Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

APT29's Cunning Phishing Campaign: Unveiling GRAPELOADER and WINELOADER Malware


A new variant of WINELOADER malware has been linked to a phishing campaign targeting diplomatic entities across Europe, as part of an APT29 (Cozy Bear or Midnight Blizzard) attack. GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery.

  • The APT29 attack campaign targets diplomatic entities across Europe with a new variant of WINELOADER malware.
  • The campaign uses an advanced phishing technique, sending emails impersonating a European Ministry of Foreign Affairs to trick targets into clicking on a malicious link.
  • The malware, GRAPELOADER, is designed to collect basic information about the infected host and exfiltrate it to an external server to retrieve next-stage shellcode.
  • PteroLNK VBScript malware is another tool used by Russian threat actor Gamaredon to infect connected USB drives with VBScript or PowerShell versions of the malicious program.
  • The PteroLNK malware dynamically constructs a downloader and an LNK dropper during execution, allowing flexibility for its operators to modify parameters and evade detection.



    Cyber espionage has seen numerous sophisticated campaigns in recent years, each leaving behind a trail of deception and malicious intent. One that has drawn significant attention from security researchers is an APT29 operation linked to an advanced phishing campaign targeting diplomatic entities across Europe with a new variant of WINELOADER malware. This article examines APT29's GRAPELOADER and WINELOADER malware, their functionality, and the tactics, techniques, and procedures (TTPs) the threat actor employs.


    In a technical analysis published earlier this week, Check Point revealed that the Russian state-sponsored threat actor known as APT29 (aka Cozy Bear or Midnight Blizzard) has been linked to an advanced phishing campaign targeting diplomatic entities across Europe with a new variant of WINELOADER malware. The activity was originally tracked under the cluster name SPIKEDWINE before being attributed to APT29.


    The campaign entails sending email invites impersonating an unspecified European Ministry of Foreign Affairs to targets for wine-tasting events, coaxing them into clicking a link that triggers the deployment of GRAPELOADER by means of a malware-laced ZIP archive ("wine.zip"). The emails were sent from the domains bakenhof[.]com and silry[.]com. The campaign is said to have mainly singled out multiple European countries with a specific focus on Ministries of Foreign Affairs, as well as other countries' embassies in Europe.


    According to Check Point, the ZIP archive contains three files: A DLL ("AppvIsvSubsystems64.dll") that serves as a dependency for running a legitimate PowerPoint executable ("wine.exe"), which is then exploited for DLL side-loading to launch a malicious DLL ("ppcore.dll"). The sideloaded malware functions as a loader (i.e., GRAPELOADER) to drop the main payload.
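    The three-file layout above (a legitimate signed executable shipped next to the DLLs it will load) is the staging pattern behind DLL side-loading, and it is cheap to screen for at the mail gateway or in a sandbox before anything is executed. The following Python triage script is an added example, not code from Check Point or from the page; it assumes nothing about the real binaries, and the "PE" members it packs are constructed stand-ins that carry only the MZ/PE header bytes. It parses the archive in memory, keeps only members that are genuinely PE files regardless of extension, and reports every EXE that sits in the same folder as one or more DLLs, plus any PE file whose extension disguises it.

```python
"""Triage an archive for the DLL side-loading layout Check Point describes
for wine.zip: a legitimate EXE shipped next to the DLLs it will load."""
import io
import zipfile


def _fake_pe() -> bytes:
    """Smallest byte string is_pe() accepts: MZ stub, e_lfanew at 0x3C, 'PE\\0\\0' at 0x40.
    Constructed stand-in for a real binary; it carries no code."""
    hdr = bytearray(b"MZ" + b"\x00" * 58)
    hdr += (0x40).to_bytes(4, "little")      # e_lfanew -> offset of the PE signature
    hdr += b"PE\x00\x00" + b"\x00" * 0x40
    return bytes(hdr)


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def triage_archive(zip_bytes: bytes, max_member: int = 50 * 1024 * 1024) -> dict:
    """Group PE members by folder and report every EXE that sits beside DLLs.
    Also lists PE files whose extension hides that they are executables."""
    exes, dlls, disguised = {}, {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member:   # skip dirs and oversized members
                continue
            name = info.filename
            if not is_pe(zf.read(info)):
                continue
            folder, _, base = name.rpartition("/")
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if ext == "exe":
                exes.setdefault(folder, []).append(base)
            elif ext == "dll":
                dlls.setdefault(folder, []).append(base)
            else:
                disguised.append(name)
    candidates = [
        {"folder": folder, "exe": exe, "dlls": sorted(dlls[folder])}
        for folder, names in exes.items() if folder in dlls
        for exe in sorted(names)
    ]
    return {"sideload_candidates": candidates, "disguised_pe": sorted(disguised)}


def build_wine_zip() -> bytes:
    """Constructed archive mirroring the three-file layout from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wine.exe", _fake_pe())                  # legitimate PowerPoint binary in the real lure
        zf.writestr("AppvIsvSubsystems64.dll", _fake_pe())   # dependency shipped alongside it
        zf.writestr("ppcore.dll", _fake_pe())                # side-loaded GRAPELOADER in the real lure
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control case: an EXE with no DLL beside it and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invite/menu.txt", b"tasting notes")
        zf.writestr("invite/helper.exe", _fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_wine_zip()))     # one side-loading candidate: wine.exe + two DLLs
    print(triage_archive(build_benign_zip()))   # no candidates
```

    The check is deliberately content-based: a renamed DLL or an EXE hidden behind a .pdf extension still shows up, which is what matters when the attacker controls the file names. On a hit, the next step is to verify the EXE's Authenticode signature and compare the bundled DLL names against the executable's import table.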


    GRAPELOADER, in addition to incorporating anti-analysis techniques like string obfuscation and runtime API resolving, is designed to collect basic information about the infected host and exfiltrate it to an external server in order to retrieve the next-stage shellcode. Although the exact nature of the payload is unclear, Check Point said it identified updated WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching that of "AppvIsvSubsystems64.dll."



    The use of WINELOADER was first documented by Zscaler ThreatLabz in February 2024, with the attacks leveraging wine-tasting lures to infect diplomatic staff systems. While the campaign was first attributed to a threat activity cluster named SPIKEDWINE, a subsequent analysis by Google-owned Mandiant connected it to the APT29 (aka Cozy Bear or Midnight Blizzard) hacking group, which is affiliated with Russia's Foreign Intelligence Service (SVR). GRAPELOADER, by contrast, is a newly observed initial-stage loader.



    The findings come as HarfangLab detailed PteroLNK, a VBScript malware used by the Russian threat actor Gamaredon to infect all connected USB drives with VBScript or PowerShell versions of the malicious program. The PteroLNK samples were uploaded to VirusTotal between December 2024 and February 2025 from Ukraine, a primary target of the hacking group.



    HarfangLab described the PteroLNK VBScript files as heavily obfuscated and responsible for dynamically constructing a downloader and an LNK dropper during execution. While the downloader is scheduled to execute every 3 minutes, the LNK dropper script is configured to run every 9 minutes. The downloader employs a modular, multi-stage structure to reach out to a remote server and fetch additional malware. The LNK dropper, on the other hand, propagates through local and network drives, replacing existing .pdf, .docx, and .xlsx files in the root of the directory with deceptive shortcut counterparts and hiding the original files.



    "The scripts are designed to allow flexibility for their operators, enabling easy modification of parameters such as file names and paths, persistence mechanisms (registry keys and scheduled tasks), and detection logic for security solutions on the target system," HarfangLab said, adding that Gamaredon operates as a critical component of Russia's cyber operations strategy, particularly in its ongoing war with Ukraine.
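    The LNK dropper leaves a footprint that is easy to hunt for on a removable or network drive: a document in the drive root that now has a shortcut of the same name beside it, with the original kept but hidden. The script below is an added example written for this article, not HarfangLab's or Gamaredon's code; it assumes (since the report does not say) that the decoy may be named either "report.pdf.lnk" or "report.lnk", and it builds its own constructed sample tree in a temporary directory rather than touching a real drive. It validates the shortcut by its ShellLink header rather than trusting the extension, and records whether the shadowed document carries the Windows hidden attribute.

```python
"""Hunt for the PteroLNK LNK-dropper footprint: a .pdf/.docx/.xlsx in a drive
root shadowed by a same-named shortcut, with the original kept but hidden."""
import tempfile
from pathlib import Path

DOC_EXTS = {".pdf", ".docx", ".xlsx"}        # extensions named in the HarfangLab analysis
# ShellLink header: HeaderSize 0x4C followed by the start of LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
FILE_ATTRIBUTE_HIDDEN = 0x2                  # Windows st_file_attributes bit


def looks_like_lnk(p: Path) -> bool:
    """Check the shortcut by header, not by extension."""
    with p.open("rb") as f:
        return f.read(len(LNK_MAGIC)) == LNK_MAGIC


def is_hidden(p: Path) -> bool:
    """Hidden attribute on Windows; dot-prefix elsewhere (st_file_attributes is absent on POSIX)."""
    attrs = getattr(p.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or p.name.startswith(".")


def find_decoy_shortcuts(root: Path) -> list:
    """Return shortcuts in `root` that shadow a document of the same name.
    Both naming styles are covered (assumption): 'report.pdf.lnk' and 'report.lnk'."""
    hits = []
    for lnk in sorted(root.iterdir()):
        if not lnk.is_file() or lnk.suffix.lower() != ".lnk" or not looks_like_lnk(lnk):
            continue
        stem = lnk.name[:-len(".lnk")]
        candidates = [root / stem] + [root / (stem + ext) for ext in sorted(DOC_EXTS)]
        for orig in candidates:
            if orig.is_file() and orig.suffix.lower() in DOC_EXTS:
                hits.append({"shortcut": lnk.name, "original": orig.name,
                             "original_hidden": is_hidden(orig)})
                break
    return hits


def build_scenario(root: Path) -> None:
    """Constructed sample tree (not real malware output): two shadowed documents,
    one ordinary shortcut, one unrelated file and one file misnamed as a shortcut."""
    (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (root / "report.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 68)
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04 constructed sample")
    (root / "budget.lnk").write_bytes(LNK_MAGIC + b"\x00" * 68)
    (root / "tool.lnk").write_bytes(LNK_MAGIC + b"\x00" * 68)   # shortcut with no shadowed document
    (root / "notes.txt").write_bytes(b"benign")
    (root / "fake.lnk").write_bytes(b"not a shortcut")           # wrong header: ignored


def demo() -> list:
    """Build the scenario in a temp dir and return (shortcut, original) pairs found."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_scenario(root)
        return [(h["shortcut"], h["original"]) for h in find_decoy_shortcuts(root)]


if __name__ == "__main__":
    for shortcut, original in demo():
        print(f"decoy shortcut {shortcut} shadows {original}")
```

    Run against a real drive root, replace the temporary directory with the mount point (for example `Path("E:/")`) and treat any hit whose original is hidden as high confidence. Pair this with a check for scheduled tasks firing on the 3-minute and 9-minute intervals the report describes, which the script does not cover.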






    "Both tools, when deployed on a system, repeatedly attempt to detect connected USB drives, in order to drop LNK files and in some cases also a copy of PteroLNK onto them," ESET noted in September 2024. "Clicking on a LNK file can, depending on the particular PteroLNK version that created it, either directly retrieve the next stage from a C2 server, or execute a PteroLNK copy to download additional payloads."









    In conclusion, APT29's GRAPELOADER and WINELOADER campaign demonstrates the sophistication of Russian state-sponsored threat actors. Pairing wine-tasting lures with a DLL side-loading chain and a staged loader that fingerprints the host before fetching its payload shows how these groups continue to refine their tradecraft against high-value diplomatic targets.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/APT29s-Cunning-Phishing-Campaign-Unveiling-GRAPELOADER-and-WINELOADER-Malware-ehn.shtml

  • https://thehackernews.com/2025/04/apt29-deploys-grapeloader-malware.html

  • https://www.bleepingcomputer.com/news/security/midnight-blizzard-deploys-new-grapeloader-malware-in-embassy-phishing/

  • https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

  • https://www.forbes.com/sites/jamesfarrell/2024/03/08/who-is-midnight-blizzard-russian-linked-group-has-repeatedly-targeted-microsoft-company-says/


  • Published: Sun Apr 20 01:22:06 2025 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
