
A new wave of targeted phishing attacks aimed at European governments and diplomats is underway, with the threat group APT29 identified as the perpetrator. Check Point Research (CPR) has been closely tracking this campaign, which began in January 2025 and exhibits tactics, techniques, and procedures (TTPs) consistent with previous WINELOADER campaigns attributed to APT29.
APT29, also known as Midnight Blizzard or Cozy Bear, is a Russia-linked threat group known for targeting high-profile organizations, including government agencies and think tanks.
Impersonating a legitimate European Ministry of Foreign Affairs, APT29 distributed phishing emails with subject lines like “Wine Event,” “Diplomatic Dinner,” and “For Ambassador’s Calendar.” These emails contain links to download a malicious archive (wine.zip), launching the infection chain.
“The campaign… impersonates a major European foreign affairs ministry to distribute fake invitations to diplomatic events—most commonly, wine tasting events,” the report highlights.

The phishing payload introduces GRAPELOADER, a newly identified initial-stage loader designed for environment fingerprinting, persistence, and shellcode delivery. It ships inside the archive as a DLL named ppcore.dll, a library name that the legitimate PowerPoint executable (renamed wine.exe) loads by name, so running wine.exe side-loads the malicious DLL from the same directory.
“GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery… [It] refines WINELOADER’s anti-analysis techniques while introducing more advanced stealth methods,” the report explains.
GRAPELOADER gains persistence by copying itself to AppData\Local\POWERPNT\ and adding an entry under the Windows registry Run key. Once running, it polls its C2 server every 60 seconds over HTTPS POST requests, presenting a fake Chrome user-agent, and reports data such as:
- Username and hostname
- Process name and ID
- A hardcoded campaign ID
The campaign’s sophistication is evident in GRAPELOADER’s evasion tactics:
- A separate string-obfuscation routine for each string, so no single decoding routine recovers them all
- Runtime API resolution and unhooking of DLLs that security products may have hooked
- Evasion of memory scanners by keeping its code in PAGE_NOACCESS memory regions
Alongside GRAPELOADER, researchers discovered an updated variant of WINELOADER, the modular backdoor previously tied to APT29. The new sample, vmtools.dll, exhibits enhanced code mutation, junk instruction padding, and self-modifying code, indicating a shift towards anti-analysis hardening.
“WINELOADER is a well-known modular backdoor that is part of the APT29 toolset… a comparison of older and newer WINELOADER versions suggests that this backdoor has continued to evolve,” the report notes.
As in earlier versions, WINELOADER uses RC4 for both unpacking its payload and encrypting C2 traffic, sending collected system information to https[:]//bravecup[.]com/view.php.
One anomaly stands out: the User-Agent string mimics Microsoft Edge running on Windows 7 (Windows NT 6.1 in the UA). Microsoft ended Edge support for Windows 7 in January 2023, so a current client should not present that combination, which makes the string a strong network IoC.
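The beaconing and User-Agent details above translate directly into detection logic. The following is an added example written for this page, not Check Point's code: it triages a web-proxy log for (a) traffic to the defanged C2 domain bravecup[.]com, (b) a User-Agent claiming Microsoft Edge on Windows 7, and (c) POST requests from one host to one destination that recur at roughly 60-second intervals, which also catches a GRAPELOADER-style beacon regardless of the fake Chrome user-agent it carries. The log line format, the sample log lines, the exact User-Agent strings and the interval thresholds are all constructed assumptions; the article does not reproduce the samples' real User-Agent strings.

```python
"""Proxy-log triage for WINELOADER/GRAPELOADER-style beaconing.

Added example, not Check Point's tooling. Assumed log format (constructed):
    <epoch> <src_ip> <method> <host> <path> "<user-agent>"
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LOG_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Defanged on the page as bravecup[.]com; re-fanged here for matching.
KNOWN_C2 = {"bravecup.com"}

# Constructed sample lines: 10.0.0.5 beacons to the C2 every ~60 s with an
# "Edge on Windows 7" UA; the other hosts are ordinary, irregular traffic.
WIN7_EDGE_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLE_LOG = [
    f'1000 10.0.0.5 POST bravecup.com /view.php "{WIN7_EDGE_UA}"',
    f'1001 10.0.0.7 GET example.org / "{CHROME_UA}"',
    f'1000 10.0.0.9 POST updates.example.net /check "{CHROME_UA}"',
    f'1061 10.0.0.5 POST bravecup.com /view.php "{WIN7_EDGE_UA}"',
    f'1120 10.0.0.5 POST bravecup.com /view.php "{WIN7_EDGE_UA}"',
    f'1150 10.0.0.7 GET example.org /news "{CHROME_UA}"',
    f'1180 10.0.0.5 POST bravecup.com /view.php "{WIN7_EDGE_UA}"',
    f'1241 10.0.0.5 POST bravecup.com /view.php "{WIN7_EDGE_UA}"',
    f'1300 10.0.0.9 POST updates.example.net /check "{CHROME_UA}"',
    f'1305 10.0.0.9 POST updates.example.net /check "{CHROME_UA}"',
    'this line is malformed and must be skipped',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path, ua = m.groups()
    return {"ts": int(ts), "src": src, "method": method,
            "host": host, "path": path, "ua": ua}


def impossible_edge_ua(ua):
    """Windows 7 (NT 6.1) plus an Edge token (Edg/ or Edge/).

    Edge support for Windows 7 ended in January 2023, so a current client
    presenting this combination is suspect.
    """
    return "Windows NT 6.1" in ua and re.search(r"\bEdge?/", ua) is not None


def periodic_beacons(records, period=60, tolerance=5, min_hits=4):
    """Return (src, host) pairs whose POSTs recur every ~`period` seconds.

    The mean gap must sit within `tolerance` of `period` and the gaps must
    have low spread (pstdev <= tolerance), which separates a timer-driven
    beacon from bursty human browsing. Thresholds are assumptions.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            by_pair[(r["src"], r["host"])].append(r["ts"])
    hits = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append(pair)
    return sorted(hits)


def triage(lines):
    """Run all three checks and return a sorted, de-duplicated finding list."""
    records = [r for r in map(parse_line, lines) if r]
    findings = set()
    for r in records:
        if r["host"] in KNOWN_C2:
            findings.add(("known_c2", r["src"], r["host"]))
        if impossible_edge_ua(r["ua"]):
            findings.add(("edge_win7_ua", r["src"], r["host"]))
    for src, host in periodic_beacons(records):
        findings.add(("periodic_post", src, host))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

In practice the periodic-POST check is the durable one: the C2 domain and the odd User-Agent are cheap for the operator to change between campaigns, whereas a fixed 60-second timer shows up in any proxy or NetFlow data as a low-jitter series of connections. Tune `period`, `tolerance` and `min_hits` to your own baseline before running it over real logs.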
The tooling, techniques, and execution flow closely resemble APT29’s previous campaigns, particularly the March 2024 wine-themed phishing operation. GRAPELOADER now takes the place of ROOTSAW as the first-stage stager, while DLL side-loading and Run-key persistence remain consistent.
“GRAPELOADER shares significant similarities with WINELOADER… including alignment in the compilation environment… and code similarity such as the string encryption mechanism.”
APT29’s reappearance underscores their persistence, technical prowess, and geopolitical targeting strategy. With their adoption of multi-stage loaders, refined evasion techniques, and use of legitimate file names and institutions, this campaign reflects an evolved and agile threat actor.