The Russian state-sponsored menace actor referred to as APT29 has been linked to a complicated phishing marketing campaign that is concentrating on diplomatic entities throughout Europe with a brand new variant of WINELOADER and a beforehand unreported malware loader codenamed GRAPELOADER.
“Whereas the improved WINELOADER variant continues to be a modular backdoor utilized in later phases, GRAPELOADER is a newly noticed initial-stage instrument used for fingerprinting, persistence, and payload supply,” Test Level mentioned in a technical evaluation printed earlier this week.
“Regardless of differing roles, each share similarities in code construction, obfuscation, and string decryption. GRAPELOADER refines WINELOADER’s anti-analysis strategies whereas introducing extra superior stealth strategies.”
The usage of WINELOADER was first documented by Zscaler ThreatLabz in February 2024, with the assaults leveraging wine-tasting lures to contaminate diplomatic employees methods.
Whereas the marketing campaign was first attributed to a menace exercise cluster named SPIKEDWINE, a subsequent evaluation by Google-owned Mandiant linked it to the APT29 (aka Cozy Bear or Midnight Blizzard) hacking group, which is affiliated with Russia’s Overseas Intelligence Service (SVR).
The most recent set of assaults entails sending electronic mail invitations impersonating an unspecified European Ministry of Overseas Affairs to targets for wine-tasting occasions, coaxing them into clicking a hyperlink that triggers the deployment of GRAPELOADER via a malware-laced ZIP archive (“wine.zip”). The emails have been despatched from the domains bakenhof[.]com and silry[.]com.
The marketing campaign is claimed to have primarily singled out a number of European nations with a particular give attention to Ministries of Overseas Affairs, in addition to different nations’ embassies in Europe. There are indications that diplomats primarily based within the Center East may additionally have been focused.
The ZIP archive comprises three recordsdata: A DLL (“AppvIsvSubsystems64.dll”) that serves as a dependency for working a reputable PowerPoint executable (“wine.exe”), which is then exploited for DLL side-loading to launch a malicious DLL (“ppcore.dll”). The sideloaded malware capabilities as a loader (i.e., GRAPELOADER) to drop the primary payload.
The malware positive aspects persistence by modifying the Home windows Registry to make sure that the “wine.exe” executable is launched each time the system is rebooted.
GRAPELOADER, along with incorporating anti-analysis strategies like string obfuscation and runtime API resolving, is designed to gather fundamental details about the contaminated host and exfiltrate it to an exterior server with a purpose to retrieve the next-stage shellcode.
Though the precise nature of the payload is unclear, Test Level mentioned it recognized up to date WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching that of “AppvIsvSubsystems64.dll.”
“With this data, and the truth that GRAPELOADER changed ROOTSAW, an HTA downloader utilized in previous campaigns to ship WINELOADER, we imagine that GRAPELOADER in the end results in the deployment of WINELOADER,” the cybersecurity firm mentioned.
The findings come as HarfangLab detailed Gamaredon’s PteroLNK VBScript malware, which is utilized by the Russian menace actor to contaminate all linked USB drives with VBScript or PowerShell variations of the computer virus. The PteroLNK samples have been uploaded to VirusTotal between December 2024 and February 2025 from Ukraine, a main goal of the hacking group.
“Each instruments, when deployed on a system, repeatedly try to detect linked USB drives, with a purpose to drop LNK recordsdata and in some instances additionally a replica of PteroLNK onto them,” ESET famous in September 2024. “Clicking on a LNK file can, relying on the actual PteroLNK model that created it, both immediately retrieve the following stage from a C2 server, or execute a PteroLNK copy to obtain further payloads.”
The French cybersecurity agency described PteroLNK VBScript recordsdata as closely obfuscated and accountable for dynamically developing a downloader and an LNK dropper throughout execution. Whereas the downloader is scheduled to execute each 3 minutes, the LNK dropper script is configured to run each 9 minutes.
The downloader employs a modular, multi-stage construction to achieve out to a distant server and fetch further malware. The LNK dropper, however, propagates via native and community drives, changing current .pdf, .docx, and .xlsx recordsdata within the root of the listing with misleading shortcut counterparts and hiding the unique recordsdata. These shortcuts, when launched, are engineered to run PteroLNK as a substitute.
“The scripts are designed to permit flexibility for his or her operators, enabling straightforward modification of parameters akin to file names and paths, persistence mechanisms (registry keys and scheduled duties), and detection logic for safety options on the goal system,” HarfangLab mentioned.
It is value noting that the downloader and the LNK dropper confer with the identical two payloads that the Symantec Menace Hunter workforce, a part of Broadcom, revealed earlier this month as a part of an assault chain distributing an up to date model of the GammaSteel stealer –
- NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms (Downloader)
- NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms (LNK dropper)
“Gamaredon operates as a important element of Russia’s cyber operations technique, notably in its ongoing battle with Ukraine,” the corporate mentioned. “Gamaredon’s effectiveness lies not in technical sophistication however in tactical adaptability.”
“Their modus operandi combines aggressive spearphishing campaigns, speedy deployment of closely obfuscated customized malware, and redundant C2 infrastructure. The group prioritizes operational affect over stealth, exemplified by pointing their DDRs to long-standing domains publicly linked to their previous operations.”
