News from the AI & ML world
DeeperML
@cyberpress.org
//
Russian state-sponsored espionage group Midnight Blizzard, also known as APT29 or Cozy Bear, is conducting a spear-phishing campaign targeting European diplomatic organizations. Check Point Research has been observing this sophisticated operation, which began in January 2025 and employs advanced techniques to target government officials and diplomats across Europe. The threat actors are impersonating a major European foreign affairs ministry to send deceptive emails inviting targets to wine-tasting events. This campaign, leveraging custom malware, aims to compromise diplomatic entities, including embassies of non-European countries.
The campaign introduces a previously unseen malware loader called GrapeLoader, along with a new variant of the Wineloader backdoor. The phishing emails, sent from domains like 'bakenhof[.]com' or 'silry[.]com,' contain malicious links that, under specific conditions, initiate the download of a ZIP archive named 'wine.zip'. If the targeting conditions are not met, victims are redirected to the legitimate website of the impersonated ministry, reducing suspicion. This mirrors a previous Wineloader campaign, indicating a continued focus on European diplomacy by APT29.
Once executed via DLL sideloading, GrapeLoader collects host information, establishes persistence by modifying the Windows Registry, and contacts a command-and-control server. The use of in-memory execution is an advanced evasion technique to complicate detection. The objective of the campaign is likely espionage, given APT29's history of targeting high-profile organizations, including government agencies and think tanks, and its association with the SolarWinds supply chain attack.
ImgSrc: blogger.googleu
References :
The campaign introduces a previously unseen malware loader called GrapeLoader, along with a new variant of the Wineloader backdoor. The phishing emails, sent from domains like 'bakenhof[.]com' or 'silry[.]com,' contain malicious links that, under specific conditions, initiate the download of a ZIP archive named 'wine.zip'. If the targeting conditions are not met, victims are redirected to the legitimate website of the impersonated ministry, reducing suspicion. This mirrors a previous Wineloader campaign, indicating a continued focus on European diplomacy by APT29.
Once executed via DLL sideloading, GrapeLoader collects host information, establishes persistence by modifying the Windows Registry, and contacts a command-and-control server. The use of in-memory execution is an advanced evasion technique to complicate detection. The objective of the campaign is likely espionage, given APT29's history of targeting high-profile organizations, including government agencies and think tanks, and its association with the SolarWinds supply chain attack.
ImgSrc: blogger.googleu
Share:
References :
- Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
- BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
- bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
- blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
- cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
- research.checkpoint.com: Renewed APT29 Phishing Campaign Against European Diplomats
- : APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
- The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
- iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
- cybersecuritynews.com: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
- www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
- www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
- Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
- Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
- securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
- securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
- www.csoonline.com: The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024, The report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.
- Virus Bulletin: The campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email.
Classification:
- HashTags: #MidnightBlizzard #APT29 #SpearPhishing
- Target: European diplomatic organizations
- Attacker: Midnight Blizzard
- Malware: Grapeloader, Wineloader
- Type: Espionage
- Severity: Medium