@cyberpress.org
//
Russian state-sponsored espionage group Midnight Blizzard, also known as APT29 or Cozy Bear, is conducting a spear-phishing campaign targeting European diplomatic organizations. Check Point Research has been observing this sophisticated operation, which began in January 2025 and employs advanced techniques to target government officials and diplomats across Europe. The threat actors are impersonating a major European foreign affairs ministry to send deceptive emails inviting targets to wine-tasting events. This campaign, leveraging custom malware, aims to compromise diplomatic entities, including embassies of non-European countries.
The campaign introduces a previously unseen malware loader called GrapeLoader, along with a new variant of the Wineloader backdoor. The phishing emails, sent from domains like 'bakenhof[.]com' or 'silry[.]com,' contain malicious links that, under specific conditions, initiate the download of a ZIP archive named 'wine.zip'. If the targeting conditions are not met, victims are redirected to the legitimate website of the impersonated ministry, reducing suspicion. This mirrors a previous Wineloader campaign, indicating a continued focus on European diplomacy by APT29.
Once executed via DLL sideloading, GrapeLoader collects host information, establishes persistence by modifying the Windows Registry, and contacts a command-and-control server. The use of in-memory execution is an advanced evasion technique to complicate detection. The objective of the campaign is likely espionage, given APT29's history of targeting high-profile organizations, including government agencies and think tanks, and its association with the SolarWinds supply chain attack.
References:
- Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
- BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
- bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
- blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
- cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
- research.checkpoint.com: Renewed APT29 Phishing Campaign Against European Diplomats
- The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
- iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
- cybersecuritynews.com: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
- www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
- www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
- Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
- Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
- securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
- securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
- www.csoonline.com: The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024. The report contains indicators of compromise such as file names, file hashes and C2 URLs that security teams can use to build detections and threat hunting queries.
- Virus Bulletin: The campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email.
- The Hacker News: The Hacker News reports on APT29 targeting European diplomats with wine-themed phishing emails and the GrapeLoader malware.
Sathwik Ram@seqrite.com
//
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.
The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell.
Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services.
References:
- Virus Bulletin: The Seqrite Labs APT team has uncovered new tactics of the Pakistan-linked SideCopy APT. The group has expanded its targets to include critical sectors such as railways, oil & gas, and external affairs ministries and has shifted from using HTA files to MSI packages.
- www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
- cyberpress.org: SideCopy APT Poses as Government Personnel to Distribute Open-Source XenoRAT Tool
- gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
- : Pakistan-linked adversary group SideCopy has escalated its operations, employing new tactics to infiltrate crucial sectors.
- beSpacific: Article on the new tactics of the Pakistan-linked SideCopy APT.
Pierluigi Paganini@Security Affairs
//
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.
Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.
References:
- CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
- infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
- techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
- securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
- securityonline.info: The Russian vulnerability broker Operation Zero is a company specializing in the acquisition and sale of security vulnerabilities.
- Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
- hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.
@cyberscoop.com
//
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.
Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.
References:
- cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
- Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
- techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
- www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
- Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
- CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
- Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
- PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
- securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
- BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
- industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
- Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
- Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
- cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
- cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
@ofac.treasury.gov
//
North Korean IT workers are increasingly engaging in aggressive extortion tactics against companies that unknowingly hired them. The FBI and Mandiant have issued warnings about these workers, who exploit remote access to steal sensitive data and demand ransom payments. After being discovered, some of these workers hold stolen data and proprietary code hostage, threatening to publicly release it if demands are not met. There have also been reports of workers attempting to steal code repositories, company credentials, and session cookies for further compromise.
This escalation in tactics is attributed to increased law enforcement action, sanctions, and media coverage, which have reduced the success of their schemes. The US Department of Justice has indicted several individuals, including North Korean nationals, for their involvement in elaborate "laptop farm" schemes. These schemes use stolen identities, forged documents, and remote access software to deceive companies into hiring North Korean IT workers and generate revenue for the DPRK regime. The indicted individuals are accused of generating over $800,000, which was then laundered, highlighting the sophistication and reach of this cybercrime operation.
References:
- ciso2ciso.com: North Korean Fake IT Workers More Aggressively Extorting Enterprises
- Cyber Security News: North Korean IT Workers Demands Ransomware By Stealing Companies Source Codes
- securityonline.info: North Korean IT Workers Indicted in Elaborate “Laptop Farm” Scheme to Evade Sanctions
- www.justice.gov: This highlights the evolving cybercrime tactics of North Korea
- www.bleepingcomputer.com: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them.
- Techmeme: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them (Sergiu Gatlan/BleepingComputer)
- oodaloop.com: DoJ nabs five suspects in North Korean remote worker scheme
- www.computerworld.com: DOJ indicts North Korean conspirators for remote IT work scheme
- www.csoonline.com: DOJ indicts North Korean conspirators for remote IT work scheme
- The420.in: FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers
- ciso2ciso.com: DOJ indicts North Korean conspirators for remote IT work scheme
- www.the420.in: FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers
- Pyrzout :vm:: DOJ indicts North Korean conspirators for remote IT work scheme – Source: www.computerworld.com
- ciso2ciso.com: US Charges Five People Over North Korean IT Worker Scheme – Source: www.securityweek.com
- www.helpnetsecurity.com: North Korean IT workers are extorting employers, FBI warns
- The Register: North Korean dev who renamed himself 'Bane' accused of IT worker fraud scheme
- ciso2ciso.com: North Korean dev who renamed himself ‘Bane’ accused of IT worker fraud scheme – Source: go.theregister.com
- Help Net Security: North Korean IT workers are extorting employers, FBI warns