APT29 malware targets EU diplomats
Russian state-sponsored cyber-espionage group APT29, also known as Midnight Blizzard or Cozy Bear, has been linked to a new and sophisticated phishing campaign targeting Western diplomatic missions and government entities, according to a recent report by Check Point Research.
The group, responsible for major breaches such as the 2020 SolarWinds attack, is known for targeting high-profile organizations, including government agencies and think tanks. Its operations range from targeted phishing campaigns to high-profile supply chain attacks that use a wide array of both custom and commercial malware.

European diplomatic targets
In this latest wave of attacks, the hackers are posing as a major European Ministry of Foreign Affairs, sending out fake invites to wine tasting events. The emails include a link that, when clicked, installs a new backdoor called GRAPELOADER. The campaign seems aimed at European diplomatic targets, including embassies from non-European countries based in Europe, Check Point Research said.
In addition to GRAPELOADER, researchers also spotted a new version of the WINELOADER malware being used. Based on its compile timestamp and its close resemblance to GRAPELOADER, this updated WINELOADER appears to be deployed in the later stages of the attack.
Wine tasting event
The phishing emails in this campaign came from at least two different domains, and were crafted to look like they came from a real person at the Ministry of Foreign Affairs. Each email included a malicious link that kicked off the download of a file called wine.zip, which carried the next stage of the attack. Interestingly, the same domain that sent the email also hosted the download link. If the first email didn’t get a bite, the attackers often followed up with more messages to boost their chances of success.
Most of the emails shared a wine-themed angle, with subject lines like Wine Event, Wine Testing Event, Wine tasting event (update date), For Ambassador’s Calendar, and Diplomatic dinner.
The attackers also took extra steps to avoid detection. The servers hosting the malware were set up to block scanning tools and automated analysis. In fact, the download would only trigger under specific conditions, like at certain times or from particular locations. If someone tried to access the link directly, it would just redirect them to the real Ministry of Foreign Affairs website, adding an extra layer of deception.
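The lure traits described above (a sender posing as the Ministry of Foreign Affairs, wine-themed subjects, a download of wine.zip served from the same domain that sent the mail, and follow-up messages from the same sender) can be turned into a simple mail-gateway triage heuristic. The following is an added example written for this article, not code from Check Point Research; the message field names, the KNOWN_MFA_DOMAINS allowlist and the sample batch are constructed assumptions.

```python
import re
from collections import Counter
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject themes quoted in the article; the regex wording is an assumption.
WINE_SUBJECT = re.compile(
    r"wine\s+(tasting|testing)|wine\s+event|ambassador.s\s+calendar|diplomatic\s+dinner", re.I)
LURE_FILENAME = "wine.zip"                   # archive named in the article
# Placeholder: the genuine MFA mail domain(s) an organisation would allowlist.
KNOWN_MFA_DOMAINS = {"mfa.example"}
IMPERSONATED_NAME = re.compile(r"ministry of foreign affairs", re.I)

def score_message(msg: dict, follow_up: bool = False) -> list[str]:
    """Return the lure traits present in one message (field names are assumed)."""
    display, addr = parseaddr(msg["from"])
    sdom = addr.rsplit("@", 1)[-1].lower()
    hits = set()
    if IMPERSONATED_NAME.search(display) and sdom not in KNOWN_MFA_DOMAINS:
        hits.add("MFA display name on non-MFA domain")
    if WINE_SUBJECT.search(msg.get("subject", "")):
        hits.add("wine-themed subject")
    for url in msg.get("links", []):
        u = urlparse(url)
        if (u.hostname or "").lower() == sdom:      # download hosted on the sending domain
            hits.add("link hosted on sending domain")
        if u.path.lower().endswith("/" + LURE_FILENAME):
            hits.add("link fetches " + LURE_FILENAME)
    if follow_up:
        hits.add("follow-up from same sender")
    return sorted(hits)

def triage(batch: list[dict]) -> list[tuple[str, int, list[str]]]:
    """Score a batch in arrival order, flagging repeat senders (the follow-up behaviour)."""
    seen = Counter()
    out = []
    for m in batch:
        _, addr = parseaddr(m["from"])
        hits = score_message(m, follow_up=seen[addr] > 0)
        seen[addr] += 1
        out.append((m["id"], len(hits), hits))
    return out

# Constructed sample batch; these domains and addresses are not real indicators.
SAMPLE = [
    {"id": "m1", "from": "Ministry of Foreign Affairs Events <events@mfa-invites.example>",
     "subject": "Wine tasting event (update date)",
     "links": ["https://mfa-invites.example/invite/wine.zip"]},
    {"id": "m2", "from": "Ministry of Foreign Affairs Events <events@mfa-invites.example>",
     "subject": "For Ambassador's Calendar",
     "links": ["https://mfa-invites.example/invite/wine.zip"]},
    {"id": "m3", "from": "A Colleague <colleague@embassy.example>",
     "subject": "Lunch on Friday",
     "links": ["https://calendar.example/event/42"]},
]
```

Scores of 4 and 5 for m1 and m2 against 0 for the benign m3 show how the combination of traits, rather than any single one, separates the lure from ordinary mail.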
New backdoor
WINELOADER is a modular backdoor long associated with APT29; it collects information such as the computer’s IP address, program name, Windows username, and process ID. GRAPELOADER is a newly spotted tool used in the early stages of attacks, Check Point said, which focuses on gathering system information, gaining persistence, and pulling down additional malware.
Even though they serve different roles, the latest version of WINELOADER and GRAPELOADER share a lot under the hood, like similar code structures, obfuscation methods, and how they handle encrypted strings.
Over time, WINELOADER has kept its core functions while refining its techniques. GRAPELOADER builds on that foundation, using advanced tricks like DLL unhooking, API resolution, and obfuscation, plus some new tactics of its own to stay under the radar.
Cyber-espionage keeps evolving
The operation highlights the evolving nature of cyber-espionage and the persistent threat posed by well-resourced nation-state actors like APT29. The growing use of social engineering tactics and advanced malware underscores the urgent need for diplomatic entities to stay vigilant, strengthen their cybersecurity frameworks, and ensure staff are well-trained to recognize and respond to these increasingly sophisticated phishing threats.