In a strategic escalation of cyber espionage, Russian state-sponsored group Midnight Blizzard, also known as APT29 or Cozy Bear, has initiated a new spear-phishing campaign aimed at diplomatic entities across Europe, including embassies. This alarming development was reported by Check Point Research, which outlined that the campaign employs a novel malware loader named ‘GrapeLoader’ along with a revised version of the ‘WineLoader’ backdoor.
The phishing effort reportedly began in January 2025, leveraging emails masquerading as communications from a Ministry of Foreign Affairs. These emails, sent from domains such as ‘bakenhof.com’ or ‘silry.com’, invite recipients to a wine-tasting event. Embedded within is a malicious link designed to download a ZIP archive labeled ‘wine.zip’ when certain targeting criteria are satisfied. Alternatively, if these criteria fail, victims are redirected to the legitimate website of the Ministry.
The ZIP archive contains a benign PowerPoint executable and a legitimate DLL file alongside the malicious GrapeLoader payload (ppcore.dll). GrapeLoader is executed through DLL sideloading; it then gathers host information and establishes persistence by modifying the Windows Registry. It also applies memory protection measures to evade detection by antivirus and EDR tools, and it waits a calculated ten seconds before activating its shellcode, further improving its stealth.
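To turn the delivery chain described above into a concrete triage check, here is an added example (not code from Check Point or the article) that inspects a ZIP attachment for the executable-plus-ppcore.dll sideloading shape and matches sender addresses against the two domains named in the report; the in-memory sample archive, its launcher.exe and helper.dll member names, and the sender addresses are constructed placeholders.

```python
import io
import zipfile

# Indicators named in the article: the sideloaded loader file and the sender domains.
SUSPICIOUS_DLL_NAMES = {"ppcore.dll"}
PHISHING_SENDER_DOMAINS = {"bakenhof.com", "silry.com"}
MZ_MAGIC = b"MZ"  # first two bytes of every PE (EXE/DLL) file


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect an archive and report its PE members and whether it bundles an
    executable with a DLL named like the loader (the DLL-sideloading shape)."""
    pe_members = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)  # header bytes are enough for the MZ check
            if head == MZ_MAGIC:
                pe_members.append(info.filename.lower())
    exes = [m for m in pe_members if m.endswith(".exe")]
    suspicious = [m for m in pe_members
                  if m.rsplit("/", 1)[-1] in SUSPICIOUS_DLL_NAMES]
    return {
        "pe_members": pe_members,
        "suspicious_dlls": suspicious,
        "sideload_pair": bool(exes) and bool(suspicious),
    }


def sender_is_known_phishing(address: str) -> bool:
    """True when the sender's domain is one of the domains reported for the campaign."""
    domain = address.rsplit("@", 1)[-1].strip().rstrip(">").lower()
    return domain in PHISHING_SENDER_DOMAINS


def build_sample_zip() -> bytes:
    """Constructed stand-in for 'wine.zip': placeholder PE headers only, no real code.
    Member names other than ppcore.dll are hypothetical, not taken from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("launcher.exe", MZ_MAGIC + b"\x00" * 62)  # stands in for the benign executable
        zf.writestr("helper.dll", MZ_MAGIC + b"\x00" * 62)    # stands in for the legitimate DLL
        zf.writestr("ppcore.dll", MZ_MAGIC + b"\x00" * 62)    # the GrapeLoader file name
        zf.writestr("invitation.txt", b"wine tasting")        # non-PE member, ignored
    return buf.getvalue()
```

On a mail gateway the same two checks would run over the real attachment bytes and the parsed From header; a positive `sideload_pair` on an archive named wine.zip is a strong signal to quarantine and hand to IR.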
GrapeLoader’s primary objectives involve covert reconnaissance and the delivery of the WineLoader backdoor, which is camouflaged as a trojanized VMware Tools DLL. WineLoader itself is designed to amass detailed information from infected hosts, encompassing data such as IP addresses, Windows usernames, and process details. This intelligence is vital for determining the nature of the environment within which the malware is operating and for optimizing subsequent payload delivery targets.
Experts at Check Point emphasize that the most recent variant of WineLoader demonstrates significant advancements in obfuscation compared to its predecessors, making it increasingly resistant to reverse engineering efforts. Enhanced techniques such as RVA duplication and export table mismatches complicate the analysis process. Cybersecurity professionals are urged to adopt multi-layered defenses and maintain elevated vigilance against these evolving threats, as APT29 continues to refine its tactics and tools.
A comprehensive overview of the group’s previous activities can also be found in a report by Bleeping Computer [here](https://www.bleepingcomputer.com/news/security/us-uk-warn-of-russian-apt29-hackers-targeting-zimbra-teamcity-servers/).