
A new spear-phishing campaign orchestrated by the Russian state-sponsored group Midnight Blizzard is targeting diplomatic entities across Europe. This campaign introduces a novel malware loader named 'GrapeLoader' alongside a new variant of the 'WineLoader' backdoor.
Overview of the Cyberattack
Midnight Blizzard, also known as 'Cozy Bear' or 'APT29,' is linked to Russia's Foreign Intelligence Service (SVR). Their latest campaign, identified by Check Point Research, began in January 2025. It involves phishing emails masquerading as invitations to a wine-tasting event, purportedly from a Ministry of Foreign Affairs.
Phishing Methodology
The phishing emails are sent from domains such as 'bakenhof[.]com' or 'silry[.]com.' They contain a malicious link that, if the target conditions are met, downloads a ZIP archive named 'wine.zip.' If not, the link redirects to the legitimate Ministry website.
- ZIP Archive Contents: The archive includes a legitimate PowerPoint executable (wine.exe), a necessary DLL file, and the malicious GrapeLoader payload (ppcore.dll).
- Execution Method: GrapeLoader is executed via DLL sideloading; once running, it gathers host information, modifies the Windows Registry for persistence, and contacts a command-and-control (C2) server to load shellcode into memory.
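The archive layout described above lends itself to a simple attachment-triage check: any ZIP that ships an executable next to DLLs in the same directory is a DLL-sideloading candidate, and each member's SHA-256 can be matched against published indicators. The script below is an added example, not Check Point's tooling or the actual samples; the archive it inspects is constructed inline with placeholder bytes, and the helper DLL name 'support.dll' is assumed because the article does not name it.

```python
from __future__ import annotations
import hashlib
import io
import zipfile
from dataclasses import dataclass, field

# Constructed stand-in for the 'wine.zip' layout: placeholder bytes, not real samples.
_PE_STUB = b"MZ" + b"\x00" * 62
SAMPLE_ZIP = io.BytesIO()
with zipfile.ZipFile(SAMPLE_ZIP, "w") as _zf:
    _zf.writestr("wine.exe", _PE_STUB + b"legit-powerpoint-stub")
    _zf.writestr("support.dll", _PE_STUB + b"runtime-stub")  # assumed name of the helper DLL
    _zf.writestr("ppcore.dll", _PE_STUB + b"loader-stub")

@dataclass
class Finding:
    executable: str                      # EXE that would load the sibling DLLs
    sideload_candidates: list[str] = field(default_factory=list)
    hashes: dict[str, str] = field(default_factory=dict)  # member -> SHA-256 for IoC lookup

def triage_archive(data: bytes) -> list[Finding]:
    """Flag every EXE that sits beside DLLs in the same archive directory."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        by_dir: dict[str, list[str]] = {}
        for name in zf.namelist():
            if name.endswith("/"):
                continue                 # skip directory entries
            folder = name.rsplit("/", 1)[0] if "/" in name else ""
            by_dir.setdefault(folder, []).append(name)
        for members in by_dir.values():
            exes = [m for m in members if m.lower().endswith(".exe")]
            # Only count DLLs that actually carry a PE header; renamed data files are not loadable.
            dlls = [m for m in members
                    if m.lower().endswith(".dll") and zf.read(m)[:2] == b"MZ"]
            for exe in exes:
                finding = Finding(executable=exe, sideload_candidates=sorted(dlls))
                for member in [exe] + dlls:
                    finding.hashes[member] = hashlib.sha256(zf.read(member)).hexdigest()
                findings.append(finding)
    return findings

def is_sideload_candidate(finding: Finding) -> bool:
    """An EXE with at least one loadable DLL beside it matches the sideloading pattern."""
    return bool(finding.sideload_candidates)

if __name__ == "__main__":
    for f in triage_archive(SAMPLE_ZIP.getvalue()):
        print(f"{f.executable}: sideload={is_sideload_candidate(f)} dlls={f.sideload_candidates}")
        for member, digest in f.hashes.items():
            print(f"  {member} sha256={digest}")
```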
Technical Details of GrapeLoader
GrapeLoader is believed to replace the previously used HTA loader 'RootSaw,' offering enhanced stealth and sophistication. It employs 'PAGE_NOACCESS' memory protections and introduces a 10-second delay before executing shellcode via 'ResumeThread' to evade detection by antivirus and EDR systems.
Stealthy Payload Execution
The primary functions of GrapeLoader in this campaign are to conduct stealthy reconnaissance and deliver the WineLoader backdoor. WineLoader is disguised as a trojanized VMware Tools DLL file, facilitating espionage operations.
Capabilities of WineLoader
WineLoader is a modular backdoor designed to collect detailed host information, aiding in espionage activities. The data gathered includes IP addresses, process names, Windows user names, machine names, Process IDs, and privilege levels.
- Data Collection: This information helps identify sandbox environments and assess targets for deploying additional payloads.
- Obfuscation Techniques: The new WineLoader variant is heavily obfuscated using RVA duplication, export table mismatches, and junk instructions, complicating reverse engineering efforts.
Challenges in Analysis
String obfuscation in the new WineLoader variant has significantly evolved, disrupting automated string extraction and deobfuscation processes. As a result, Check Point was unable to retrieve the full second-stage payload or additional plugins, leaving some capabilities of the malware unclear.