
Security researchers have linked the Russian state-sponsored threat actor APT29 to a sophisticated phishing campaign targeting diplomatic entities across Europe. The operation employs a new variant of WINELOADER and introduces a previously undocumented malware loader codenamed GRAPELOADER.

"While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery," Check Point revealed in a technical analysis published earlier this week.

"Despite differing roles, both share similarities in code structure, obfuscation, and string decryption. GRAPELOADER refines WINELOADER's anti-analysis techniques while introducing more advanced stealth methods."

Attack Evolution and Attribution

WINELOADER was first documented by Zscaler ThreatLabz in February 2024, with initial attacks using wine-tasting lures to compromise diplomatic staff systems. While originally attributed to a threat cluster named SPIKEDWINE, Google-owned Mandiant later connected the campaign to APT29 (also known as Cozy Bear or Midnight Blizzard), a hacking group affiliated with Russia's Foreign Intelligence Service (SVR).

Current Campaign Details

The latest attacks involve:

  • Phishing emails impersonating an unspecified European Ministry of Foreign Affairs
  • Invitations to wine-tasting events containing malicious links
  • Deployment of GRAPELOADER via a malware-laden ZIP archive ("wine.zip")
  • Emails sent from domains bakenhof[.]com and silry[.]com

The campaign primarily targets European Ministries of Foreign Affairs and embassies in Europe, with evidence suggesting diplomats in the Middle East may also be targeted.

Technical Infection Chain

The ZIP archive contains three components:

  1. A legitimate PowerPoint executable ("wine.exe")
  2. A DLL dependency ("AppvIsvSubsystems64.dll")
  3. A malicious DLL ("ppcore.dll") that the legitimate executable loads through DLL side-loading

The malware achieves persistence by modifying the Windows Registry to ensure "wine.exe" launches on system reboot.
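The infection chain above has two observable artefacts a defender can check for without the samples: a lure archive that ships a PE executable alongside DLLs in the same directory (the layout DLL side-loading needs), and a Registry autostart entry pointing at that executable. The following Python is an added example written for this page, not Check Point's tooling or code from the report. File names come from the article; the archive contents, the `reg query` output and the account path are constructed, and the choice of a Run key is an assumption, since the article says only that the Registry is modified so "wine.exe" starts at reboot.

```python
import io
import posixpath
import re
import zipfile

# Names from the article; everything else in this example is constructed.
ARCHIVE_WATCHLIST = {"wine.exe", "ppcore.dll", "appvisvsubsystems64.dll"}


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure ZIP: member names match the article, bodies are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("wine.exe", "AppvIsvSubsystems64.dll", "ppcore.dll"):
            zf.writestr(name, b"MZ" + b"\x00" * 62)  # fake PE header only
        zf.writestr("invitation.pdf", b"%PDF-1.4 dummy")
    return buf.getvalue()


def find_sideload_candidates(zip_bytes: bytes) -> dict:
    """Return {exe_path: [dll names]} for every PE executable that ships with DLLs in its directory.

    A legitimately signed .exe packed next to unsigned DLLs is exactly the shape side-loading needs,
    so the archive deserves analyst review even though the .exe itself is benign.
    """
    by_dir = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if zf.read(info.filename)[:2] != b"MZ":  # only PE files matter here
                continue
            directory, base = posixpath.split(info.filename)
            bucket = by_dir.setdefault(directory, {"exe": [], "dll": []})
            ext = base.lower().rsplit(".", 1)[-1]
            if ext == "exe":
                bucket["exe"].append(base)
            elif ext == "dll":
                bucket["dll"].append(base)
    findings = {}
    for directory, files in by_dir.items():
        if files["exe"] and files["dll"]:
            for exe in files["exe"]:
                findings[posixpath.join(directory, exe)] = sorted(files["dll"])
    return findings


# Constructed `reg query` style output (the Run key is an assumption; the article does not name the key).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    wine        REG_SZ    C:\Users\alice\AppData\Local\Temp\wine\wine.exe
"""

ENTRY = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|Public)\\", re.IGNORECASE)


def find_suspicious_run_entries(reg_output: str) -> list:
    """Return (value name, executable path) for autostart entries that point at a watch-listed
    binary or at an executable living in a user-writable directory."""
    hits = []
    for line in reg_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        name, value = m.groups()
        # The executable is the first token; a quoted path may be followed by arguments.
        exe = value.split('"')[1] if value.startswith('"') else value.split()[0]
        base = exe.rsplit("\\", 1)[-1].lower()
        if base in ARCHIVE_WATCHLIST or USER_WRITABLE.search(exe):
            hits.append((name, exe))
    return hits


if __name__ == "__main__":
    print(find_sideload_candidates(build_sample_archive()))
    print(find_suspicious_run_entries(SAMPLE_REG_QUERY))
```

`find_sideload_candidates` deliberately keys on layout rather than on hashes, so it still flags a repackaged archive where the DLLs have been recompiled; `find_suspicious_run_entries` pairs a name watch-list with a location check, because the name alone is trivial for an operator to change while a Run value that launches from a temp directory stays unusual on a managed workstation.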

GRAPELOADER Capabilities

GRAPELOADER incorporates several advanced features:

  • Anti-analysis techniques including string obfuscation
  • Runtime API resolving
  • Host information collection
  • Data exfiltration to external servers
  • Shellcode retrieval functionality

While the exact payload remains unclear, Check Point identified updated WINELOADER artefacts with matching compilation timestamps, suggesting "GRAPELOADER ultimately leads to the deployment of WINELOADER."

Related Russian Threat Activity

In a separate development, HarfangLab detailed Gamaredon's PteroLNK VBScript malware, used by Russian threat actors to infect connected USB drives. These samples were uploaded to VirusTotal between December 2024 and February 2025 from Ukraine, a primary target of the group.

The PteroLNK malware features:

  • USB drive infection capabilities
  • LNK file dropping functionality
  • Heavily obfuscated VBScript files
  • Modular, multi-stage downloader structure
  • File replacement techniques targeting PDF and Office documents
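Two of the behaviours listed above leave a footprint on the removable drive itself: dropped LNK files and script files next to the documents they are meant to stand in for. The Python below is an added example, not HarfangLab's or Symantec's code, that walks a drive image and reports LNK files sharing a name with a PDF or Office document in the same directory, plus any VBScript present. The directory layout and file names are constructed; treating a name collision between a `.lnk` and a document as suspicious is a heuristic assumed here from the listed behaviours, not a detection rule the article states.

```python
import os
import tempfile

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
LNK_MAGIC = b"L\x00\x00\x00"  # ShellLinkHeader starts with HeaderSize 0x4C, little-endian


def build_sample_drive() -> str:
    """Constructed removable-drive layout: one document shadowed by a same-named .lnk,
    one unrelated .lnk, one document without a twin and one VBScript in a subfolder."""
    root = tempfile.mkdtemp(prefix="usb_")
    layout = {
        "report.pdf": b"%PDF-1.4",
        "report.lnk": LNK_MAGIC + b"\x00" * 72,
        "budget.xlsx": b"PK\x03\x04",
        "notes.lnk": LNK_MAGIC + b"\x00" * 72,
        "Sys/driver.vbs": b"Execute(x)",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    return root


def is_lnk(path: str) -> bool:
    """Confirm the file really carries a Shell Link header, not just a .lnk extension."""
    with open(path, "rb") as f:
        return f.read(4) == LNK_MAGIC


def scan_drive(root: str) -> dict:
    """Return relative paths of (a) .lnk files that shadow a document of the same stem in the same
    directory and (b) VBScript files anywhere on the drive. Both lists are sorted for stable output."""
    findings = {"lnk_shadowing_document": [], "vbscript_present": []}
    for dirpath, _, files in os.walk(root):
        exts_by_stem = {}
        lnk_by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            full = os.path.join(dirpath, name)
            exts_by_stem.setdefault(stem.lower(), set()).add(ext)
            if ext == ".lnk" and is_lnk(full):
                lnk_by_stem[stem.lower()] = full
            elif ext in (".vbs", ".vbe"):
                findings["vbscript_present"].append(os.path.relpath(full, root))
        for stem, lnk_path in lnk_by_stem.items():
            if exts_by_stem[stem] & DOC_EXTS:
                findings["lnk_shadowing_document"].append(os.path.relpath(lnk_path, root))
    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    print(scan_drive(build_sample_drive()))
```

The header check in `is_lnk` keeps a stray file that merely ends in `.lnk` from triggering the shadowing rule, while the stem comparison is case-insensitive because NTFS and FAT volumes are. On a real drive the script is run against the mount point instead of the constructed `tempfile` tree.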

According to Symantec's Threat Hunter team (part of Broadcom), this attack chain distributes an updated version of the GammaSteel stealer through two main payloads masquerading as registry transaction files.

"Gamaredon operates as a critical component of Russia's cyber operations strategy, particularly in its ongoing war with Ukraine," Symantec noted. "Their effectiveness lies not in technical sophistication but in tactical adaptability."
