Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware
Russia-linked cyberespionage group APT29 (aka SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) has launched a sophisticated phishing campaign targeting European diplomatic entities, using a new malware loader codenamed GRAPELOADER. According to the Check Point Research team, this marks the latest attack by APT29, a group known for its highly targeted and sophisticated cyberattacks.
The phishing emails were designed to look like they came from the European Ministry of Foreign Affairs, inviting targets to fake wine-tasting events. The emails contained links that downloaded a malicious file (wine.zip), which hid a legitimate PowerPoint app used for DLL side-loading, a junk-filled DLL as a decoy, and the obfuscated loader GRAPELOADER.
Once executed, the malware maintained persistence via the Windows registry, collected host info, and sent it to the C2 server, awaiting further payloads. If initial attempts failed, follow-up emails were sent. The attack servers were designed to evade detection, only delivering malware under certain conditions, and otherwise redirected victims to the real Ministry website.
While investigating a GRAPELOADER phishing campaign, researchers spotted a new WINELOADER variant. It shares matching Rich-PE headers and timestamps with AppvIsvSubsystems64.dll, suggesting they’re linked in the same attack chain. Since GRAPELOADER replaced ROOTSAW, it’s believed GRAPELOADER ultimately delivers WINELOADER.
GRAPELOADER is a 64-bit DLL (ppcore.dll) used as an initial-stage downloader, triggered via its PPMain function through DLL side-loading by wine.exe. It uses junk code for bloating and employs advanced anti-analysis tactics like string obfuscation, runtime API resolving, and DLL unhooking to evade detection.
GRAPELOADER ensures persistence by copying files to a user directory and adding a registry entry to run wine.exe on startup. It then connects to the C&C server every 60 seconds, sending environment data. After receiving data, it executes shellcode in memory using advanced evasion techniques, making detection difficult.
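The three host behaviours described above (a user-writable executable side-loading a DLL from its own folder, a Run-key entry pointing into a user profile, and a near-constant 60-second beacon) lend themselves to simple endpoint detections. The Python below is an added illustration, not code from Check Point's report or from Security Affairs; the event records are constructed, their field names are this example's own, and the IP addresses come from documentation ranges rather than from the campaign.

```python
from collections import defaultdict
from pathlib import PureWindowsPath
from statistics import mean, pstdev

USER_DIRS = ("\\users\\", "\\appdata\\")   # user-writable locations

# Constructed sample events (not real telemetry); field names are this example's own.
EVENTS = [
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Local\Temp\wine\wine.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\wine\ppcore.dll"},
    {"type": "image_load", "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "module": r"C:\Program Files\Microsoft Office\root\Office16\ppcore.dll"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\alice\AppData\Local\Temp\wine\wine.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "net_connect", "image": "wine.exe", "dst": "198.51.100.7:443", "ts": 0},
    {"type": "net_connect", "image": "wine.exe", "dst": "198.51.100.7:443", "ts": 60},
    {"type": "net_connect", "image": "wine.exe", "dst": "198.51.100.7:443", "ts": 121},
    {"type": "net_connect", "image": "wine.exe", "dst": "198.51.100.7:443", "ts": 180},
    {"type": "net_connect", "image": "chrome.exe", "dst": "203.0.113.5:443", "ts": 3},
    {"type": "net_connect", "image": "chrome.exe", "dst": "203.0.113.5:443", "ts": 9},
    {"type": "net_connect", "image": "chrome.exe", "dst": "203.0.113.5:443", "ts": 240},
]

def in_user_dir(path):
    return any(d in path.lower() for d in USER_DIRS)

def sideload_alerts(events):
    """Executable in a user-writable folder loading a DLL from that same folder."""
    hits = []
    for e in (x for x in events if x["type"] == "image_load"):
        exe, dll = PureWindowsPath(e["image"]), PureWindowsPath(e["module"])
        if in_user_dir(e["image"]) and exe.parent == dll.parent and dll.suffix.lower() == ".dll":
            hits.append((exe.name, dll.name))
    return hits

def run_key_alerts(events):
    """Run-key persistence whose target lives under a user profile."""
    return [e["value"] for e in events if e["type"] == "registry_set"
            and e["key"].endswith("\\Run") and in_user_dir(e["value"])]

def beacon_alerts(events, period=60, jitter=0.1, min_hits=4):
    """(process, destination) pairs that connect at a near-constant interval."""
    series = defaultdict(list)
    for e in (x for x in events if x["type"] == "net_connect"):
        series[(e["image"], e["dst"])].append(e["ts"])
    hits = []
    for key, ts in series.items():
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_hits and abs(mean(gaps) - period) <= period * jitter \
                and pstdev(gaps) <= period * jitter:
            hits.append(key)
    return hits
```

Run against real telemetry, the path heuristics need an allow-list for legitimate per-user installers, and the beacon check should be widened or tightened to match the sleep interval observed in your own environment.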
The malware is highly targeted and leaves no traces of the next-stage payload. The TTPs (Tactics, Techniques, and Procedures) in this campaign closely resemble those of the March 2024 WINELOADER campaign. While the infection chain was slightly modified, with GRAPELOADER replacing ROOTSAW as the initial stage, the core execution method (DLL side-loading and persistence) remained the same.
GRAPELOADER shares key similarities with WINELOADER, including matching compilation timestamps and encryption techniques, indicating both are part of the same APT29 toolkit. This suggests that WINELOADER is likely delivered in later stages of the attack.
"In this report we provide an in-depth analysis of a new wave of targeted phishing attacks aimed at government and diplomatic entities in Europe," concludes the report. "These attacks are linked to the Russian-linked APT29 (also known as Midnight Blizzard or Cozy Bear). The attackers impersonate the Ministry of Foreign Affairs of a European country, sending fake wine-tasting invitations to deploy a new malware called GRAPELOADER."