The notorious Russian state-sponsored hacking group APT29—also known as Cozy Bear or Midnight Blizzard—has launched a stealthy cyber campaign aimed at European diplomatic entities. The campaign leverages a newly identified malware loader dubbed GRAPELOADER, alongside an enhanced version of the previously known WINELOADER backdoor.
According to a technical analysis by Check Point Research, GRAPELOADER functions as an initial-stage loader designed for fingerprinting systems, maintaining persistence, and delivering payloads. While WINELOADER continues to serve as a modular backdoor, both malware strains share obfuscated codebases, anti-analysis tactics, and advanced string decryption techniques.
How APT29 Delivers GRAPELOADER: Wine-Themed Phishing Emails
The attack starts with spear-phishing emails masquerading as wine-tasting invitations from a European Ministry of Foreign Affairs. These fraudulent messages entice targets into downloading a malware-laced ZIP file, wine.zip, from domains such as bakenhof[.]com and silry[.]com.
The ZIP archive contains:
- wine.exe, a legitimate PowerPoint executable that serves as the launcher
- AppvIsvSubsystems64.dll, a legitimate dependency that wine.exe needs in order to start
- ppcore.dll, the malicious DLL carrying GRAPELOADER, which wine.exe loads from its own directory (DLL sideloading)
Because the malicious code runs inside a legitimate, trusted process, this sideloading step lets GRAPELOADER slip past defenses that judge only the launching executable and then deploy the next stage quietly.
GRAPELOADER: A Silent, Persistent Intruder
Once executed, GRAPELOADER establishes persistence by adding an autorun entry to the Windows Registry, so that wine.exe, and the sideloaded DLL with it, is launched again after every reboot. The malware then contacts a remote command-and-control server and downloads the next-stage shellcode, believed to be WINELOADER.
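The two host artefacts described above, an autorun entry and a legitimate executable sitting beside a planted DLL, are what a responder would look for first. The following PowerShell triage script is an added example, not code from the article or from Check Point's report. It walks the user and machine Run keys, flags entries that launch from outside the normal program directories, and then checks the target directory for a validly signed EXE next to DLLs that carry no valid signature. It assumes that a renamed legitimate binary such as wine.exe still carries its Authenticode signature and its original filename in version information, and that the planted DLL (ppcore.dll in this campaign) is unsigned; the trusted-root list is likewise an assumption to be tuned per environment.

```powershell
# Added example, not from the article or Check Point's report: hunt for a Run-key autorun that
# points outside the usual program directories and, in the directory it points to, a signed EXE
# sitting beside unsigned DLLs (the DLL sideloading pattern used to load GRAPELOADER).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Autoruns launched from these roots are treated as expected; everything else is reviewed.
# (Assumption: adjust for software that legitimately autoruns from other locations.)
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

function Get-CommandPath {
    # Pull the executable path out of a Run value such as '"C:\dir\wine.exe" /arg' or 'C:\dir\wine.exe'.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-SideloadCandidate {
    # Report a directory that holds a validly signed EXE next to at least one DLL that is not signed.
    param([string]$Directory)
    if (-not $Directory -or -not (Test-Path -LiteralPath $Directory)) { return $null }
    $exes = Get-ChildItem -LiteralPath $Directory -Filter *.exe -File -ErrorAction SilentlyContinue
    $dlls = Get-ChildItem -LiteralPath $Directory -Filter *.dll -File -ErrorAction SilentlyContinue
    $signedExes   = @($exes | Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid' })
    $unsignedDlls = @($dlls | Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' })
    if ($signedExes.Count -eq 0 -or $unsignedDlls.Count -eq 0) { return $null }
    # A signed binary whose on-disk name differs from the name compiled into its version info
    # (wine.exe in this campaign) is a strong hint that a legitimate program was renamed to act as host.
    $renamed = @($signedExes | Where-Object {
        $orig = $_.VersionInfo.OriginalFilename
        $orig -and ($orig -ne $_.Name)
    })
    [pscustomobject]@{
        Directory    = $Directory
        SignedExe    = ($signedExes.Name -join ', ')
        RenamedExe   = (($renamed | ForEach-Object { "$($_.Name) (built as $($_.VersionInfo.OriginalFilename))" }) -join ', ')
        UnsignedDlls = ($unsignedDlls.Name -join ', ')
    }
}

function Find-SuspiciousAutorun {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $entry = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $entry.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...)
            $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandPath ([string]$prop.Value)))
            if (-not $exe) { continue }
            $trusted = $trustedRoots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
            if ($trusted) { continue }
            Write-Output "Autorun outside trusted roots: $key\$($prop.Name) -> $exe"
            $hit = Test-SideloadCandidate -Directory (Split-Path -Path $exe -Parent)
            if ($hit) { $hit | Format-List }
        }
    }
}

Find-SuspiciousAutorun
```

Run it in an elevated session so the HKLM key and other users' directories are readable. The signature check is deliberately asymmetric: a signed EXE is the sideloading host, not the threat, so the script only raises an alert when an unsigned DLL sits beside it, which keeps ordinary installed software out of the results.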
Check Point’s analysis reveals that GRAPELOADER has replaced ROOTSAW, a former HTA downloader, confirming its role in the APT29 infection chain.
A Wider Campaign: Diplomats in Europe and the Middle East Targeted
The cyber espionage effort appears to primarily target:
- Ministries of Foreign Affairs across Europe
- Foreign embassies within Europe
- Possibly diplomatic missions in the Middle East
This indicates a broad geopolitical motive, aligning with Russia’s intelligence-gathering strategies.
Gamaredon Resurfaces with PteroLNK Malware Campaign
In parallel, the Gamaredon threat group, another actor tied to Russian cyber operations, has ramped up attacks using PteroLNK, a VBScript-based malware family that spreads through USB drives by planting LNK files and PowerShell scripts on them.
Key Findings by HarfangLab and ESET:
1. PteroLNK actively drops LNK files to all connected drives
2. Scripts are heavily obfuscated and execute every few minutes
3. The malware replaces common files (.pdf, .docx, .xlsx) with shortcut files that trigger malware execution
4. Designed for modularity, rapid deployment, and evasion
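The behaviours in that list leave a recognisable trace on removable media: shortcut files that launch a script host, often named after the document they replaced. The script below is an added example, not code from the article or from the HarfangLab, ESET or Symantec reports. It enumerates removable drives and reports every .lnk file that either points at a script interpreter or carries a document-style name such as report.pdf.lnk; the interpreter list and the document extensions are assumptions about what such shortcuts typically target and mimic, not indicators taken from the reports.

```powershell
# Added example, not from the article or the vendor reports: sweep removable drives for shortcut
# files that launch a script host or impersonate a document, the traits PteroLNK is described as leaving.

$scriptHosts   = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'cmd.exe')  # assumption
$docExtensions = @('.pdf', '.docx', '.doc', '.xlsx', '.xls', '.pptx')                                    # assumption
$wsh = New-Object -ComObject WScript.Shell   # resolves a shortcut's target path and arguments

function Get-SuspiciousLnk {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Filter *.lnk -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk    = $wsh.CreateShortcut($_.FullName)
            $target = [System.IO.Path]::GetFileName([string]$lnk.TargetPath).ToLowerInvariant()
            $stem   = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)   # 'report.pdf' for 'report.pdf.lnk'
            $mimics = $docExtensions -contains [System.IO.Path]::GetExtension($stem).ToLowerInvariant()
            if (($scriptHosts -contains $target) -or $mimics) {
                [pscustomobject]@{
                    Shortcut       = $_.FullName
                    Target         = $lnk.TargetPath
                    Arguments      = $lnk.Arguments
                    LaunchesScript = ($scriptHosts -contains $target)
                    MimicsDocument = $mimics
                    # Whether a file with the mimicked name still sits beside the shortcut.
                    TwinPresent    = ($mimics -and (Test-Path -LiteralPath (Join-Path $_.DirectoryName $stem)))
                    Hidden         = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
                }
            }
        }
}

# DriveType 2 = removable; use Get-PSDrive -PSProvider FileSystem instead to sweep every volume.
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { Get-SuspiciousLnk -Root ($_.DeviceID + '\') }
```

The Arguments column is the part worth reading: a shortcut whose target is a script host and whose arguments point at a hidden or oddly named file on the same drive is the pattern to triage, while -Force is needed because such shortcuts and their companion scripts are frequently given the hidden attribute.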
Symantec Threat Hunter identified similar payloads (NTUSER.DAT.TMContainer...
) linked to the GammaSteel stealer. These findings highlight Gamaredon’s focus on impact over stealth, using aggressive and adaptive strategies to maintain persistent access.
Final Thoughts
APT29’s deployment of GRAPELOADER showcases the evolving sophistication of state-sponsored cyber espionage. By using seemingly harmless wine-tasting themes and stealthy sideloading techniques, these actors continue to bypass traditional defenses.
As threats grow more deceptive and multi-layered, organizations—especially those in diplomatic and government sectors—must bolster their defenses with behavioral detection, network segmentation, and ongoing threat intelligence monitoring.