InsighthubNews
© 2024 All Rights Reserved | Powered by Insighthub News
APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures

April 20, 2025
GRAPELOADER Malware Targeting European Diplomats
The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign targeting European diplomatic entities with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.

“While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery.”

“Despite their different roles, both share similarities in code structure, obfuscation, and string decoding. GRAPELOADER improves on WINELOADER’s anti-analysis techniques while introducing more advanced stealth methods.”

The use of WINELOADER was first documented in February 2024 by Zscaler ThreatLabz, with the attacks harnessing wine-themed lures to infect the systems of diplomatic staff.

The campaign was initially attributed to a threat activity cluster named SPIKEDWINE, but subsequent analysis by Google-owned Mandiant connected it to APT29 (aka Cozy Bear or Midnight Blizzard), a hacking group affiliated with Russia’s Foreign Intelligence Service (SVR).

The latest set of attacks involves sending email invitations impersonating an unspecified European Ministry of Foreign Affairs to a wine-tasting event, luring recipients into clicking a link that delivers a malware-laced ZIP archive (“Wine.zip”), which in turn triggers the deployment of GRAPELOADER. The emails were sent from the domains Bakenhof(.)com and silky(.)com.

The campaign is said to have singled out several European countries, with a specific focus on Ministries of Foreign Affairs, as well as the embassies of other European countries. There are indications that Middle East-based diplomats may also have been targeted.

The ZIP archive contains three files: a DLL (“appvisvsubsystems64.dll”) that acts as a dependency for running a legitimate PowerPoint executable (“Wine.exe”), and the malicious DLL that is sideloaded by that executable and acts as the loader (i.e., GRAPELOADER) that drops the main payload.

The malware gains persistence by modifying the Windows Registry so that the “Wine.exe” executable is launched every time the system is rebooted.

GRAPELOADER Malware Targeting European Diplomats

In addition to incorporating anti-analysis techniques such as string obfuscation and runtime API resolving, GRAPELOADER is designed to collect basic information about the infected host and send it to an external server in order to retrieve the next-stage shellcode.

The exact nature of the payload is unknown, but Check Point said it identified updated WINELOADER artifacts uploaded to the VirusTotal platform with a compilation timestamp matching that of “AppVisvSubsyStems64.dll”.

“We believe this information, and the fact that GRAPELOADER has replaced ROOTSAW, the HTA downloader used in past campaigns to deliver WINELOADER, means it will ultimately lead to the deployment of WINELOADER,” the cybersecurity company said.

The findings come as HarfangLab detailed Gamaredon’s PteroLNK VBScript malware, which the Russian threat actor uses, in VBScript or PowerShell versions, to infect all connected USB drives. The PteroLNK samples were uploaded to VirusTotal from Ukraine, the hacking group’s main target, between December 2024 and February 2025.

“When deployed on a system, both tools repeatedly try to detect attached USB drives and drop LNK files, and sometimes even copies of PteroLNK, onto them,” ESET said in September 2024.

The French cybersecurity company explained that the PteroLNK VBScript file, when run, is responsible for dynamically building both the downloader and the LNK dropper. The downloader is scheduled to run every 3 minutes, while the LNK dropper script is configured to run every 9 minutes.

The downloader adopts a modular, multi-stage structure to reach out to a remote server and fetch additional malware. The LNK dropper, meanwhile, propagates to local and network drives, hiding the existing .pdf, .docx, and .xlsx files in the root of each drive and placing deceptive shortcut counterparts alongside them. These shortcuts are designed to run PteroLNK instead of the original file when launched.
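The decoy-shortcut behaviour described above leaves a detectable trace on a drive root. The following is an added example (not code from the article, HarfangLab, or any vendor) that scans a directory for .lnk files that impersonate a document and reference a script host; the file names, byte layout, and the `mirrored_document`/`scan_root`/`demo` helpers are constructed for illustration, and the sample shortcuts are stub files carrying only a ShellLink header and a target string, not real samples.

```python
import re
import tempfile
from pathlib import Path

# ShellLink header: HeaderSize 0x4C, then the LNK CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOC_EXTS = (".pdf", ".docx", ".xlsx")
# A decoy shortcut that launches a VBScript/PowerShell payload names one of these hosts
SCRIPT_HOST = re.compile(rb"(wscript|cscript|powershell|mshta)\.exe", re.IGNORECASE)

def mirrored_document(lnk: Path):
    """Return the document a shortcut impersonates, or None: 'report.pdf.lnk' shows as
    'report.pdf' when extensions are hidden; 'report.lnk' beside 'report.pdf' is the same trick."""
    inner = Path(lnk.stem)                      # 'report.pdf.lnk' -> 'report.pdf'
    if inner.suffix.lower() in DOC_EXTS:
        return lnk.with_name(inner.name)
    for ext in DOC_EXTS:                        # 'report.lnk' -> look for 'report.pdf' etc.
        sibling = lnk.with_name(inner.name + ext)
        if sibling.exists():
            return sibling
    return None

def scan_root(root: str) -> list:
    """Flag .lnk files in a drive or share root that mirror a document and reference a script host."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".lnk":
            continue
        data = entry.read_bytes()
        if data[:20] != LNK_MAGIC:
            continue                            # not a real shortcut, skip it
        doc, host = mirrored_document(entry), SCRIPT_HOST.search(data)
        if doc is not None and host:
            findings.append({"lnk": entry.name, "mirrors": doc.name,
                             "host": host.group(0).decode().lower()})
    return findings

def build_sample_root(root: str) -> None:
    """Write a constructed directory layout (not real samples) for a dry run."""
    r, pad = Path(root), LNK_MAGIC + b"\0" * 56
    (r / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed")
    (r / "invoice.pdf.lnk").write_bytes(pad + b"C:\\Windows\\System32\\wscript.exe")
    (r / "budget.xlsx").write_bytes(b"PK constructed")
    (r / "budget.lnk").write_bytes(pad + b"cscript.exe")
    (r / "tools.lnk").write_bytes(pad + b"notepad.exe")  # benign: mirrors no document

def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        return scan_root(tmp)
```

On a live system the same scan would be pointed at each removable and mapped drive root; a hit on both conditions (mirrored document plus script-host target) is the signal worth alerting on, since benign shortcuts rarely satisfy both.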

“The scripts are designed to allow operator flexibility, enabling easy changes to file names and paths, persistence mechanisms (registry keys and scheduled tasks), and detection logic for the target system’s security solutions,” says HarfangLab.

It is worth noting that the downloader and the LNK dropper refer to the same two payloads that Symantec’s Threat Hunter Team, part of Broadcom, revealed earlier this month as part of an attack chain distributing an updated version of the GammaSteel stealer.

  • ntuser.dat.tmcontainer00000000001.regtrans-ms (downloader)
  • nttuser.dat.tmcontainer00000000002.REGTRANS-MS (LNK Dropper)

“Gamaredon operates as a key component of Russia’s cyber operations strategy, particularly in the ongoing war with Ukraine,” the company said. “Gamaredon’s effectiveness lies in its tactical adaptability, not its technical refinement.”

“These methods combine aggressive spear-phishing campaigns, rapid deployment of heavily obfuscated custom malware, and redundant C2 infrastructure. The group prioritizes operational impact over stealth, as exemplified by long-running domains that expose DDRs from past operations.”
