A new spear-phishing campaign attributed to Russian state-sponsored hacking group Midnight Blizzard (also known as Cozy Bear or APT29) has been discovered targeting European diplomatic entities, including embassies, according to cybersecurity firm Check Point Research.
The campaign, active since January 2025, employs a deceptive email disguised as a wine-tasting event invitation from a spoofed Ministry of Foreign Affairs address. The phishing emails include a malicious link that, when clicked under specific conditions, delivers a ZIP archive titled wine.zip. If the conditions aren't met, the victim is redirected to a legitimate government site, adding credibility to the ruse.
The archive contains three components: a legitimate PowerPoint executable renamed wine.exe, a DLL that the executable loads, and a new malicious loader dubbed GrapeLoader. The attack relies on DLL sideloading to execute the malware, which gathers host system data, establishes persistence via Windows Registry changes, and communicates with a remote server to retrieve additional malicious code.
GrapeLoader appears to replace the group's older RootSaw loader, adding stealth techniques such as marking memory regions PAGE_NOACCESS and delaying shellcode execution via ResumeThread to evade antivirus and endpoint detection tools.
Once deployed, GrapeLoader facilitates the delivery of a new variant of WineLoader, a modular backdoor disguised as a VMware Tools DLL. WineLoader collects detailed system information such as IP addresses, process names, usernames, and privilege levels.
Check Point researchers say that the new WineLoader variant is significantly more complex, featuring heavy obfuscation, including RVA duplication, export table inconsistencies, and junk code to impede reverse engineering. The researchers say they were unable to capture the full capabilities of WineLoader's second-stage payload because the malware executes in memory and the campaign is precisely targeted.