APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures

The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that’s targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.

“While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery,” Check Point said in a technical analysis published earlier this week.

“Despite differing roles, both share similarities in code structure, obfuscation, and string decryption. GRAPELOADER refines WINELOADER’s anti-analysis techniques while introducing more advanced stealth methods.”

The use of WINELOADER was first documented by Zscaler ThreatLabz in February 2024, with the attacks leveraging wine-tasting lures to infect diplomatic staff systems.

While the campaign was first attributed to a threat activity cluster named SPIKEDWINE, a subsequent analysis by Google-owned Mandiant connected it to the APT29 (aka Cozy Bear or Midnight Blizzard) hacking group, which is affiliated with Russia’s Foreign Intelligence Service (SVR).

The latest set of attacks entails sending email invites impersonating an unspecified European Ministry of Foreign Affairs to targets for wine-tasting events, coaxing them into clicking a link that triggers the deployment of GRAPELOADER by means of a malware-laced ZIP archive (“wine.zip”). The emails were sent from the domains bakenhof[.]com and silry[.]com.

The campaign is said to have mainly singled out multiple European countries with a specific focus on Ministries of Foreign Affairs, as well as other countries’ embassies in Europe. There are indications that diplomats based in the Middle East may also have been targeted.

The ZIP archive contains three files: A DLL (“AppvIsvSubsystems64.dll”) that serves as a dependency for running a legitimate PowerPoint executable (“wine.exe”), which is then exploited for DLL side-loading to launch a malicious DLL (“ppcore.dll”). The sideloaded malware functions as a loader (i.e., GRAPELOADER) to drop the main payload.

The malware gains persistence by modifying the Windows Registry to ensure that the “wine.exe” executable is launched every time the system is rebooted.

GRAPELOADER, in addition to incorporating anti-analysis techniques like string obfuscation and runtime API resolving, is designed to collect basic information about the infected host and exfiltrate it to an external server in order to retrieve the next-stage shellcode.

Although the exact nature of the payload is unclear, Check Point said it identified updated WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching that of “AppvIsvSubsystems64.dll.”

“With this information, and the fact that GRAPELOADER replaced ROOTSAW, an HTA downloader used in past campaigns to deliver WINELOADER, we believe that GRAPELOADER ultimately leads to the deployment of WINELOADER,” the cybersecurity company said.

The findings come as HarfangLab detailed Gamaredon’s PteroLNK VBScript malware, which is used by the Russian threat actor to infect all connected USB drives with VBScript or PowerShell versions of the malicious program. The PteroLNK samples were uploaded to VirusTotal between December 2024 and February 2025 from Ukraine, a primary target of the hacking group.

“Both tools, when deployed on a system, repeatedly attempt to detect connected USB drives, in order to drop LNK files and in some cases also a copy of PteroLNK onto them,” ESET noted in September 2024. “Clicking on a LNK file can, depending on the particular PteroLNK version that created it, either directly retrieve the next stage from a C2 server, or execute a PteroLNK copy to download additional payloads.”

The French cybersecurity firm described PteroLNK VBScript files as heavily obfuscated and responsible for dynamically constructing a downloader and an LNK dropper during execution. While the downloader is scheduled to execute every 3 minutes, the LNK dropper script is configured to run every 9 minutes.

The downloader employs a modular, multi-stage structure to reach out to a remote server and fetch additional malware. The LNK dropper, on the other hand, propagates through local and network drives, replacing existing .pdf, .docx, and .xlsx files in the root of the directory with deceptive shortcut counterparts and hiding the original files. These shortcuts, when launched, are engineered to run PteroLNK instead.

“The scripts are designed to allow flexibility for their operators, enabling easy modification of parameters such as file names and paths, persistence mechanisms (registry keys and scheduled tasks), and detection logic for security solutions on the target system,” HarfangLab said.

It’s worth noting that the downloader and the LNK dropper refer to the same two payloads that the Symantec Threat Hunter team, part of Broadcom, revealed earlier this month as part of an attack chain distributing an updated version of the GammaSteel stealer –

• NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms (Downloader)
• NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms (LNK dropper)

“Gamaredon operates as a critical component of Russia’s cyber operations strategy, particularly in its ongoing war with Ukraine,” the company said. “Gamaredon’s effectiveness lies not in technical sophistication but in tactical adaptability.”

“Their modus operandi combines aggressive spearphishing campaigns, rapid deployment of heavily obfuscated custom malware, and redundant C2 infrastructure. The group prioritizes operational impact over stealth, exemplified by pointing their DDRs to long-standing domains publicly linked to their past operations.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Some parts of this article are sourced from:
thehackernews.com