Full Report
Highlights
Introduction
Starting in January 2025, Check Point Research (CPR) has been tracking a wave of targeted phishing attacks aimed at European governments and diplomats. The Tactics, Techniques and Procedures (TTPs) observed in this campaign align with the WINELOADER campaigns, which were attributed to APT29, a Russia-linked threat group. APT29, also commonly referred to as Midnight Blizzard […]
The post Renewed APT29 Phishing Campaign Against European Diplomats appeared first on Check Point Research.
Analysis Summary
# Threat Actor: APT29 (Midnight Blizzard / Cozy Bear)
## Attribution & Identity
The threat actor is **APT29**, a Russia-linked group.
Known aliases include **Midnight Blizzard** and **Cozy Bear**.
The group is associated with high-profile cyber espionage activities, including the **SolarWinds supply chain attack**.
## Activity Summary
Check Point Research is tracking an advanced phishing campaign, launched around January 2025, that appears to be a continuation of the earlier WINELOADER campaigns. The campaign impersonates a major European foreign affairs ministry to distribute malicious invitations, primarily to "wine tasting events," in order to compromise diplomatic entities. The actor uses a tailored approach: links either lead to malware deployment or redirect to the official Ministry website to avoid initial detection.
## Tactics, Techniques & Procedures
- **Initial Access:** Targeted spear-phishing emails impersonating a Ministry of Foreign Affairs, encouraging clicks on malicious links (e.g., leading to `wine.zip` downloads).
- **Delivery/Loader:** Deployment of a new initial-stage loader named **GRAPELOADER**.
- **Persistence/Payload Delivery:** Use of a new, improved variant of the **WINELOADER** backdoor in later stages.
- **Execution Method:** DLL side-loading through a legitimate PowerPoint executable (`wine.exe`), packaged together with a dummy dependency DLL (`AppvIsvSubsystems64.dll`).
- **Anti-Analysis:** GRAPELOADER features refined anti-analysis techniques and advanced stealth methods compared to its predecessor, WINELOADER.
- **Communication/Data Exfiltration:** WINELOADER uses an embedded **RC4 key** for string decryption and communication encryption with the C2 server.
- **Delivery Artifacts:** Malicious archive named `wine.zip`.
## Targeting
- **Sectors:** Diplomatic entities, European governments, Ministries of Foreign Affairs.
- **Geography:** European diplomatic entities, including embassies of non-European countries located in Europe. Limited indications of targeting outside Europe (e.g., diplomats in the Middle East).
- **Victims:** Ministries of Foreign Affairs across multiple European countries.
## Tools & Infrastructure
- **Malware Families used:**
  - **GRAPELOADER:** Newly observed initial-stage loader (DLL: `ppcore.dll`).
  - **WINELOADER:** Modular backdoor variant active in later stages.
- **Infrastructure (C2, domains, IPs):**
  - **Phishing Domains:** `bakenhof[.]com`, `silry[.]com`
  - **Command and Control (C2):** `ophibre[.]com`, `bravecup[.]com`
  - **Download URLs:** `hxxps://silry[.]com/inva.php`, `hxxps://bakenhof[.]com/invb.php`
## Implications
APT29 continues to conduct highly targeted and sophisticated espionage operations against European diplomatic infrastructure using evolving custom malware (GRAPELOADER and updated WINELOADER). The reliance on social engineering (impersonating official entities regarding cultural events) and advanced stealth/anti-analysis techniques indicates a high-capability actor focused on long-term persistence and intelligence gathering from sensitive governmental targets.
## Mitigations
- Implement stringent email gateway security, specifically focusing on suspicious links embedded in external communications, especially those related to high-profile events or ministries.
- Develop detection rules specifically targeting the known initial execution chain (DLL side-loading via abused legitimate executables such as `wine.exe`).
- Monitor network traffic for communication attempts to identified C2 domains (`ophibre[.]com`, `bravecup[.]com`).
- Maintain awareness of APT29's TTPs, particularly their use of contextually relevant social engineering themes (e.g., diplomatic events).
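As an added defensive example (not part of the Check Point report or its tooling), the following Python triage script applies the execution-chain and C2 indicators above to constructed Sysmon-style image-load and DNS-query events; the Office install prefixes and the simplified event field names are assumptions.

```python
"""Added detection example (not Check Point's code) for the GRAPELOADER chain
described above: wine.exe side-loading ppcore.dll / AppvIsvSubsystems64.dll from
a user directory, and DNS lookups of the published C2 domains."""
from pathlib import PureWindowsPath

# Indicators taken from the report above.
SIDELOAD_DLLS = {"ppcore.dll", "appvisvsubsystems64.dll"}
C2_DOMAINS = {"ophibre.com", "bravecup.com"}
# ppcore.dll is also a genuine Office module; only loads from outside the
# Office install tree are treated as side-loading (assumed trusted prefixes).
TRUSTED_PREFIXES = (r"c:\program files\microsoft office",
                    r"c:\program files (x86)\microsoft office")

def is_suspicious_image_load(event):
    """True if a DLL named like the side-loaded modules is loaded from an
    untrusted directory (e.g. the extracted wine.zip folder)."""
    image = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() not in SIDELOAD_DLLS:
        return False
    return not str(image.parent).lower().startswith(TRUSTED_PREFIXES)

def is_c2_lookup(event):
    """True if the queried name is one of the C2 domains or a subdomain."""
    name = event["QueryName"].lower().rstrip(".")
    return name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS)

def triage(events):
    """Return (rule, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["EventID"] == 7 and is_suspicious_image_load(ev):
            hits.append(("sideload", ev))
        elif ev["EventID"] == 22 and is_c2_lookup(ev):
            hits.append(("c2-dns", ev))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"EventID": 7, "Image": r"C:\Users\u\Downloads\wine\wine.exe", "ImageLoaded": r"C:\Users\u\Downloads\wine\ppcore.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE", "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\ppcore.dll"},
    {"EventID": 22, "Image": r"C:\Users\u\Downloads\wine\wine.exe", "QueryName": "ophibre.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "update.microsoft.com"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev["Image"], ev.get("ImageLoaded", ev.get("QueryName")))
```

Running the script flags the user-directory `ppcore.dll` load and the `ophibre.com` lookup while leaving the genuine Office load and the benign DNS query alone.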