APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats

A sophisticated cyber-espionage operation attributed to the Russian-linked group APT29, also known as Midnight Blizzard or Cozy Bear, has been uncovered targeting European diplomatic entities.

Starting in January 2025, Check Point Research (CPR) observed a coordinated phishing campaign in which the attackers impersonated a prominent European Ministry of Foreign Affairs and distributed malicious invitations to fabricated wine-tasting events.

The emails carried links to a new initial-stage loader, dubbed GRAPELOADER, marking a notable evolution in the group's tooling.

APT29, which was linked to the 2020 SolarWinds supply chain attack, has a long history of targeting governmental and diplomatic organizations.

In this latest campaign, the group continues leveraging socially engineered phishing lures to initiate infection chains.

The attack emails, sent from domains such as bakenhof[.]com and silry[.]com, mimicked legitimate diplomatic correspondence to get past both mail filtering and the recipients' suspicion, and contained clickable links to malicious ZIP archives hosted on those same domains.

Figure: High-level overview of GRAPELOADER infections.

GRAPELOADER: Technical Deep Dive

The infection chain begins with the download of a malicious archive named wine.zip, which contains three files: a legitimate PowerPoint executable (wine.exe) abused for DLL side-loading, a junk-code-laced dependency DLL it loads (AppvIsvSubsystems64.dll), and the main payload, a heavily obfuscated DLL (ppcore.dll) identified as GRAPELOADER.

Upon execution, GRAPELOADER establishes persistence by copying the dropped files to the user's AppData directory and adding a Windows registry Run key that points to them, so the loader is launched again at every user logon and therefore survives reboots.
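A hunting script for the two artifacts just described, the three-file side-loading bundle on disk and a Run-key value launching it from AppData, is given below as an added example for this write-up; it is not Check Point's tooling. The sample directory tree and the `reg query` text are constructed for illustration and are not captured from an infected host, and the file contents are placeholders rather than the real samples.

```python
"""Hunt for the on-disk and registry artefacts described above: the
wine.exe / AppvIsvSubsystems64.dll / ppcore.dll side-loading bundle and a
Run-key value that launches it from AppData.  Added example for this write-up,
not Check Point's tooling.  The sample tree and the `reg query` text are
constructed here for illustration, not captured from an infected host.
"""
import os
import re
import tempfile

# File names reported for the wine.zip bundle.  All three must sit in one
# directory for side-loading to work, so the triple is the signal, not wine.exe alone.
SIDELOAD_BUNDLE = {"wine.exe", "appvisvsubsystems64.dll", "ppcore.dll"}

# One `reg query ...\Run` value line: name, type, data.  Value names containing
# spaces are not handled by this simple pattern (limitation of the example).
_REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
# Image path inside the value data: either a quoted path or everything up to the
# first executable-looking extension (so trailing arguments are dropped).
_IMAGE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|cmd|bat|ps1))', re.IGNORECASE)


def find_sideload_bundles(root):
    """Return every directory under `root` holding all three bundle file names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if SIDELOAD_BUNDLE <= {f.lower() for f in files}:
            hits.append(dirpath)
    return sorted(hits)


def parse_run_entries(reg_text):
    """Parse `reg query` output into (value_name, image_path, full_command) tuples."""
    entries = []
    for line in reg_text.splitlines():
        m = _REG_LINE.match(line)
        if not m:
            continue  # key header line or blank line
        name, _type, data = m.groups()
        p = _IMAGE.match(data)
        image = (p.group(1) or p.group(2)) if p else data
        entries.append((name, image, data))
    return entries


def suspicious_run_entries(reg_text, bundle_dirs=()):
    """Flag Run values whose image lives in a detected bundle directory (high
    confidence) or anywhere under AppData (triage only: many legitimate
    updaters also launch from there)."""
    bundle_dirs = {os.path.normcase(os.path.normpath(d)) for d in bundle_dirs}
    flagged = []
    for name, image, _cmd in parse_run_entries(reg_text):
        image_dir = os.path.normcase(os.path.normpath(os.path.dirname(image)))
        if image_dir in bundle_dirs:
            flagged.append((name, image, "sideload bundle directory"))
        elif "appdata" in image.lower():
            flagged.append((name, image, "runs from AppData"))
    return flagged


def build_sample_dir():
    """Constructed sample tree: a complete bundle under AppData\\Roaming\\wine and a
    lone, unrelated wine.exe that must not be reported.  File contents are
    placeholders, not the real samples."""
    root = tempfile.mkdtemp(prefix="grapeloader_hunt_")
    bundle = os.path.join(root, "AppData", "Roaming", "wine")
    os.makedirs(bundle)
    for name in ("wine.exe", "AppvIsvSubsystems64.dll", "ppcore.dll"):
        with open(os.path.join(bundle, name), "wb") as fh:
            fh.write(b"placeholder bytes, not the real sample")
    decoy = os.path.join(root, "Program Files", "Acme")
    os.makedirs(decoy)
    with open(os.path.join(decoy, "wine.exe"), "wb") as fh:
        fh.write(b"unrelated binary that happens to share the name")
    return root


def sample_reg_output(root):
    """Constructed `reg query HKCU\\...\\Run` text: two benign-looking values plus
    one that launches the bundle created by build_sample_dir()."""
    bundle_exe = os.path.join(root, "AppData", "Roaming", "wine", "wine.exe")
    return (
        "\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
        '    OneDrive    REG_SZ    "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background\n'
        "    Discord     REG_SZ    C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe\n"
        f"    wine        REG_SZ    {bundle_exe}\n"
    )


if __name__ == "__main__":
    sample_root = build_sample_dir()
    bundles = find_sideload_bundles(sample_root)
    print("side-loading bundles:", bundles)
    for name, image, reason in suspicious_run_entries(sample_reg_output(sample_root), bundles):
        print(f"Run value {name!r} -> {image} [{reason}]")
```

On a live host, feed `find_sideload_bundles` the user profile root and `suspicious_run_entries` the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent). The AppData heuristic deliberately over-reports, as the constructed Discord entry shows; the co-location of all three bundle files is the high-confidence signal.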

GRAPELOADER's primary role is to fingerprint the infected host, send basic system information (such as hostname and username) to its command-and-control (C2) server, and await further instructions.

Figure: GRAPELOADER C2 communication.

Communication with the C2 server at ophibre[.]com takes place over encrypted HTTPS POST requests. The malware also employs layered anti-analysis measures: multi-stage string obfuscation, runtime API resolving, in-memory DLL unhooking, and code bloated with junk instructions.

The loader's evasion tactics further include executing its next stage as shellcode in memory, which minimizes on-disk artifacts, and changing the protection of that shellcode's memory in stages so that it is not readable or executable until shortly before it runs, delaying the point at which endpoint security products can observe the payload.

Evolution of WINELOADER

Parallel to the detection of GRAPELOADER, security researchers observed a new variant of the WINELOADER backdoor, a modular and obfuscated malware previously associated with APT29.

The new variant, delivered as vmtools.dll, employs a unique export structure and self-modifying code to further complicate static analysis.

WINELOADER’s updated string and C2 communication encryption routines echo those found in GRAPELOADER, highlighting shared development practices and toolset evolution within the APT29 group.

Both malware families now RC4-encrypt their strings and C2 traffic and zero the decrypted buffers immediately after use, so plaintext is never at rest in memory; this significantly impedes automated analysis tools that rely on recovering strings from memory dumps.
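The decrypt-use-wipe pattern described above is shown below as an added illustration for this write-up; it is not code recovered from GRAPELOADER or WINELOADER. The key and the encrypted blob are constructed here, and the implants' actual key derivation and blob layout are not documented on this page.

```python
"""RC4 decrypt-use-wipe pattern, as described above for GRAPELOADER and the new
WINELOADER variant.  Added illustration for this write-up, not code recovered
from either sample: the key and blobs below are constructed, and the implants'
real key derivation and blob layout are not documented on this page.
"""


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling: permute 0..255 under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytearray:
    """RC4 keystream XOR; symmetric, so one routine both encrypts and decrypts.
    Returns a mutable bytearray so the caller can wipe the plaintext in place."""
    S = rc4_ksa(key)
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[n] = byte ^ S[(S[i] + S[j]) & 0xFF]
    return out


def decrypt_use_wipe(key: bytes, blob: bytes, consumer):
    """Decrypt `blob`, hand the plaintext to `consumer` through a memoryview, then
    overwrite the buffer with zeros before returning.  The plaintext exists only
    for the duration of the call, so a memory dump taken before or after it shows
    ciphertext or zeros, never the string.  Returns (consumer_result, residue),
    where residue is the wiped buffer an analyst would find afterwards."""
    buf = rc4_crypt(key, blob)
    try:
        with memoryview(buf) as view:   # released on exit so the wipe can proceed
            result = consumer(view)
    finally:
        buf[:] = bytes(len(buf))        # zero in place; same length, no reallocation
    return result, buf


# Constructed demo values (not the implants' key or data): a per-string key and a
# blob produced with the same routine, standing in for an embedded encrypted string.
DEMO_KEY = b"example-key-not-from-sample"
DEMO_BLOB = bytes(rc4_crypt(DEMO_KEY, b"https://c2.example.invalid/"))

if __name__ == "__main__":
    url, residue = decrypt_use_wipe(DEMO_KEY, DEMO_BLOB, lambda v: bytes(v).decode())
    print("decrypted:", url)
    print("buffer after wipe:", residue.hex())
```

The practical consequence for analysts is that string extraction from a memory dump yields nothing useful; the strings have to be recovered by hooking or emulating the decryption routine, or by carving the blobs and keys from the binary and running them through RC4 as above. Note that in Python the `str` the consumer returns is an immutable copy that cannot itself be wiped; in the native implants the consumer works directly on the buffer.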

The indicators of compromise listed at the end of this article serve as critical detection and prevention points for organizations at risk, particularly those within government and diplomatic sectors in Europe and, potentially, the Middle East.

The current APT29 campaign underscores the group’s continued investment in sophisticated, customized malware toolsets and evolving anti-forensic techniques.

By deploying GRAPELOADER as a stealthy initial-stage loader and updating WINELOADER with advanced obfuscation, APT29 increases its resilience against detection and forensic analysis.

Organizations are urged to update detection mechanisms using shared IoCs and reinforce user awareness against highly convincing social engineering attacks.

The persistent innovation in APT29’s TTPs signals an ongoing high threat level to diplomatic targets across the region.

Indicators of Compromise (IoCs)

Files (SHA256)

wine.zip                  653db3b63bb0e8c2db675cd047b737cefebb1c955bd99e7a93899e2144d34358
wine.exe                  420d20cddfaada4e96824a9184ac695800764961bad7654a6a6c3fe9b1b74b9a
ppcore.dll (GRAPELOADER)  d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164
vmtools.dll (WINELOADER)  adfe0ef4ef181c4b19437100153e9fe7aed119f5049e5489a36692757460b9f8

Network

Phishing domain           bakenhof[.]com
Phishing domain           silry[.]com
C2 server                 ophibre[.]com
C2 server                 bravecup[.]com
Download URL              hxxps://silry[.]com/inva.php
Download URL              hxxps://bakenhof[.]com/invb.php
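To put the table to work, the script below sweeps proxy-log lines and a file tree against these indicators. It is an added example for this write-up, not Check Point's tooling. The proxy-log lines, client addresses and the mail.ophibre.com subdomain are constructed to exercise the matching and were not observed; because the real samples are not available here, the hash match is exercised on a constructed file whose digest is added to the IoC set at run time.

```python
"""Sweep constructed proxy-log lines and a file tree against the IoCs listed
above.  Added example for this write-up, not Check Point's tooling.  The log
lines are constructed, not captured, and because the real samples are not
available here the hash match is exercised on a constructed file whose digest
is added to the IoC set at run time.
"""
import hashlib
import os
import re
import tempfile


def refang(indicator):
    """Turn the defanged form used in the table back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# SHA256 -> label, copied from the IoC table above.
IOC_HASHES = {
    "653db3b63bb0e8c2db675cd047b737cefebb1c955bd99e7a93899e2144d34358": "wine.zip",
    "420d20cddfaada4e96824a9184ac695800764961bad7654a6a6c3fe9b1b74b9a": "wine.exe",
    "d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164": "ppcore.dll (GRAPELOADER)",
    "adfe0ef4ef181c4b19437100153e9fe7aed119f5049e5489a36692757460b9f8": "vmtools.dll (WINELOADER)",
}
IOC_DOMAINS = {refang(d) for d in ("bakenhof[.]com", "silry[.]com", "ophibre[.]com", "bravecup[.]com")}
IOC_URL_PATHS = {("silry.com", "/inva.php"), ("bakenhof.com", "/invb.php")}

# Constructed proxy log (timestamp, client, method, URL); the subdomain, the
# internal addresses and the look-alike notsilry.com are invented, not observed.
SAMPLE_PROXY_LOG = """\
2025-01-14T09:12:03Z 10.0.4.21 GET https://www.example.org/news
2025-01-14T09:13:44Z 10.0.4.21 GET https://silry.com/inva.php
2025-01-14T09:14:02Z 10.0.4.21 POST https://ophibre.com/
2025-01-14T09:14:09Z 10.0.4.37 GET https://cdn.example.net/assets/app.js
2025-01-14T09:20:11Z 10.0.4.21 POST https://mail.ophibre.com/sync
2025-01-14T09:21:30Z 10.0.4.52 GET https://notsilry.com/inva.php
"""
_URL = re.compile(r"https?://([^/\s:]+)(/\S*)?", re.IGNORECASE)


def host_matches(host, domains):
    """Exact or subdomain match; 'notsilry.com' must not match 'silry.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(text):
    """Return (timestamp, client, host, kind) for each line touching an IoC domain."""
    hits = []
    for line in text.splitlines():
        m = _URL.search(line)
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2) or "/"
        if host_matches(host, IOC_DOMAINS):
            kind = "download URL" if (host, path) in IOC_URL_PATHS else "IoC domain"
            ts, client = line.split()[:2]
            hits.append((ts, client, host, kind))
    return hits


def sha256_file(path):
    """Stream the file through SHA256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree_for_hashes(root, hashes=IOC_HASHES):
    """Hash every regular file under `root`; return (path, label) for IoC matches."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            label = hashes.get(sha256_file(path))
            if label:
                matches.append((path, label))
    return matches


def build_sample_tree():
    """Constructed files (placeholders, not the real samples); returns
    (root, path of the file a caller may add to the IoC set for testing)."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    target = os.path.join(root, "Downloads", "wine.zip")
    os.makedirs(os.path.dirname(target))
    with open(target, "wb") as fh:
        fh.write(b"placeholder archive, not the real wine.zip")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"benign file")
    return root, target


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    sample_root, _target = build_sample_tree()
    print("hash matches against the table:", scan_tree_for_hashes(sample_root))  # none: placeholders
```

Matching on the host rather than the raw line is what lets the constructed mail.ophibre.com entry be caught while the look-alike notsilry.com is not; a plain substring search would get both wrong. Hash matching only catches the exact files in the table, so it confirms an infection rather than ruling one out; the side-loading bundle and Run-key checks described earlier remain the better hunt for repacked variants.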

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.