A sophisticated phishing campaign by the Russian-linked threat group APT29 has been actively targeting European diplomatic entities since January 2025, according to a recent security report. The campaign, believed to be a continuation of earlier operations that used the WINELOADER backdoor, now relies on a new malware loader called GRAPELOADER as its initial infection vector. Check Point researchers identified the campaign through continuous monitoring of APT29 activity, noting the significant similarities between this operation and previous campaigns attributed to the threat actor, which is also tracked as Midnight Blizzard and Cozy Bear.

The attackers, impersonating a major European Ministry of Foreign Affairs, send phishing emails containing invitations to diplomatic events, primarily wine-tasting gatherings. These emails include malicious links that, when clicked, download an archive (wine.zip) containing the GRAPELOADER malware. The infection chain uses DLL side-loading to execute the malicious code while evading detection by security solutions.

GRAPELOADER is an initial-stage tool designed to fingerprint the infected environment, establish persistence, and retrieve next-stage payloads, most likely the improved WINELOADER variant also discovered during the investigation.

The malware's evasion techniques include an elaborate approach to string obfuscation that effectively defeats common analysis tools: each string is handled by three unique functions tailored to that specific string, one that retrieves the encrypted byte blob, one that decrypts it, and a third that zeroes out the memory immediately after use. GRAPELOADER also implements runtime API resolving and DLL unhooking to bypass security monitoring. When executing shellcode, it temporarily marks the memory region as non-accessible during security scans before making it executable for malicious code execution.
This article was published on cybersecuritynews.com. Publication date: Wed, 16 Apr 2025 14:15:14 +0000