CITY — May 8, 2024 —
A new phishing campaign attributed to the Russian state-sponsored group APT29 is actively targeting diplomatic entities across Europe with a previously undocumented loader, GRAPELOADER. The attacks use wine-tasting event lures and malicious ZIP archives to get a foothold on the target's machine. According to Check Point Research, GRAPELOADER is an initial-stage tool that fingerprints the host and fetches the next stage, paving the way for the WINELOADER backdoor; the details follow below.
APT29 Targets European Diplomats with New GRAPELOADER Malware
A complex phishing campaign, attributed to the Russian state-sponsored threat actor APT29, is actively targeting diplomatic entities across Europe. The campaign employs a novel malware loader, dubbed GRAPELOADER, alongside an updated variant of the WINELOADER backdoor.
GRAPELOADER: A New Tool in APT29’s Arsenal
Check Point researchers have identified GRAPELOADER as a previously undocumented initial-stage tool. According to their technical analysis, GRAPELOADER is designed for fingerprinting systems, establishing persistence, and delivering malicious payloads. "While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery," Check Point stated in their report.
Despite their distinct roles, GRAPELOADER and WINELOADER share similarities in code structure, obfuscation techniques, and string decryption methods. GRAPELOADER enhances WINELOADER's anti-analysis capabilities while introducing more advanced stealth tactics.
Wine-Tasting Lures and Malicious ZIP Archives
The attackers are using email invitations, masquerading as communications from a European Ministry of Foreign Affairs, to entice targets to wine-tasting events. These emails contain a link that, when clicked, initiates the deployment of GRAPELOADER via a malware-laden ZIP archive named "wine.zip." The emails originate from the domains bakenhof[.]com and silry[.]com.
The campaign primarily targets Ministries of Foreign Affairs in multiple European countries, as well as embassies located in Europe. There are also indications that diplomats based in the Middle East may be targeted.
Technical Breakdown of the Attack
The “wine.zip” archive contains three key files:
- AppvIsvSubsystems64.dll: A legitimate DLL that acts as a dependency for the PowerPoint executable.
- wine.exe: A legitimate PowerPoint executable that is abused for DLL side-loading.
- ppcore.dll: A malicious DLL that functions as GRAPELOADER and drops the main payload.
The attack relies on DLL side-loading, a technique in which a legitimate application (wine.exe) is tricked into loading a malicious DLL (ppcore.dll) from its own directory in place of the library it expects. Because wine.exe is a genuine PowerPoint binary, the process itself looks benign; the telltale sign is ppcore.dll being loaded from the archive's extraction directory rather than from an Office installation. GRAPELOADER achieves persistence by modifying the Windows Registry so that wine.exe is launched again after a system reboot.
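Two checks a responder could run against the chain described above, written here as an added example rather than code from Check Point's report or from the campaign itself: the first inspects a ZIP for the executable-plus-DLLs shape of a side-loading kit and for the three member names reported for wine.zip; the second parses `reg query` output for a Run key and flags values that launch wine.exe or point into user-writable directories. The article does not name the registry location, so the Run key is an assumption; the archive contents, the registry listing, the value names and the path C:\Users\diplomat\AppData\Local\Temp\wine\wine.exe are all constructed for the example.

```python
"""Added example: checks for the wine.zip side-loading kit and its Run-key
persistence. Not Check Point's tooling; all sample data below is constructed."""
import io
import re
import zipfile

# Member names the article reports for wine.zip.
REPORTED_TRIAD = {"wine.exe", "ppcore.dll", "AppvIsvSubsystems64.dll"}


def triad_in_archive(zip_bytes: bytes) -> dict:
    """Report whether a ZIP packages an executable together with DLLs (the
    shape of a DLL side-loading kit) and whether its member names match the
    ones reported for wine.zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i.filename.rsplit("/", 1)[-1] for i in zf.infolist() if not i.is_dir()]
    has_exe = any(m.lower().endswith(".exe") for m in members)
    has_dll = any(m.lower().endswith(".dll") for m in members)
    return {
        "members": members,
        "exe_with_dlls": has_exe and has_dll,
        "matches_reported_names": REPORTED_TRIAD.issubset(members),
    }


def build_sample_archive() -> bytes:
    """Constructed stand-in for wine.zip: the reported names, placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(REPORTED_TRIAD):
            zf.writestr(name, b"MZ placeholder, not a real binary")
    return buf.getvalue()


# Constructed `reg query HKCU\...\Run` output; value names and paths are made up.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ           "C:\Users\diplomat\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    wine              REG_SZ           C:\Users\diplomat\AppData\Local\Temp\wine\wine.exe
"""

# Directories an unprivileged user can write to; a Run value pointing here is
# context, not proof, since many legitimate updaters live under AppData too.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def executable_of(command: str) -> str:
    """Return the program path from a Run value (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def suspicious_run_entries(reg_output: str, watched=("wine.exe",)) -> list:
    """Parse `reg query` lines (name, type, data separated by runs of spaces)
    and return entries whose program has a watched file name or lives under a
    user-writable directory, with the reason(s) for each."""
    findings = []
    for line in reg_output.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) != 3 or not parts[1].startswith("REG_"):
            continue  # key header, blank line or something that is not a value
        name, _, data = parts
        exe = executable_of(data)
        reasons = []
        if exe.replace("/", "\\").rsplit("\\", 1)[-1].lower() in watched:
            reasons.append("watched executable name")
        if USER_WRITABLE.search(exe):
            reasons.append("user-writable path")
        if reasons:
            findings.append({"name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(triad_in_archive(build_sample_archive()))
    for finding in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(finding)
```

On a live host, feed `suspicious_run_entries` the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) instead of the constructed listing. Treat a "user-writable path" reason on its own as context only; the watched-name match, or an executable whose directory also holds an unexpected ppcore.dll, is the actionable signal.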
GRAPELOADER’s Capabilities and Connection to WINELOADER
GRAPELOADER incorporates anti-analysis techniques, such as string obfuscation and runtime API resolution, to evade detection and hinder static analysis. It collects basic information about the infected host and transmits it to an external server in order to retrieve the next-stage shellcode.
Check Point believes that GRAPELOADER is the first link in a chain ending with WINELOADER. "With this information, and the fact that GRAPELOADER replaced ROOTSAW, an HTA downloader used in past campaigns to deliver WINELOADER, we believe that GRAPELOADER ultimately leads to the deployment of WINELOADER," the cybersecurity company stated.
Gamaredon's PteroLNK: Another Russian Threat
In related news, HarfangLab has detailed Gamaredon's PteroLNK VBScript malware, which is used to infect connected USB drives. This malware targets Ukraine, a primary focus of the hacking group.
ESET noted that "both tools, when deployed on a system, repeatedly attempt to detect connected USB drives, to drop LNK files and in certain specific cases also a copy of PteroLNK onto them."
Clicking on an LNK file can retrieve the next stage from a command-and-control server or execute a PteroLNK copy to download additional payloads.
The PteroLNK VBScript files are heavily obfuscated and dynamically construct a downloader and an LNK dropper during execution. The downloader fetches additional malware, while the LNK dropper propagates through local and network drives, replacing existing files with deceptive shortcuts.
HarfangLab explained: "The scripts are designed to allow versatility for their operators, enabling easy modification of parameters such as file names and paths, persistence mechanisms (registry keys and scheduled tasks), and detection logic for security solutions on the target system."
GammaSteel Stealer and Gamaredon's Tactics
The downloader and LNK dropper used by PteroLNK are linked to an attack chain distributing an updated version of the GammaSteel stealer. The specific files involved are:
- NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms (Downloader)
- NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms (LNK dropper)
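Two file-system heuristics that follow from the behaviour described above (the LNK dropper that replaces existing files and folders with same-named shortcuts, and the downloader and dropper stored under .regtrans-ms names that belong to registry transaction logs), written as an added example and not taken from HarfangLab's or ESET's tooling. The fixture directory it builds is constructed: the .lnk bodies are placeholders rather than real shortcuts, and the "script" planted in the log-named file is a single inert line.

```python
"""Added example: two file-system heuristics for PteroLNK-style artefacts.
Not HarfangLab's code; the fixture tree is constructed and inert."""
import os
import re
import tempfile
from pathlib import Path

# Keywords one expects in a VBScript downloader and never in a genuine
# registry transaction log, which is binary data.
SCRIPT_MARKERS = re.compile(rb"CreateObject|WScript\.|ExecuteGlobal|MSXML2\.", re.I)


def mirrored_shortcuts(root: str) -> list:
    """Return .lnk files (relative to root) whose stem equals another entry
    in the same directory: "Photos.lnk" beside a "Photos" folder,
    "report.docx.lnk" beside "report.docx". That collision is what a dropper
    leaves when it hides the original and puts a same-named shortcut next to it."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = set(dirnames) | set(filenames)
        for fn in filenames:
            if fn.lower().endswith(".lnk") and fn[:-4] in entries:
                hits.append(os.path.relpath(os.path.join(dirpath, fn), root))
    return sorted(hits)


def script_in_regtrans(root: str) -> list:
    """Return *.regtrans-ms files (relative to root) whose first bytes are
    script text rather than binary log data."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".regtrans-ms"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            # Real transaction logs contain NUL bytes; script text does not.
            if b"\x00" not in head and SCRIPT_MARKERS.search(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed fixture resembling an infected removable drive."""
    root = tempfile.mkdtemp(prefix="ptero_demo_")
    Path(root, "Photos").mkdir()                       # original folder (hidden on a real drive)
    Path(root, "Photos.lnk").write_bytes(b"L\x00\x00\x00 placeholder shortcut")
    Path(root, "report.docx").write_bytes(b"PK placeholder document")
    Path(root, "report.docx.lnk").write_bytes(b"L\x00\x00\x00 placeholder shortcut")
    Path(root, "unrelated.lnk").write_bytes(b"L\x00\x00\x00 placeholder shortcut")  # no sibling: benign
    # Script text under the downloader's reported file name (one inert line).
    Path(root, "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms").write_text(
        'Set sh = CreateObject("WScript.Shell")\n', encoding="ascii")
    # Binary-looking content under a log-style name: not flagged.
    Path(root, "genuine-looking.regtrans-ms").write_bytes(b"\x00\x01\x02\x03 placeholder log")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("mirrored shortcuts:", mirrored_shortcuts(demo_root))
    print("script in .regtrans-ms:", script_in_regtrans(demo_root))
```

On Windows the original file or folder next to the decoy is typically hidden; adding a check of `os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN` on the sibling cuts false positives from users who legitimately keep a shortcut beside a file of the same name.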
According to Broadcom's Symantec Threat Hunter team, Gamaredon operates as a critical component of Russia's cyber operations strategy, particularly in its ongoing war with Ukraine.
The group’s effectiveness stems from tactical adaptability rather than technical sophistication.
"Their modus operandi combines aggressive spearphishing campaigns, rapid deployment of heavily obfuscated custom malware, and redundant C2 infrastructure. The group prioritizes operational impact over stealth, exemplified by pointing their DDRs to long-standing domains publicly linked to their past operations," the company added.