The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign targeting diplomatic entities across Europe with a new variant of WineLoader and a previously unreported malware loader called GrapeLoader.
“While the improved WineLoader variant is still a modular backdoor used in later stages, GrapeLoader is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery,” Check Point Research noted in a technical analysis published earlier this week.
“Despite their different roles, both share similarities in code structure, obfuscation, and string decryption. GrapeLoader refines WineLoader’s anti-analysis techniques while introducing more advanced stealth methods.”
The use of WineLoader was first documented by Zscaler ThreatLabz in February 2024, in connection with attacks that used wine-tasting lures to infect diplomatic staff.
While the campaign was initially attributed to an activity cluster named SPIKEDWINE, subsequent analysis by Google-owned Mandiant linked it to the hacking group APT29 (aka Cozy Bear or Midnight Blizzard), which is affiliated with Russia’s Foreign Intelligence Service (SVR).
The latest set of attacks involves sending emails that impersonate an unspecified European Ministry of Foreign Affairs with invitations to wine-tasting events, luring recipients into clicking a link that triggers the deployment of GrapeLoader via a booby-trapped archive (“wine.zip”). The emails were sent from the domains bakenhof(.)com and silry(.)com.
The campaign is said to have primarily targeted several European countries, with a particular focus on Ministries of Foreign Affairs, as well as the embassies of other countries in Europe. There are indications that diplomats based in the Middle East may also have been targeted.
The ZIP archive contains three files: a DLL (“AppvIsvSubsystems64.dll”) that serves as a dependency for launching a legitimate PowerPoint executable (“wine.exe”), which in turn is used to side-load a malicious DLL (“ppcore.dll”). The side-loaded malware functions as a loader (i.e., GrapeLoader) for dropping the main payload.
The malware achieves persistence by modifying the Windows Registry so that the “wine.exe” executable runs every time the system is restarted.
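As an added illustration (not code from the Check Point report), the following Python triages an archive for the side-loading bundle described above and checks a Run-key command for the persistence pattern; the archive contents are constructed stand-ins and the trusted-directory list is an assumption.

```python
import io
import zipfile

# DLL names the page lists inside "wine.zip"; both are names a legitimate
# PowerPoint executable would load from its own directory (side-load targets).
SIDELOAD_DLLS = {"appvisvsubsystems64.dll", "ppcore.dll"}
# Assumed allow-list of install locations; anything else is treated as user-writable.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def triage_archive(data: bytes) -> dict:
    """Flag a ZIP that ships an .exe next to DLLs the .exe would side-load."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower().rsplit("/", 1)[-1] for n in zf.namelist()]
    exes = [n for n in names if n.endswith(".exe")]
    hits = [n for n in names if n in SIDELOAD_DLLS]
    return {"exes": exes, "sideload_dlls": hits, "suspicious": bool(exes and hits)}


def suspicious_run_value(command: str) -> bool:
    """True when a Run-key command launches an .exe from outside the trusted dirs."""
    low = command.lower()
    if ".exe" not in low:
        return False
    exe = low.split(".exe", 1)[0].strip().lstrip('"') + ".exe"
    return not exe.startswith(TRUSTED_DIRS)


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure archive: three empty members, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("wine.exe", "AppvIsvSubsystems64.dll", "ppcore.dll"):
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_zip()))
    print(suspicious_run_value(r'"C:\Users\jdoe\AppData\Roaming\wine\wine.exe"'))
```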
GrapeLoader, in addition to incorporating anti-analysis techniques such as string obfuscation and runtime API resolution, is designed to collect basic information about the infected host and exfiltrate it to an external server in order to fetch the next stage.
While the exact nature of the payload is unclear, Check Point said it discovered updated WineLoader artifacts uploaded to VirusTotal with a compilation timestamp matching that of “AppvIsvSubsystems64.dll”.
“Given this, and the fact that GrapeLoader replaced ROOTSAW, the HTA downloader used in past campaigns to deliver WineLoader, we believe that GrapeLoader ultimately leads to the deployment of WineLoader,” the cybersecurity company said.
The findings come as HarfangLab detailed Gamaredon’s PteroLNK VBScript malware, which the Russian threat actor uses to infect all connected USB drives with a VBScript or PowerShell version of the malware. PteroLNK samples were uploaded to VirusTotal between December 2024 and February 2025 from Ukraine, the group’s primary target.
“Both tools repeatedly attempt to detect connected USB drives once deployed on a system, in order to drop LNK files and, in some cases, also a copy of PteroLNK,” HarfangLab noted in September 2024. “Clicking on the LNK file, depending on the specific PteroLNK version that created it, either directly retrieves the next stage from the C2 server or executes a copy of PteroLNK to download additional payloads.”
The French cybersecurity firm described the PteroLNK VBScript files as heavily obfuscated and responsible for dynamically constructing a downloader and an LNK dropper during execution. While the downloader is scheduled to run every 3 minutes, the LNK dropper script is configured to run every 9 minutes.
The downloader uses a modular, multi-stage structure to reach out to a remote server and retrieve additional malware. The LNK dropper, on the other hand, spreads across local and network drives, replacing existing .pdf, .docx, and .xlsx files in the root directory with deceptive shortcut counterparts and hiding the original files. These shortcuts, when launched, are designed to run PteroLNK.
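As an added example (not HarfangLab’s code), this Python flags the LNK-dropper footprint described above: a shortcut whose name matches a hidden .pdf, .docx or .xlsx file in the same directory. The two shortcut naming variants it checks are an assumption, and the listing at the end is constructed.

```python
import os
import stat

DOC_EXTS = (".pdf", ".docx", ".xlsx")  # the document types the dropper replaces


def find_shortcut_decoys(entries):
    """entries: iterable of (file name, is_hidden). Returns names of .lnk files
    that sit beside a hidden document of the same name (the dropper's footprint)."""
    names = [(n, h) for n, h in entries]
    hidden_docs = {n.lower() for n, h in names if h and n.lower().endswith(DOC_EXTS)}
    decoys = []
    for name, _ in names:
        low = name.lower()
        if not low.endswith(".lnk"):
            continue
        stem = low[:-len(".lnk")]
        # Assumption: the shortcut keeps the original name either with the
        # document extension ("report.pdf.lnk") or without it ("report.lnk").
        if stem in hidden_docs or any(stem + ext in hidden_docs for ext in DOC_EXTS):
            decoys.append(name)
    return sorted(decoys)


def list_entries(path):
    """Build (name, is_hidden) pairs for a directory; the hidden flag comes from
    the Windows file attributes and is always False on other platforms."""
    out = []
    with os.scandir(path) as it:
        for entry in it:
            attrs = getattr(entry.stat(), "st_file_attributes", 0)
            out.append((entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return out


# Constructed listing standing in for a drive root after the dropper has run.
SAMPLE_LISTING = [
    ("Budget 2025.xlsx", True), ("Budget 2025.xlsx.lnk", False),
    ("plan.pdf", True), ("plan.lnk", False),
    ("notes.docx", False), ("notes.lnk", False),  # original not hidden: benign
    ("readme.txt", False),
]

if __name__ == "__main__":
    print(find_shortcut_decoys(SAMPLE_LISTING))
```

On a live system, pass `list_entries(r"D:\")` (or another drive root) to `find_shortcut_decoys` instead of the constructed listing.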
“The scripts are designed to provide flexibility for their operators, making it easy to modify parameters such as file names and paths, persistence mechanisms (registry keys and scheduled tasks), and the logic for detecting security solutions on the target system,” HarfangLab said.
It is worth noting that the downloader and the LNK dropper reference the same two payloads that Symantec’s Threat Hunter Team, part of Broadcom, disclosed earlier this month as part of an attack chain distributing an updated version of the GammaSteel stealer:
- NTUSER.DAT.TMContainer000000000000001.regtrans-ms (downloader)
- NTUSER.DAT.TMContainer0000000000000002.regtrans-ms (LNK dropper)
“Gamaredon operates as a critical component of Russia’s cyber operations strategy, particularly in its ongoing war with Ukraine,” the company said. “Gamaredon’s effectiveness lies not in technical sophistication, but in tactical adaptability.”
“Their modus operandi combines aggressive spear-phishing campaigns, rapid deployment of heavily obfuscated custom malware, and redundant C2 infrastructure. The group prioritizes operational impact over stealth, as shown by its continued reliance on long-standing domains publicly linked to its operations.”