Russian APT29 Unleashes Stealthy GrapeLoader in Phishing Attacks on European Embassies

Russian-backed hacking group Midnight Blizzard (also known as APT29 or Cozy Bear) is behind a spear-phishing campaign targeting European diplomatic missions with a new malware loader called GrapeLoader.

The attack starts with a fake email invitation to a wine-tasting event, which, if recipients meet certain conditions, delivers a malicious ZIP file containing a weaponized PowerPoint executable and a trojanized DLL.

Through DLL sideloading, GrapeLoader is deployed to gather system info, establish persistence, and load shellcode directly into memory while evading detection.
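The sideloading step described above can be spotted on the endpoint: an Office binary that is supposed to live under Program Files is instead running from a user-writable folder and loading an unsigned DLL from that same folder. The following is an added example, not code from the article or from Check Point's report; the log field names, the Office image name and the sample events are all constructed assumptions rather than a real product schema or real telemetry.

```python
# Added example (not from the article or Check Point's report): a heuristic
# for the sideloading pattern described above. It flags a process whose image
# name looks like PowerPoint, runs from a user-writable location, and loads an
# unsigned DLL from its own directory. Records are constructed in a
# Sysmon-like image-load shape; field names are assumptions.
import ntpath

OFFICE_IMAGES = {"powerpnt.exe"}  # assumed PowerPoint binary name
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def is_user_writable(path: str) -> bool:
    """Coarse check for locations a phished user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def suspicious_sideload(event: dict) -> bool:
    """True when an Office image outside its install directory loads an
    unsigned DLL that sits beside it (the shape of the ZIP-delivered chain)."""
    image = event["Image"]
    loaded = event["ImageLoaded"]
    if ntpath.basename(image).lower() not in OFFICE_IMAGES:
        return False
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    return is_user_writable(image) and same_dir and not event.get("Signed", False)


def scan(events):
    """Return the events that match the sideloading heuristic."""
    return [e for e in events if suspicious_sideload(e)]


# Constructed sample events, not real telemetry; the DLL name is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": True},
    {"Image": r"C:\Users\alice\Downloads\wine-tasting\POWERPNT.EXE",
     "ImageLoaded": r"C:\Users\alice\Downloads\wine-tasting\PLACEHOLDER.dll",
     "Signed": False},
    {"Image": r"C:\Users\alice\Downloads\wine-tasting\POWERPNT.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("possible DLL sideload:", hit["Image"], "->", hit["ImageLoaded"])
```

Only the second constructed event matches: the legitimately installed PowerPoint loading a signed system DLL, and the relocated binary loading a signed DLL from System32, are both left alone.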

This loader replaces the older RootSaw tool and is engineered for stealth, employing memory protection tricks and delays to slip past antivirus systems.

It then delivers WineLoader, a modular backdoor that collects sensitive system details and evaluates targets for further compromise, all while using heavy obfuscation to resist analysis.

Check Point’s analysis highlights how APT29 continues to evolve its methods, making detection and response increasingly difficult for defenders.
