
GRAPELOADER Malware

The Russian state-supported hacking group APT29, also known as Cozy Bear or Midnight Blizzard, has launched a new phishing campaign targeting diplomatic entities across Europe. This campaign employs a reworked version of the WINELOADER Backdoor and a newly discovered malware loader, GRAPELOADER. The attackers use convincing email lures to trick recipients into executing a malicious ZIP archive disguised as an invitation to a wine-tasting event.

Meet this Malware: GRAPELOADER and WINELOADER

While WINELOADER acts as a modular backdoor in the later stages of infection, GRAPELOADER is the tool of choice for the initial stage. GRAPELOADER handles:

  • System fingerprinting
  • Persistence via Windows Registry modifications
  • Payload delivery to infected hosts

Once GRAPELOADER has established persistence, it enters an endless loop, contacting its Command-and-Control (C2) server every 60 seconds. During its initial communication it gathers key system details, including the UserName, ComputerName, ProcessName and ProcessPID. This information is packaged together with a hardcoded 64-character hexadecimal string, likely serving as a campaign or version identifier, and transmitted to the C2 server in an HTTPS POST request.

Despite their different roles, both tools share similar code structures and employ advanced obfuscation techniques, including string encryption and runtime API resolving. GRAPELOADER is considered a stealthier successor to ROOTSAW, an older HTA downloader.
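The fixed 60-second check-in described above is itself a detectable pattern. The following Python script is an added example, not code from the original article: it scans constructed proxy-log lines for HTTPS POST series whose inter-arrival times cluster tightly around 60 seconds, and ignores irregular traffic. The log format, host names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not from the article): 10.0.0.7 POSTs to one host at a
# near-constant 60 s period; the other series are normal browsing or irregular POSTs.
SAMPLE_LOG = """\
2025-04-15T09:00:00Z 10.0.0.7 POST beacon-host.invalid:443
2025-04-15T09:01:00Z 10.0.0.7 POST beacon-host.invalid:443
2025-04-15T09:02:01Z 10.0.0.7 POST beacon-host.invalid:443
2025-04-15T09:03:00Z 10.0.0.7 POST beacon-host.invalid:443
2025-04-15T09:04:00Z 10.0.0.7 POST beacon-host.invalid:443
2025-04-15T09:00:05Z 10.0.0.7 GET news.example:443
2025-04-15T09:00:09Z 10.0.0.7 GET news.example:443
2025-04-15T09:00:00Z 10.0.0.9 POST webmail.example:443
2025-04-15T09:00:30Z 10.0.0.9 POST webmail.example:443
2025-04-15T09:03:00Z 10.0.0.9 POST webmail.example:443
2025-04-15T09:03:05Z 10.0.0.9 POST webmail.example:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+):(\d+)$")

def parse(log):
    """Yield (timestamp, src, method, host, port) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4), int(m.group(5))

def find_beacons(log, expected=60.0, tolerance=0.1, min_events=4):
    """Return {(src, host): mean_gap} for POST-over-443 series whose gaps have
    both a mean and a spread within `tolerance` (fraction) of `expected`."""
    series = defaultdict(list)
    for ts, src, method, host, port in parse(log):
        if method == "POST" and port == 443:
            series[(src, host)].append(ts)
    hits = {}
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A low spread is the real signal: irregular POSTs can average 60 s too.
        if abs(avg - expected) <= expected * tolerance and pstdev(gaps) <= expected * tolerance:
            hits[key] = round(avg, 1)
    return hits
```

The webmail series averages close to 60 seconds but its gaps are 30, 150 and 5 seconds, so the spread test correctly discards it.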

Tactical Deception: From Wine-Tasting Lures to Malware Execution

The phishing emails, originating from the domains bakenhof.com and silry.com, impersonate a European Ministry of Foreign Affairs and invite recipients to a fake wine-tasting event. The attached ZIP archive, wine.zip, contains three key files:

  • AppvIsvSubsystems64.dll – A dependency used for DLL sideloading
  • wine.exe – A legitimate PowerPoint executable abused to launch the malware
  • ppcore.dll – The malicious DLL (GRAPELOADER) launched through sideloading

Once executed, the malware ensures persistence by modifying the registry to run wine.exe on every system boot.

A Wider Net: Beyond Europe’s Borders

The campaign primarily targets European Ministries of Foreign Affairs and embassies. However, evidence suggests that diplomatic personnel stationed in the Middle East may also be in the crosshairs. Researchers noted that GRAPELOADER not only exfiltrates system data to an external server but also paves the way for delivering WINELOADER as the primary payload. Updated versions of WINELOADER with matching compilation timestamps have surfaced, further tying the malware family together.

Conclusion: GRAPELOADER’s Role in APT29’s Arsenal

By replacing older tools with GRAPELOADER, APT29 showcases its continuous innovation in cyber espionage. This campaign exemplifies how sophisticated social engineering, coupled with stealthy malware design, remains a potent strategy for infiltrating high-value government targets.
