Starting in January 2025, Check Point Research (CPR) has been tracking a wave of targeted phishing attacks aimed at European governments and diplomats. The Tactics, Techniques and Procedures (TTPs) observed in this campaign align with the WINELOADER campaigns, which were attributed to APT29, a Russia-linked threat group.
APT29, also commonly referred to as Midnight Blizzard or Cozy Bear, is known for targeting high-profile organizations, including government agencies and think tanks. Their operations vary from targeted phishing campaigns to high-profile supply chain attacks that utilize a large array of both custom and commercial malware. The threat group is also associated with the SolarWinds supply chain attack.
In this current wave of attacks, the threat actors impersonate a major European Ministry of Foreign Affairs to send out invitations to wine tasting events, prompting targets to click a web link leading to the deployment of a new backdoor called GRAPELOADER. This campaign appears to be focused on targeting European diplomatic entities, including non-European countries’ embassies located in Europe.
In addition to GRAPELOADER, we discovered a new variant of WINELOADER active in this campaign. Its compilation timestamp, as well as its similarity to the newly discovered GRAPELOADER, suggests it was likely used in a later phase of the attack.
Approximately one year after the last iteration of the WINELOADER campaign, APT29 launched a new wave of phishing emails impersonating a European Ministry of Foreign Affairs, sending emails on their behalf with an invitation to wine tasting events. The emails contained a malicious link that led, in some cases, to the download of an archive, eventually leading to the deployment of GRAPELOADER. In other cases, the link in the phishing emails redirects to the official website of the impersonated Ministry of Foreign Affairs.
Throughout the campaign, the targets include multiple European countries with a specific focus on Ministries of Foreign Affairs, as well as other countries’ embassies in Europe. In addition to the emails we’ve identified, we found indications of limited targeting outside of Europe, including of diplomats based in the Middle East.
These identified emails were sent from at least two distinct domains, `bakenhof[.]com` and `silry[.]com`, with the sender’s address impersonating a specific person in the mimicked Ministry of Foreign Affairs. Each email contained a malicious link that, when clicked, initiated the download of `wine.zip` for the next stage of the attack. The domain hosting the link was the same domain used for sending the email. In cases where the initial attempt was unsuccessful, additional waves of emails were sent to increase the likelihood of getting the victim to click the link and compromise their machine.
We identified several emails sent as part of the campaign, almost all of them with the theme of wine-tasting events:
The server hosting the link is believed to be highly protected against scanning and automated analysis solutions, with the malicious download triggered only under certain conditions, such as specific times or geographic locations. When accessed directly, the link redirects to the official website of the impersonated Ministry of Foreign Affairs.
The `wine.zip` archive contains three files:

- `wine.exe`, a legitimate PowerPoint executable that is abused for DLL side-loading.
- `AppvIsvSubsystems64.dll`, which is bloated with junk code and serves only as a required dependency for the PowerPoint executable to run.
- `ppcore.dll`, which functions as a loader. We call it GRAPELOADER, as it is likely used to deliver WINELOADER in later phases of the attack.
Once `wine.exe` is executed and the GRAPELOADER DLL is side-loaded, the malware copies the contents of the `wine.zip` archive to a new location on the disk. It then gains persistence by modifying the Windows registry’s Run key, ensuring that `wine.exe` is executed automatically every time the system reboots.
Next, GRAPELOADER collects basic information about the infected host, such as the host name and username. This collected data is then sent to the Command and Control (C2) server, where it waits for the next-stage shellcode to be delivered.
In addition, in proximity to GRAPELOADER phishing emails, a new variant of the WINELOADER was submitted to VirusTotal. The newly discovered variant shares the same Rich-PE headers and a compilation timestamp closely matching that of `AppvIsvSubsystems64.dll`, suggesting they were likely part of the same attack flow. With this information, and the fact that GRAPELOADER replaced ROOTSAW, an HTA downloader used in past campaigns to deliver WINELOADER, we believe that GRAPELOADER ultimately leads to the deployment of WINELOADER.
**WINELOADER** is a well-known modular backdoor that is part of the APT29 toolset, but **GRAPELOADER** is a newly observed tool designed for the initial stage of an attack. It is primarily used for fingerprinting the infected environment, establishing persistence, and retrieving the next-stage payload. Despite their differences in purpose, a closer analysis reveals that the new WINELOADER variant and the GRAPELOADER share many similarities, particularly in code structure, obfuscation techniques, and string decryption processing.
A comparison of older and newer WINELOADER versions suggests that this backdoor has continued to evolve, not only preserving its core capabilities but also refining techniques from its earlier iterations. GRAPELOADER not only incorporates and enhances some of these advanced techniques, such as DLL unhooking, API resolving, code obfuscation, and string obfuscation, but also introduces entirely new methods to further improve its stealth and effectiveness.
GRAPELOADER is delivered as a 64-bit DLL (`ppcore.dll`) with two exported functions: `PPMain` and `DllGetLCID`. `DllGetLCID` contains only mutated junk code (valid instructions that perform time-consuming mathematical operations within large loops); its primary purpose appears to be code bloating. A similar technique is used in `AppvIsvSubsystems64.dll`, which serves solely as a required dependency for the PowerPoint executable (`wine.exe`) to run. The `PPMain` function is what actually triggers the malicious execution.
This DLL is executed via **DLL side-loading** through **Delayed Imports** of `wine.exe`, functioning as an initial-stage downloader. As execution occurs through the exported `PPMain` function rather than `DllEntryPoint`, it does not operate under the loader lock.
**Anti-Analysis Techniques**
Throughout its code, GRAPELOADER employs several anti-analysis techniques, including:
**Persistence Mechanism**
Malicious execution begins by setting up **persistence**, but only if the process’s **current working directory** is **not** `C:\Windows\System32`. This check prevents persistence from being established when executed via tools like `rundll32.exe`, though the malware is still executed. If persistence is required, GRAPELOADER:

1. Copies the contents of `wine (2).zip` to `C:\Users\User\AppData\Local\POWERPNT`.
2. Adds an entry named `POWERPNT` under `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, pointing to `C:\Users\User\AppData\Local\POWERPNT\wine.exe`.
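One way to hunt for this persistence in a registry export, as an added example that is not code from the report: the Python below parses a `.reg`-style dump of a user's Run key and classifies each entry by where its executable lives. The `POWERPNT` directory name mirrors the case above; extending the check to other Office executable names (WINWORD, EXCEL, and so on) is an assumption made for broader hunting, and the sample export is constructed.

```python
import re
from typing import List, Tuple

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# POWERPNT is the name used in the report; the other Office executable names
# are an assumption to catch the same trick with a different lookalike folder.
OFFICE_BINARY_NAMES = {"POWERPNT", "WINWORD", "EXCEL", "OUTLOOK", "ONENOTE", "MSACCESS"}

# Constructed .reg export of a user's Run key (not a real system dump); only the
# POWERPNT entry mirrors the persistence described in the report.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\User\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"POWERPNT"="C:\\Users\\User\\AppData\\Local\\POWERPNT\\wine.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_EXE_RE = re.compile(r'\s*"?(.+?\.exe)"?', re.IGNORECASE)


def _unescape(value: str) -> str:
    """Undo .reg string escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_run_entries(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, command line) pairs found under any ...\\Run key."""
    entries, in_run_key = [], False
    for line in reg_text.splitlines():
        km = _KEY_RE.match(line.strip())
        if km:
            in_run_key = km.group(1).lower().endswith(RUN_KEY_SUFFIX)
            continue
        vm = _VALUE_RE.match(line.strip())
        if in_run_key and vm:
            entries.append((vm.group(1), _unescape(vm.group(2))))
    return entries


def classify_run_target(command: str) -> Tuple[str, str]:
    """Map a Run command line to (executable path, verdict)."""
    m = _EXE_RE.match(command)
    if not m:
        return command, "no_exe_path"
    path = m.group(1)
    parts = path.split("\\")
    parent = parts[-2].upper() if len(parts) > 1 else ""
    in_user_profile = "\\USERS\\" in path.upper()
    if in_user_profile and parent in OFFICE_BINARY_NAMES:
        # A folder named like an Office binary inside a user profile is the
        # pattern the report describes; Office itself installs under Program Files.
        return path, "office_lookalike_in_user_profile"
    if in_user_profile:
        return path, "user_profile_binary"
    return path, "other"


def hunt_run_key(reg_text: str) -> List[Tuple[str, str, str]]:
    """(value name, executable path, verdict) for every Run entry in the export."""
    return [(name, *classify_run_target(cmd)) for name, cmd in parse_run_entries(reg_text)]
```

The middle tier (`user_profile_binary`) exists because legitimate per-user software such as OneDrive also autostarts from `AppData\Local`; only the Office-lookalike folder is a strong signal on its own, the rest is triage input.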
**C2 Communication**
After establishing persistence, the malicious code enters an infinite loop, polling its **C2 server** every **60 seconds**. Initially, it collects information on the environment, including: `UserName`, `ComputerName`, `ProcessName`, and `ProcessPID`. Together with the **hardcoded 64-character hexadecimal string** `e55c854d77279ed516579b91315783edd776ac0ff81ea4cc5b2b0811cf40aa63` (believed to function as a **campaign/version tag**) the collected data are structured like this:
```c
struct CollectedEnvironmentInfo {
    BYTE  UserName[512];
    BYTE  ComputerName[512];
    BYTE  ProcessName[512];
    DWORD ProcessPID;
    BYTE  HardcodedHexString[64];
    DWORD GenRandNumFromSystemTime;
};
```
This structure is sent via an **HTTPS POST** request to the C2 server `https[:]//ophibre[.]com/blog.php` using the **User-Agent** string `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36`.
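The following Python is an added example (not code from the report or from the malware) showing how a responder can split a captured POST body into the `CollectedEnvironmentInfo` fields described above and check for the hardcoded tag. The wire layout (packed, little-endian, NUL-padded fixed buffers in the order listed) is an assumption, and the sample body is constructed.

```python
import struct
from typing import Dict, Optional

# 64-character hexadecimal tag quoted in the report (believed campaign/version tag).
KNOWN_TAG = "e55c854d77279ed516579b91315783edd776ac0ff81ea4cc5b2b0811cf40aa63"

# Assumed wire layout: packed, little-endian, fixed-size NUL-padded buffers,
# in the order the report lists the struct members.
BEACON_FMT = "<512s512s512sI64sI"
BEACON_LEN = struct.calcsize(BEACON_FMT)   # 1608 bytes


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded fixed-size buffer."""
    return buf.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def build_beacon(user: str, host: str, proc: str, pid: int,
                 tag: str = KNOWN_TAG, rnd: int = 0x1234ABCD) -> bytes:
    """Constructed sample POST body (not a real capture) in the assumed layout."""
    return struct.pack(BEACON_FMT, user.encode(), host.encode(), proc.encode(),
                       pid, tag.encode("ascii"), rnd)


def parse_beacon(body: bytes) -> Optional[Dict[str, object]]:
    """Split a POST body into the struct fields; None if the size does not match."""
    if len(body) != BEACON_LEN:
        return None
    user, host, proc, pid, tag, rnd = struct.unpack(BEACON_FMT, body)
    return {
        "user_name": _cstr(user),
        "computer_name": _cstr(host),
        "process_name": _cstr(proc),
        "process_pid": pid,
        "tag": tag.decode("ascii", errors="replace"),
        "random": rnd,
    }


def classify_post_body(body: bytes) -> str:
    """Triage verdict for one POST body seen on the wire."""
    info = parse_beacon(body)
    if info is None:
        return "not_grapeloader_beacon"
    if info["tag"] == KNOWN_TAG:
        return "grapeloader_known_tag"
    try:
        int(info["tag"], 16)
        return "grapeloader_like_unknown_tag"   # same shape, different 64-hex tag
    except ValueError:
        return "not_grapeloader_beacon"
```

Matching on the body size and the 64-hex tag position rather than on the exact tag value lets the same check survive a tag change between waves, which is why the unknown-tag verdict is kept separate.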
**Shellcode Execution & Evasion Technique**
Only after receiving data from the C2 server does GRAPELOADER proceed with further execution. The payload is expected to be a **non-encrypted**, **memory-independent shellcode**, which is executed entirely in-memory without being written to disk.
To evade **memory scanning** of AV/EDR solutions, GRAPELOADER implements a well-known technique:
1. Allocates a memory region for the shellcode with `PAGE_READWRITE` protection.
2. Changes the region's protection to `PAGE_NOACCESS` using `NtProtectVirtualMemory`.
3. Creates a suspended thread with `CreateThread`, with `lpStartAddress` pointing to the beginning of the non-accessible memory region.
4. Calls `Sleep`.
5. Changes the region's protection to `PAGE_EXECUTE_READWRITE` using `NtProtectVirtualMemory`.
6. Resumes the thread with `ResumeThread`.
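To a hook-based EDR or sandbox, the sequence above appears as an ordered set of API calls on one memory region. As an added example that is not from the report, the Python below runs a small state machine over a constructed API trace and flags any region that goes through exactly the RW, NOACCESS, suspended-thread-at-region-start, RWX, ResumeThread order; the trace record format is an assumption, and a benign RW-to-RX transition is included to show it does not fire.

```python
from typing import Dict, List, Optional

# Win32 memory protection constants and the thread creation flag involved.
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
CREATE_SUSPENDED = 0x00000004

# Constructed API trace (the record format is an assumption, not a real EDR log).
# Region 0x7FF600020000 follows the sequence described in the report;
# region 0x7FF600100000 is a benign JIT-style RW -> RX transition.
SAMPLE_TRACE: List[Dict] = [
    {"api": "VirtualAlloc", "base": 0x7FF600100000, "size": 0x1000, "protect": PAGE_READWRITE},
    {"api": "NtProtectVirtualMemory", "address": 0x7FF600100000, "protect": PAGE_EXECUTE_READ},
    {"api": "CreateThread", "start_address": 0x7FF600100000, "flags": 0, "handle": 0x200},
    {"api": "VirtualAlloc", "base": 0x7FF600020000, "size": 0x4000, "protect": PAGE_READWRITE},
    {"api": "NtProtectVirtualMemory", "address": 0x7FF600020000, "protect": PAGE_NOACCESS},
    {"api": "CreateThread", "start_address": 0x7FF600020000, "flags": CREATE_SUSPENDED, "handle": 0x204},
    {"api": "Sleep", "milliseconds": 10000},
    {"api": "NtProtectVirtualMemory", "address": 0x7FF600020000, "protect": PAGE_EXECUTE_READWRITE},
    {"api": "ResumeThread", "handle": 0x204},
]


def detect_guarded_shellcode(trace: List[Dict]) -> List[int]:
    """Return base addresses of regions that went RW -> NOACCESS -> suspended
    thread starting inside the region -> RWX -> ResumeThread, in that order."""
    regions: Dict[int, Dict] = {}    # base -> {"size": ..., "stage": ...}
    threads: Dict[int, int] = {}     # thread handle -> region base
    hits: List[int] = []

    def owner(addr: int) -> Optional[int]:
        for base, r in regions.items():
            if base <= addr < base + r["size"]:
                return base
        return None

    for ev in trace:
        api = ev["api"]
        if api == "VirtualAlloc" and ev["protect"] == PAGE_READWRITE:
            regions[ev["base"]] = {"size": ev["size"], "stage": 1}
        elif api == "NtProtectVirtualMemory":
            base = owner(ev["address"])
            if base is None:
                continue
            r = regions[base]
            if r["stage"] == 1 and ev["protect"] == PAGE_NOACCESS:
                r["stage"] = 2
            elif r["stage"] == 3 and ev["protect"] == PAGE_EXECUTE_READWRITE:
                r["stage"] = 4
        elif api == "CreateThread":
            base = owner(ev["start_address"])
            if (base is not None and regions[base]["stage"] == 2
                    and ev["flags"] & CREATE_SUSPENDED):
                regions[base]["stage"] = 3
                threads[ev["handle"]] = base
        elif api == "ResumeThread":
            base = threads.get(ev["handle"])
            if base is not None and regions[base]["stage"] == 4:
                regions[base]["stage"] = 5
                hits.append(base)
    return hits
```

The `Sleep` call is deliberately not part of the match: its duration is tunable by the operator, while the protection transitions and the suspended thread parked on an inaccessible page are what the technique cannot do without.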
As this campaign is **highly targeted**, using `CollectedEnvironmentInfo` to fingerprint infected machines, and because the execution of the next-stage payload leaves no **persistent** traces, we were unable to retrieve the next-stage shellcode.
The new WINELOADER variant (`vmtools.dll`) is a 64-bit trojanized DLL with **964** exported functions, but only one of them serves as the intended entry point for malicious execution. Interestingly, the **Export Directory** exhibits RVA duplicity: each pair of exported functions shares the same RVA. This means that the DLL really contains “only” **482 unique** exports.
Another notable characteristic is the “**RWX**” (Read-Write-Execute) flag on the `.text` section. This is a strong indication of self-modifying code, which is typically part of the unpacking process.
The DLL’s name, `vmtools.dll`, along with its exported function names, suggests that it was designed to be deployed alongside a benign, vulnerable executable, leveraging **DLL side-loading** to execute malicious code.
While we could not acquire the exact main module used to load this DLL, our research quickly revealed that a similar library (same DLL name and exports) is frequently used by executables that are part of the VMware Tools installer.
However, finding the correct version of the vulnerable module was a challenge. Because this DLL is trojanized, most of the exported functions contained garbage instructions, making it difficult to identify the intended function before the loader triggers one of the broken exports. The process was akin to finding a needle in a haystack.
To bypass this issue, we opted for an **emulation approach**, systematically **brute-forcing** all exported functions while monitoring for **behavioral anomalies**. This strategy quickly led us to the intended function, `Str_Wcscpy`, which initiates malicious execution.
**WINELOADER Unpacking**
A deeper analysis of `Str_Wcscpy` confirmed that it serves as an unpacking routine, similar to the one observed in previous WINELOADER versions.
As in earlier versions, the **core module** is unpacked via **RC4 decryption**, using a **hardcoded 256-byte key** (see **Appendix A**). The same RC4 key and algorithm are also used for string decryption and C2 communication.
**C2 Communication**
After unpacking, the core module of WINELOADER gathers information on the environment from the infected machine, including: `IPAddress`, `ProcessName`, `UserName`, `ComputerName`, `ProcessPID`, `ProcessToken`, and structures the data like this:
```c
struct CollectedEnvironmentInfo {
    WORD  PaddingLength;
    BYTE  PaddingBytes[PaddingLength];
    QWORD PossibleCampaignID;
    QWORD PossibleSessionID;
    BYTE  IPAddress[14];
    BYTE  ProcessName[512];
    BYTE  UserName[512];
    BYTE  ComputerName[30];
    DWORD ProcessPID;
    BYTE  ProcessTokenElevationType;
    QWORD PollingInterval;
    BYTE  RequestType;
    QWORD MessageLength;
    QWORD Unknown;
    QWORD PossibleModuleID;
    BYTE  Message[MessageLength];
};
```
This structure is **almost identical** to the one seen in previous WINELOADER versions. Initially, this data is **RC4-encrypted** with the embedded hardcoded key (see **Appendix A**) before being transmitted via an **HTTPS GET** request to the C2 server `https[:]//bravecup[.]com/view.php` using the **User-Agent** string `Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.2151.25 Safari/537.36 Edg/119.0.2151.25`.
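The RC4 usage described in the unpacking section and the length-prefixed beacon layout above can be exercised together. The Python below is an added example, not code from the report or from the malware: a plain RC4 routine, a constructed beacon in the described layout, and a decoder that decrypts and walks the variable-length structure. `SAMPLE_KEY` is a constructed stand-in for the 256-byte key in Appendix A (the real key is not reproduced here), and the packed little-endian layout is an assumption.

```python
import struct
from typing import Dict, Optional

# Constructed stand-in for the 256-byte key from Appendix A; the real key is not
# reproduced here. Any 256-byte key exercises the same code path.
SAMPLE_KEY = bytes((i * 73 + 11) & 0xFF for i in range(256))

# Fixed-size part that follows the variable-length padding, in the order the
# report lists the struct members; assumed packed and little-endian.
FIXED_FMT = "<QQ14s512s512s30sIBQBQQQ"
FIXED_LEN = struct.calcsize(FIXED_FMT)    # 1122 bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                            # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _cstr(buf: bytes) -> str:
    return buf.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def build_beacon(ip: str, proc: str, user: str, host: str, pid: int,
                 message: bytes, padding: bytes = b"\xAA" * 7) -> bytes:
    """Constructed plaintext beacon (not a real capture) in the assumed layout."""
    fixed = struct.pack(FIXED_FMT, 0x1111, 0x2222, ip.encode(), proc.encode(),
                        user.encode(), host.encode(), pid, 1, 60, 0,
                        len(message), 0, 0x3333)
    return struct.pack("<H", len(padding)) + padding + fixed + message


def parse_beacon(plain: bytes) -> Optional[Dict[str, object]]:
    """Walk the length-prefixed layout; None if the buffer is too short."""
    if len(plain) < 2:
        return None
    (pad_len,) = struct.unpack_from("<H", plain, 0)
    off = 2 + pad_len                         # skip PaddingLength + PaddingBytes
    if len(plain) < off + FIXED_LEN:
        return None
    (campaign, session, ip, proc, user, host, pid, elev, poll,
     rtype, msg_len, unknown, module) = struct.unpack_from(FIXED_FMT, plain, off)
    off += FIXED_LEN
    if len(plain) < off + msg_len:
        return None
    return {
        "campaign_id": campaign, "session_id": session,
        "ip_address": _cstr(ip), "process_name": _cstr(proc),
        "user_name": _cstr(user), "computer_name": _cstr(host),
        "process_pid": pid, "elevation_type": elev,
        "polling_interval": poll, "request_type": rtype,
        "module_id": module, "message": plain[off:off + msg_len],
    }


def decode_beacon(key: bytes, ciphertext: bytes) -> Optional[Dict[str, object]]:
    """RC4-decrypt a captured beacon body with the embedded key and parse it."""
    return parse_beacon(rc4(key, ciphertext))
```

Because RC4 is a stream cipher with no integrity check, a truncated capture still decrypts to a valid prefix; the length checks in `parse_beacon` are what keep a partial body from being misread as a complete beacon.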
One highly **unusual** aspect is the **User-Agent** string, which claims to be from **Windows 7** running **Microsoft Edge (v119.0.2151.25)**; this is a version that **should not normally exist** on this OS. This anomaly serves as a strong network indicator of compromise (IoC).
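The inconsistency above can be checked mechanically rather than by eye. The Python below is an added example, not from the report: it parses constructed proxy log lines and flags any User-Agent whose Chromium major version is too new for the Windows version it claims. It generalizes the report's single observation: Edge 109 and Chrome 109 were the last releases that ran on Windows 7, 8 and 8.1 (support ended in January 2023), so any higher `Edg/` or `Chrome/` major combined with `Windows NT 6.x` is internally inconsistent. The log line format is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Edge and Chrome 109 were the last Chromium releases that still ran on
# Windows 7 / 8 / 8.1 (support ended January 2023).
LAST_CHROMIUM_MAJOR_ON_LEGACY_NT = 109
LEGACY_NT = {"6.1": "Windows 7", "6.2": "Windows 8", "6.3": "Windows 8.1"}

# User-Agent strings quoted in the report.
WINELOADER_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/119.0.2151.25 Safari/537.36 Edg/119.0.2151.25")
GRAPELOADER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36")

# Constructed proxy log lines (format is an assumption): timestamp, client,
# method, URL, quoted User-Agent. The third line is a plausible real Windows 7 client.
SAMPLE_LOG = [
    f'2025-03-10T09:12:01Z 10.1.2.3 GET https://bravecup.com/view.php "{WINELOADER_UA}"',
    f'2025-03-10T09:12:05Z 10.1.2.4 POST https://ophibre.com/blog.php "{GRAPELOADER_UA}"',
    '2025-03-10T09:13:00Z 10.1.2.5 GET https://example.org/ "Mozilla/5.0 (Windows NT 6.1; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36"',
]

_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def ua_os_browser_mismatch(ua: str) -> Optional[str]:
    """Reason string if the UA claims a Chromium build too new for the claimed OS."""
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if not nt or nt.group(1) not in LEGACY_NT:
        return None
    # Check the Edg/ token first so an Edge UA is reported as Edge, not Chrome.
    for browser, pattern in (("Edge", r"\bEdg/(\d+)"), ("Chrome", r"\bChrome/(\d+)")):
        m = re.search(pattern, ua)
        if m and int(m.group(1)) > LAST_CHROMIUM_MAJOR_ON_LEGACY_NT:
            return f"{browser} {m.group(1)} cannot run on {LEGACY_NT[nt.group(1)]}"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """(URL, reason) for every request whose User-Agent is internally inconsistent."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        reason = ua_os_browser_mismatch(m.group(5))
        if reason:
            hits.append((m.group(4), reason))
    return hits
```

Note that the GRAPELOADER User-Agent is not flagged: Windows 10 with Chrome 132 is a consistent, common combination, so that string carries no signal on its own and detection there has to rest on the destination and the POST body instead.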
**Evolving Anti-Analysis Techniques**
The older WINELOADER version relied on **function inlining** for string decryption and did **not** strictly enforce immediate **memory cleanup**, instead reusing local variables. In contrast, the new variant takes a different approach, **similar to GRAPELOADER** (suggesting **codebase overlaps** or **shared development tactics**). Each string is processed through three distinct functions: one retrieves the encrypted byte blob, another one decrypts it using the RC4 algorithm, and the last function immediately zeroes out the decrypted memory after use.
Figure 9 – WINELOADER C2 communication string decryption: new vs. old version.
Previously, automated tools like FLOSS could easily extract and deobfuscate strings from an **unpacked** WINELOADER sample. The improved implementation in the new variant disrupts this process, making automated string extraction and deobfuscation fail.
Figure 10 – WINELOADER FLOSS string deobfuscation: old vs. new (unpacked samples).
Beyond string obfuscation, the new WINELOADER variant improves additional anti-analysis techniques, including code mutation, junk instruction insertion, and structural obfuscation. While these changes hinder static analysis, the core malware functionality and network C2 communication remain largely unchanged from previous versions.
The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024. In that earlier attack, APT29 also initiated the campaign with a phishing email disguised as an invitation to a wine-tasting event, that time impersonating an Indian Ambassador.
While some modifications were made to the infection chain in this latest campaign, such as the introduction of GRAPELOADER as the initial stager instead of ROOTSAW (an HTA downloader used previously), the core execution method, employing DLL side-loading and a persistence technique, remained largely unchanged.
In addition, as we show in this report, GRAPELOADER shares significant similarities with WINELOADER, a malware family firmly attributed to APT29. This includes alignment in the compilation environment (Rich-PE), matching compilation timestamps, and code similarity such as the string encryption mechanism.
In this report we provide an in-depth analysis of a new wave of targeted phishing attacks aimed at government and diplomatic entities in Europe. These attacks are linked to the Russia-linked APT29 (also known as Midnight Blizzard or Cozy Bear). The attackers impersonate the Ministry of Foreign Affairs of a European country, sending fake wine-tasting invitations to deploy a new malware called GRAPELOADER. This tool serves as an initial-stage mechanism for fingerprinting, persistence, and payload delivery.
In addition, we identified a new variant of the previously known WINELOADER malware. Changes in the new variant primarily consist of evolved stealth and evasion techniques, which further complicate detection efforts. The links we uncovered between GRAPELOADER and WINELOADER suggest that WINELOADER is likely delivered in later stages of the attack.
Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, filetypes, and operating systems and protect against the attacks and threats described in this report.
**Harmony Endpoint – Anti-Bot**
The full 256-byte RC4 key embedded inside WINELOADER and used for string decryption, unpacking its core module, and encrypting/decrypting information exchanged between the malware and the C2 server.