
Check Point Research (CPR) identified a significant wave of targeted phishing attacks beginning in January 2025. These attacks specifically target government officials and diplomats across Europe, employing sophisticated tactics, techniques, and procedures (TTPs) that closely resemble those of an earlier phishing campaign known as Wineloader, which was previously attributed to APT29, a Russia-linked threat actor.
APT29, AKA Midnight Blizzard or Cozy Bear
APT29, known as Midnight Blizzard or Cozy Bear, is recognized for targeting high-profile organizations, including government agencies and think tanks. The group is also linked to the SolarWinds supply chain attack. Its operations range from targeted phishing campaigns to large-scale supply chain attacks, most of them relying on custom malware.
APT29 Targets European Ministries
In a recent wave of cyber attacks attributed to APT29, threat actors notably impersonated a major European foreign affairs ministry to send misleading emails inviting targets to wine-tasting events. This new phishing campaign, which emerged approximately a year after the last Wineloader campaign, primarily targeted European diplomatic entities, including embassies of non-European countries.
The emails contained malicious links that, when clicked, either initiated the download of a backdoor known as Grapeloader or redirected victims to the legitimate website of the impersonated European foreign affairs ministry, creating a facade of legitimacy.
Investigators uncovered the Grapeloader variants sent to specific targets, as well as a new variant of Wineloader. The compilation timestamp of this Wineloader variant and its resemblance to the newly identified Grapeloader suggest that it was likely used in a later phase of the attack. This progression illustrates the attackers' evolving tactics and their adaptability in exploiting trusted entities to deploy sophisticated malware against unsuspecting victims.
Phishing Emails
Several emails were sent from two domains, purporting to come from someone in the Ministry of Foreign Affairs. Each email carried a malicious link that, when clicked, downloaded a file called wine.zip, the next stage of the attack. The link's domain matched the sender's domain. Check Point Research identified several emails sent out as part of the campaign, almost all of them themed around a wine tasting event.
The server hosting the link is believed to be hardened against scanning and automated analysis tools: the malicious download is served only under specific conditions, such as certain times or geographic locations, and other requests receive nothing harmful.
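As an added illustration (not code from Check Point Research or from the article), the Python script below scores a message against the indicators described above: a sender domain that imitates the ministry without being it, a link hosted on the sender's own domain, a .zip download, and the wine-tasting lure theme. The ministry domain, the sample emails, the weights and the verdict thresholds are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of the genuine ministry domain(s) being impersonated.
# Placeholder value; a real deployment would load the organisation's own list.
LEGITIMATE_MINISTRY_DOMAINS = {"mfa.example.gov"}

# Lure theme seen across the campaign: wine-tasting invitations.
WINE_THEME = re.compile(r"\bwine([\s-]*tasting)?\b", re.IGNORECASE)

# Constructed sample messages (not real campaign emails), each reduced to the
# three fields the checks need: sender address, subject, URLs found in the body.
SAMPLE_EMAILS = [
    {   # mirrors the reported pattern: lookalike sender, same-domain link, wine.zip
        "from": "protocol@mfa-example-events.com",
        "subject": "Invitation: wine tasting evening",
        "urls": ["https://mfa-example-events.com/invite/wine.zip"],
    },
    {   # genuine invitation from the real ministry domain, no archive download
        "from": "protocol@mfa.example.gov",
        "subject": "Invitation: wine tasting evening",
        "urls": ["https://mfa.example.gov/events/2025"],
    },
    {   # unrelated mail with an archive link on a third-party host
        "from": "news@vendor.example",
        "subject": "Monthly report",
        "urls": ["https://cdn.other.example/report.zip"],
    },
]

# Constructed weights: the lure theme alone is weak evidence, the rest is stronger.
WEIGHTS = {
    "lookalike_sender": 2,     # sender domain borrows a ministry label but is not allowlisted
    "archive_link": 2,         # link resolves to a .zip download
    "link_host_is_sender": 1,  # download host equals sender domain, as in the campaign
    "wine_theme": 1,
}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, legit_domains=LEGITIMATE_MINISTRY_DOMAINS) -> bool:
    """True when a non-allowlisted domain reuses the first label of a legitimate
    ministry domain (e.g. 'mfa' inside 'mfa-example-events.com')."""
    if domain in legit_domains:
        return False
    brand_labels = {d.split(".")[0] for d in legit_domains}
    domain_labels = set(re.split(r"[.-]", domain))
    return bool(brand_labels & domain_labels)


def find_indicators(email: dict) -> list:
    """Collect the campaign-style indicators present in one message."""
    hits = []
    sdom = sender_domain(email["from"])
    if is_lookalike(sdom):
        hits.append("lookalike_sender")
    if WINE_THEME.search(email["subject"]):
        hits.append("wine_theme")
    for url in email["urls"]:
        parsed = urlparse(url)
        if parsed.path.lower().endswith(".zip"):
            hits.append("archive_link")
            if (parsed.hostname or "").lower() == sdom:
                hits.append("link_host_is_sender")
    return hits


def score(email: dict) -> int:
    """Weighted sum of the indicators found in the message."""
    return sum(WEIGHTS[h] for h in find_indicators(email))


def classify(email: dict):
    """Map the weighted score to a triage verdict plus the reasons behind it."""
    s = score(email)
    verdict = "suspicious" if s >= 4 else "review" if s >= 2 else "clean"
    return verdict, find_indicators(email)


if __name__ == "__main__":
    for e in SAMPLE_EMAILS:
        print(e["from"], "->", classify(e))
```

The checks deliberately work on the message alone. Because the hosting server gates the payload by conditions such as time or geography, fetching the link from a sandbox may return benign content or the legitimate ministry site, so a verdict that depends on detonating the link can miss exactly the emails that matter.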