Carder.life

Midnight Blizzard deploys new GrapeLoader malware in embassy phishing

WWW 05-26-2025 12:09 PM

<div id="post_message_785968">

Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.<br/>
<br/>
Midnight Blizzard, aka 'Cozy Bear' or 'APT29,' is a state-sponsored cyberespionage group linked to Russia's Foreign Intelligence Service (SVR).<br/>
<br/>
According to Check Point Research, the new campaign introduces a previously unseen malware loader called 'GrapeLoader,' and a new variant of the 'WineLoader' backdoor.<br/>
<br/>
<b><font size="4">A pour of malware</font></b><br/>
<br/>
The phishing campaign started in January 2025 and begins with an email spoofing a Ministry of Foreign Affairs, sent from 'bakenhof[.]com' or 'silry[.]com,' inviting the recipient to a wine-tasting event.<br/>
<br/>
The email contains a malicious link that, if the victim meets the targeting conditions, triggers the download of a ZIP archive (wine.zip). If not, it redirects the victim to the legitimate Ministry website.<br/>
<br/>
The archive contains a legitimate PowerPoint executable (wine.exe), a legitimate DLL file required for the program to run, and the malicious GrapeLoader payload (ppcore.dll).<br/>
<br/>
The malware loader is executed via DLL sideloading; once running, it collects host information, establishes persistence via a Windows Registry modification, and contacts the command-and-control (C2) server to receive the shellcode it loads in memory.<br/>
<br/>
<img alt="GrapeLoader execution chain" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/grapeloader.jpg"/><br/>
<i>GrapeLoader execution chain</i><br/>
<br/>
GrapeLoader likely replaces the previously used first-stage HTA loader 'RootSaw,' as it is stealthier and more sophisticated.<br/>
<br/>
Check Point highlights its use of 'PAGE_NOACCESS' memory protections and a 10-second delay before running the shellcode via 'ResumeThread' to hide malicious payload execution from antivirus and EDR scanners.<br/>
<br/>
<img alt="Stealthy in-memory payload execution" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/noaccess.jpg"/><br/>
<i>Stealthy in-memory payload execution</i><br/>
<br/>
GrapeLoader's main tasks in this campaign are stealthy reconnaissance and delivery of WineLoader, which arrives as a trojanized VMware Tools DLL file.<br/>
<br/>
<b><font size="4">A full-bodied backdoor</font></b><br/>
<br/>
WineLoader is a modular backdoor that gathers detailed host information and facilitates espionage operations.<br/>
<br/>
The collected data includes: IP addresses, the name of the process it runs in, the Windows user name, the Windows machine name, the process ID, and the privilege level.<br/>
<br/>
<img alt="Stolen host data structure" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/data-structure.jpg"/><br/>
<i>Stolen host data structure</i><br/>
<br/>
This information can help identify sandbox environments and evaluate the target for dropping follow-up payloads.<br/>
<br/>
The new variant spotted in the latest APT29 campaign is heavily obfuscated using RVA duplication, export table mismatches, and junk instructions to make it harder to reverse engineer.<br/>
<br/>
<img alt="Unpacking routine comparison" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/unpacking.jpg"/><br/>
<i>Unpacking routine comparison</i><br/>
<br/>
Check Point notes that string obfuscation in the new WineLoader variant plays a key anti-analysis role, having evolved significantly compared to older versions.<br/>
<br/>
"Previously, automated tools like FLOSS could easily extract and deobfuscate strings from an unpacked WINELOADER sample," <a href="https://research.checkpoint.com/2025/apt29-phishing-campaign/" target="_blank">explain the researchers</a>.<br/>
<br/>
"The improved implementation in the new variant disrupts this process, making automated string extraction and deobfuscation fail."<br/>
<br/>
Because the campaign is highly targeted and the malware runs entirely in memory, Check Point was unable to retrieve WineLoader's full second-stage payload or additional plugins, so the full spectrum of its capabilities, and how far it is tailored per victim, remains unclear.<br/>
<br/>
Check Point's findings show that <a href="https://www.bleepingcomputer.com/news/security/us-uk-warn-of-russian-apt29-hackers-targeting-zimbra-teamcity-servers/" target="_blank">APT29's</a> tactics and toolset continue to evolve, getting stealthier and more advanced, and require multi-layered defenses and heightened vigilance to detect and stop.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/midnight-blizzard-deploys-new-grapeloader-malware-in-embassy-phishing/" target="_blank">@ BleepingComputer </a>
</div>
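As an added illustration (not code from the article, from BleepingComputer or from Check Point), the Python below checks constructed Sysmon-style ImageLoad records for the sideloading pattern the post describes: a renamed PowerPoint executable (wine.exe) loading an unsigned ppcore.dll from the directory the archive was extracted into, rather than from the product's install directory. The field names follow Sysmon Event ID 7; the paths, the trusted-directory list and the sample records are constructed assumptions.

```python
import ntpath

# Directories from which application DLLs are expected to load (assumption:
# a typical Windows layout; extend for your estate).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# DLL name the post associates with the lure's PowerPoint executable.
PRODUCT_DLLS = {"ppcore.dll"}

# Constructed Sysmon Event ID 7 (ImageLoad) records, simplified to four fields.
EVENTS = [
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE",
     "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\PPCORE.DLL",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wine\\wine.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\wine\\ppcore.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _dir(path):
    # Directory part, lower-cased, with a trailing backslash for prefix tests.
    return ntpath.dirname(path).lower() + "\\"


def in_trusted_dir(path):
    return any(_dir(path).startswith(t) for t in TRUSTED_DIRS)


def sideload_reasons(ev):
    """Return the indicators that make this ImageLoad look like sideloading."""
    reasons = []
    dll = ev["ImageLoaded"]
    name = ntpath.basename(dll).lower()
    if not in_trusted_dir(dll) and _dir(dll) == _dir(ev["Image"]):
        reasons.append("dll loaded from the exe's own non-install directory")
    if name in PRODUCT_DLLS and not in_trusted_dir(dll):
        reasons.append(name + " loaded outside its product install directory")
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("loaded dll is unsigned or its signature is invalid")
    return reasons


def find_sideloads(events, min_reasons=2):
    """Return (event, reasons) pairs for events with at least min_reasons indicators."""
    hits = [(ev, sideload_reasons(ev)) for ev in events]
    return [(ev, r) for ev, r in hits if len(r) >= min_reasons]


if __name__ == "__main__":
    for ev, reasons in find_sideloads(EVENTS):
        print(ev["Image"], "->", ev["ImageLoaded"], reasons)
```

Only the Temp-directory wine.exe/ppcore.dll pair is flagged; the real PowerPoint load of PPCORE.DLL from the Office install directory produces no indicators.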

