
A Russian state-sponsored threat actor, known as APT29, has been associated with a sophisticated phishing campaign targeting European diplomatic entities using a new variant of WINELOADER and a previously unidentified malware loader, called GRAPELOADER.

“The enhanced WINELOADER variant remains a modular backdoor used in later stages, whereas GRAPELOADER serves as a novel initial-stage tool for fingerprinting, persistence, and payload delivery,” according to a technical analysis published by Check Point earlier this week.

Both WINELOADER and GRAPELOADER share similarities in code structure, obfuscation, and string decryption, with GRAPELOADER refining WINELOADER’s anti-analysis techniques and introducing more advanced stealth methods.

The use of WINELOADER was first documented by Zscaler ThreatLabz in February 2024, with the attacks using wine-tasting lures to infect the systems of diplomatic staff.

While the campaign was initially attributed to a threat activity cluster named SPIKEDWINE, a subsequent analysis by Google-owned Mandiant connected it to the APT29 (also known as Cozy Bear or Midnight Blizzard) hacking group, affiliated with Russia’s Foreign Intelligence Service (SVR).

The latest attacks involve sending email invitations impersonating a European Ministry of Foreign Affairs to targets, coaxing them into clicking a link that triggers the deployment of GRAPELOADER via a malware-laced ZIP archive (“wine.zip”). The emails were sent from the domains bakenhof[.]com and silry[.]com.

The campaign primarily targets multiple European countries, focusing on Ministries of Foreign Affairs and embassies in Europe, with indications that diplomats based in the Middle East may also have been targeted.

The ZIP archive contains three files: a legitimate PowerPoint executable renamed “wine.exe”, a legitimate DLL it depends on (“ppcore.dll”), and a malicious DLL (“AppvIsvSubsystems64.dll”) placed alongside them. When the renamed executable runs, it resolves that dependency from its own directory and loads the planted DLL instead of the genuine one, a classic DLL side-loading setup. The side-loaded DLL is GRAPELOADER, which functions as a loader to drop the main payload.

The malware gains persistence by adding a Registry autorun entry that launches “wine.exe” each time the system starts, so the side-loading chain is re-triggered after a reboot.
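The two traits just described, an autorun pointing at an executable in a user-writable directory and DLLs sitting next to that executable, are what a responder would hunt for on a suspected host. The following is an added example written for this page, not Check Point's code or tooling: it triages Run-key entries for that pattern and lists the co-located DLLs a renamed signed binary could side-load. The user-writable path markers, the drop directory, the sample Run entries and the sample directory listing are constructed assumptions; only the file names come from the article.

```python
"""Added example (not Check Point's code): triage Windows Run-key autoruns for an
executable launched from a user-writable directory with DLLs sitting next to it,
the shape of a DLL side-loading bundle. The writable-path markers, the sample Run
entries and the sample directory listing are constructed."""
import os
import sys

# Path fragments that mark locations a standard user can write to (assumption:
# extend for your environment). Compared case-insensitively against the exe path.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")


def executable_from_command(cmd: str) -> str:
    """Extract the program path from a Run-key command line.

    A leading double-quoted path is taken verbatim; otherwise everything up to and
    including the first '.exe' is treated as the program (unquoted paths containing
    spaces are ambiguous to Windows as well, so only the common case is handled)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    """True when the path sits under a user-writable location or on a UNC share."""
    low = path.lower()
    return low.startswith("\\\\") or any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage_run_entries(entries: dict, listing: dict) -> list:
    """entries: {value_name: command_line} read from a Run key.
    listing:  {directory_lowercase: [file names]} describing what sits beside each exe.
    Returns one finding per autorun in a user-writable directory, together with the
    DLLs that a renamed signed binary there could side-load."""
    findings = []
    for value_name, cmd in entries.items():
        exe = executable_from_command(cmd)
        if not is_user_writable(exe):
            continue
        directory = exe.rsplit("\\", 1)[0].lower()
        dlls = sorted(f for f in listing.get(directory, []) if f.lower().endswith(".dll"))
        findings.append({"value": value_name, "exe": exe, "sideload_candidates": dlls})
    return findings


def collect_live() -> tuple:
    """Windows only: read the HKCU and HKLM Run keys with winreg and list each exe's directory."""
    import winreg  # available only on Windows

    run_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries, listing = {}, {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, run_path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values
                    entries[name] = str(data)
                    i += 1
        except OSError:
            continue  # key absent or not readable
    for cmd in entries.values():
        directory = executable_from_command(cmd).rsplit("\\", 1)[0]
        if os.path.isdir(directory):
            listing[directory.lower()] = os.listdir(directory)
    return entries, listing


# Constructed sample data modelled on the file names in the article; the drop
# directory is an assumption.
SAMPLE_RUN_ENTRIES = {
    "wine": r'"C:\Users\user\AppData\Local\Temp\wine\wine.exe"',
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}
SAMPLE_LISTING = {
    r"c:\users\user\appdata\local\temp\wine": ["wine.exe", "ppcore.dll", "AppvIsvSubsystems64.dll"],
}

if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        data = collect_live()
    else:
        data = (SAMPLE_RUN_ENTRIES, SAMPLE_LISTING)
    for finding in triage_run_entries(*data):
        print(f"[!] Run value {finding['value']!r} -> {finding['exe']}")
        for dll in finding["sideload_candidates"]:
            print(f"    co-located DLL: {dll}")
```

Run it without arguments to see the result on the constructed sample; on a Windows host, `--live` reads the real Run keys. A hit only says "look here": confirm by checking whether the executable is a renamed signed binary (its version resource will name the original product) and whether the neighbouring DLLs carry a valid Microsoft signature.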

GRAPELOADER incorporates anti-analysis techniques like string obfuscation and runtime API resolving, and is designed to collect basic information about the infected host and exfiltrate it to an external server to retrieve the next-stage shellcode.

Although the exact nature of the payload is unclear, Check Point identified updated WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching that of “AppvIsvSubsystems64.dll.”

“With this information, and the fact that GRAPELOADER replaced ROOTSAW, an HTA downloader used in past campaigns to deliver WINELOADER, we believe that GRAPELOADER ultimately leads to the deployment of WINELOADER,” the cybersecurity company said.

The findings come as HarfangLab detailed Gamaredon’s PteroLNK VBScript malware, used by the Russian threat actor to infect all connected USB drives with VBScript or PowerShell versions of the malicious program.

The PteroLNK samples were uploaded to VirusTotal between December 2024 and February 2025 from Ukraine, a primary target of the hacking group.

“Both tools, when deployed on a system, repeatedly attempt to detect connected USB drives, in order to drop LNK files and in some cases also a copy of PteroLNK onto them,” ESET noted in September 2024.

The French cybersecurity firm described PteroLNK VBScript files as heavily obfuscated and responsible for dynamically constructing a downloader and an LNK dropper during execution.

The downloader employs a modular, multi-stage structure to reach out to a remote server and fetch additional malware.

The LNK dropper, on the other hand, propagates through local and network drives, replacing existing .pdf, .docx, and .xlsx files in the root directory of each drive with deceptive shortcut (.lnk) counterparts and hiding the original files.

“The scripts are designed to allow flexibility for their operators, enabling easy modification of parameters such as file names and paths, persistence mechanisms, and detection logic for security solutions on the target system,” HarfangLab said.

It’s worth noting that the downloader and the LNK dropper refer to the same two payloads that the Symantec Threat Hunter team, part of Broadcom, revealed earlier this month as part of an attack chain distributing an updated version of the GammaSteel stealer:

  • NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms (Downloader)
  • NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms (LNK dropper)
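The LNK-dropper behaviour described above leaves a distinctive footprint on a drive: a hidden document next to a shortcut carrying the document's full name plus .lnk, and, on infected hosts, the two payload file names just listed. The following is an added example written for this page, not HarfangLab's or Symantec's code: it triages a single directory listing for both signs. The Entry record, the hidden-flag handling and the sample listing are constructed for the example; the file names and extensions come from the article.

```python
"""Added example (not HarfangLab's or Symantec's code): hunt one directory listing
for the PteroLNK footprint, a hidden .pdf/.docx/.xlsx original sitting beside a
shortcut named <original>.lnk, plus the two payload file names from the article.
The Entry record, hidden-flag handling and sample listing are constructed."""
import os
import stat
import sys
from dataclasses import dataclass

TARGET_EXTS = (".pdf", ".docx", ".xlsx")
# The two payload file names from the article, compared case-insensitively.
PAYLOAD_NAMES = {
    "ntuser.dat.tmcontainer00000000000000000001.regtrans-ms",  # downloader
    "ntuser.dat.tmcontainer00000000000000000002.regtrans-ms",  # LNK dropper
}


@dataclass(frozen=True)
class Entry:
    name: str
    hidden: bool


def triage_listing(entries) -> tuple:
    """Return (replaced, payloads) for one directory.

    replaced: [(shortcut_name, hidden_original_name)] where a shortcut named
              <document>.<ext>.lnk sits next to a hidden <document>.<ext>.
    payloads: names from PAYLOAD_NAMES present in the directory, sorted."""
    by_lower = {e.name.lower(): e for e in entries}
    replaced = []
    for e in entries:
        low = e.name.lower()
        if not low.endswith(".lnk"):
            continue
        stem = e.name[:-4]  # strip ".lnk", leaving the document name
        if not stem.lower().endswith(TARGET_EXTS):
            continue
        original = by_lower.get(stem.lower())
        # A visible original beside a shortcut is unremarkable; the dropper hides it.
        if original is not None and original.hidden:
            replaced.append((e.name, original.name))
    payloads = sorted(e.name for e in entries if e.name.lower() in PAYLOAD_NAMES)
    return replaced, payloads


def scan_directory(path: str) -> list:
    """Build Entry records for a real directory (for example a mounted USB root).
    Hidden means FILE_ATTRIBUTE_HIDDEN on Windows; elsewhere a leading dot is used."""
    entries = []
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = bool(attrs & hidden_bit) or d.name.startswith(".")
            entries.append(Entry(d.name, hidden))
    return entries


# Constructed sample listing of a drive root after the dropper has run.
SAMPLE_ROOT = [
    Entry("Report.pdf", hidden=True),
    Entry("Report.pdf.lnk", hidden=False),
    Entry("Budget.xlsx", hidden=False),   # user-made shortcut: original still visible, not flagged
    Entry("Budget.xlsx.lnk", hidden=False),
    Entry("notes.txt", hidden=False),
    Entry("NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms", hidden=True),
    Entry("NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms", hidden=True),
]

if __name__ == "__main__":
    entries = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ROOT
    replaced, payloads = triage_listing(entries)
    for lnk, orig in replaced:
        print(f"[!] {lnk} shadows hidden document {orig}")
    for name in payloads:
        print(f"[!] payload-named file present: {name}")
```

Point it at the root of a mounted drive (`python hunt.py E:\`) to scan a real listing; without an argument it runs on the constructed sample. The hidden-original condition is what separates the dropper's handiwork from an ordinary user shortcut, so keep it when adapting the heuristic.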

“Gamaredon operates as a critical component of Russia’s cyber operations strategy, particularly in its ongoing war with Ukraine,” the company said.

“Their modus operandi combines aggressive spearphishing campaigns, rapid deployment of heavily obfuscated custom malware, and redundant C2 infrastructure.

“The group prioritizes operational impact over stealth, exemplified by pointing their DDRs to long-standing domains publicly linked to their past operations.”
