
The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign targeting diplomatic entities across Europe with a new variant of WineLoader and a previously undocumented malware loader codenamed GrapeLoader.
"While the improved WineLoader variant is still a modular backdoor used in later stages, GrapeLoader is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery," Check Point said in a technical analysis published earlier this week.
"Despite their differing roles, both share similarities in code structure, obfuscation, and string decryption. GrapeLoader refines WineLoader's anti-analysis techniques while introducing more advanced stealth methods."
The use of WineLoader was first documented by Zscaler ThreatLabz in February 2024, in attacks that leveraged wine-tasting lures to infect diplomatic staff.
While the campaign was initially attributed to a threat activity cluster tracked as SPIKEDWINE, subsequent analysis by Google-owned Mandiant connected it to the APT29 (aka Cozy Bear or Midnight Blizzard) hacking group, which is affiliated with Russia's Foreign Intelligence Service (SVR).
The latest set of attacks involves sending emails impersonating an unspecified European Ministry of Foreign Affairs that invite recipients to click on a link, which triggers the deployment of GrapeLoader by means of a malware-laced ZIP archive ("wine.zip"). The emails were sent from the domains bakenhof[.]com and silry[.]com.
The campaign is said to have primarily singled out several European countries, with a specific focus on Ministries of Foreign Affairs as well as the embassies of other countries in Europe. There are indications that diplomats based in the Middle East may also have been targeted.
The ZIP archive contains three files: a DLL ("AppvIsvSubsystems64.dll") that serves as a dependency to run a legitimate PowerPoint executable ("wine.exe"), which is then abused for DLL side-loading of a second DLL ("ppcore.dll") to launch GrapeLoader.
The malware achieves persistence by modifying the Windows Registry so that "wine.exe" is launched every time the system is rebooted.
In addition to incorporating anti-analysis techniques such as string obfuscation and runtime API resolution, GrapeLoader is designed to collect basic information about the infected host and exfiltrate it to an external server in order to retrieve the next-stage shellcode.
While the exact nature of that payload is unclear, Check Point said it identified updated WineLoader artifacts uploaded to the VirusTotal platform whose compilation timestamp matches that of "AppvIsvSubsystems64.dll."
"With this information, and the fact that GrapeLoader replaced ROOTSAW, an HTA downloader used in previous campaigns to deliver WineLoader, we believe that GrapeLoader eventually leads to the deployment of WineLoader," the cybersecurity company said.
The findings come as HarfangLab detailed the Gamaredon PteroLNK VBScript malware, which the Russian threat actor uses to infect all connected USB drives with VBScript or PowerShell versions of the malicious program. The PteroLNK samples were uploaded to VirusTotal from Ukraine, the hacking group's primary target, between December 2024 and February 2025.
"Both tools, when deployed on a system, repeatedly attempt to detect connected USB drives in order to drop LNK files and, in some cases, a copy of PteroLNK on them."
The French cybersecurity firm described the PteroLNK VBScript files as responsible for dynamically constructing a downloader and an LNK dropper during execution. While the downloader is set to execute every 3 minutes, the LNK dropper script is configured to run every 9 minutes.
The downloader employs a modular, multi-stage structure to reach out to a remote server and obtain additional malware. The LNK dropper, on the other hand, spreads via local and network drives, replacing existing .PDF, .DOCX, and .XLSX files with deceptive shortcut counterparts at the root of the directory and hiding the original files. When launched, these shortcuts are engineered to run PteroLNK instead.
"The script is designed to allow flexibility for its operators, enabling easy modification of parameters such as file names and paths, persistence mechanisms (registry keys and scheduled tasks), and detection logic for security solutions on the target system," HarfangLab said.
It is worth noting that the downloader and LNK dropper refer to the same two payloads that Broadcom's Symantec Threat Hunter Team disclosed earlier this month as part of an attack chain distributing an updated version of the GammaSteel stealer:
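The document-to-shortcut swap described above leaves a recognisable trace on a drive: in the same directory, a .lnk shortcut whose base name mirrors a .pdf, .docx or .xlsx file that now carries the hidden attribute. The script below is an added example written for this page, not HarfangLab's or Symantec's code; it walks a directory tree (a mounted USB drive or network share, for instance), reports every such pair, and notes whether the shadowed document is hidden. The sample tree it scans is constructed inline, and the dotfile fallback for "hidden" on non-Windows hosts is an assumption made for the demo.

```python
"""Hunt for the PteroLNK-style document/shortcut swap: a .lnk shortcut that
shadows a document of the same base name in the same directory.
Added example, not vendor code. Sample tree is constructed below."""
import os
import stat
import tempfile
from pathlib import Path

# Document types the LNK dropper is reported to replace with shortcuts.
DECOY_SUFFIXES = {".pdf", ".docx", ".xlsx"}


def _key(name: str) -> str:
    """Normalise a file name so 'report.pdf', '.report.pdf' (POSIX-hidden),
    'report.lnk' and 'report.pdf.lnk' all collapse to the key 'report'."""
    n = name.lstrip(".").lower()
    if n.endswith(".lnk"):
        n = n[:-4]
    p = Path(n)
    return p.stem if p.suffix in DECOY_SUFFIXES else n


def is_hidden(path: Path) -> bool:
    """Use the Windows hidden attribute when the platform exposes it; on other
    platforms fall back to the dotfile convention (assumption for the demo)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def find_shortcut_swaps(root):
    """Return sorted (shortcut, shadowed_document, document_hidden) triples,
    with paths relative to root, for every directory in which a .lnk
    shares its base name with a .pdf/.docx/.xlsx file."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        docs = {_key(n): d / n for n in filenames
                if Path(n).suffix.lower() in DECOY_SUFFIXES}
        for n in filenames:
            if n.lower().endswith(".lnk") and _key(n) in docs:
                doc = docs[_key(n)]
                findings.append((str((d / n).relative_to(root)),
                                 str(doc.relative_to(root)),
                                 is_hidden(doc)))
    return sorted(findings)


def build_sample_tree(base) -> Path:
    """Constructed layout imitating an infected drive root; no real samples."""
    base = Path(base)
    (base / "sub").mkdir(parents=True, exist_ok=True)
    for rel in (".budget.xlsx", "budget.xlsx.lnk",   # swapped pair at the root
                "readme.txt", "unrelated.lnk",       # benign noise
                "sub/notes.docx", "sub/notes.lnk",   # pair, document not hidden
                "sub/memo.pdf"):                     # untouched document
        (base / rel).write_text("sample")
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_shortcut_swaps(build_sample_tree(tmp))


if __name__ == "__main__":
    for shortcut, doc, hidden in demo():
        print(f"{shortcut} shadows {doc} (document hidden: {hidden})")
```

A user-made shortcut sitting next to its own document produces the same name collision, which is why the hidden flag is reported alongside each pair rather than used as a filter: a root directory where every document is hidden and shadowed by a shortcut is the pattern worth escalating, a single unhidden pair usually is not. On a Windows host the hidden attribute check is the reliable one; the dotfile fallback only exists so the example runs elsewhere.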
- NTUSER.DAT.TMContainer000000000000000000000001.regtrans-ms (downloader)
- NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms (LNK dropper)
"Gamaredon serves as a critical component of Russia's cyber operations strategy, particularly in its ongoing war with Ukraine," the company said. "Gamaredon's effectiveness lies not in technical sophistication but in strategic adaptability."
"Their modus operandi combines aggressive spear-phishing campaigns, heavily obfuscated custom malware, and rapid deployment of C2 infrastructure. The group prioritizes operational impact over stealth, as indicated by its long-standing reuse of indicators associated with its previous operations."