Russian hackers are inviting European diplomats to wine tastings. The threat actor, known as Cozy Bear or APT29, is sending out fake invitations to seemingly luxurious wine tasting events, except the invitations are malware-laden. The same threat actor was caught using a similar tactic against German politicians in 2024.
Researchers at cybersecurity firm Check Point Research spotted the campaign and detailed the attack chain in their report. The bogus emails, crafted to look as if they came from an unnamed European country’s ministry of foreign affairs, were sent to diplomats across the EU. The hackers also send follow-up emails if a target doesn’t respond.
The message contains a link to download a ZIP archive named wine.zip that contains three files:
- Wine.exe: A legitimate PowerPoint executable abused for DLL side-loading, so that the malicious DLL sitting next to it is loaded under a trusted, signed process.
- ppcore.dll: A hidden and heavily obfuscated DLL whose primary function is to act as a loader. Dubbed Grapeloader, it delivers the final malicious payload, Wineloader, in later stages of the attack.
- AppvIsvSubsystems64.dll: Another hidden DLL, shipped because the PowerPoint executable needs it as a dependency in order to run.
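
The archive layout above (one signed executable beside hidden DLLs) is itself a triage signal. The following is an added example, not Check Point's tooling or the campaign's code: it builds a constructed stand-in for wine.zip with placeholder file contents, then scans any ZIP for directories where an .exe sits next to DLLs and raises the score when those DLLs carry the MS-DOS hidden attribute, which a legitimate installer has no reason to set.

```python
import io
import zipfile

# MS-DOS file attribute bits live in the low byte of a ZIP entry's external_attr
# field when the entry was created on Windows. Bit 1 is "hidden".
DOS_HIDDEN = 0x02


def build_sample_archive(hidden: bool = True) -> bytes:
    """Constructed stand-in for wine.zip (placeholder bytes, not the real binaries).
    With hidden=True the two DLLs carry the hidden attribute, as in the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Wine.exe", b"MZ placeholder")
        for name in ("ppcore.dll", "AppvIsvSubsystems64.dll"):
            info = zipfile.ZipInfo(name)
            info.external_attr = DOS_HIDDEN if hidden else 0
            zf.writestr(info, b"MZ placeholder")
    return buf.getvalue()


def find_sideload_candidates(zip_bytes: bytes) -> list:
    """Flag every directory in the archive where an .exe is accompanied by DLLs.
    Score 1: exe + DLLs in one directory (worth a look).
    Score 2: at least one of those DLLs is marked hidden (strong side-loading hint)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        by_dir = {}
        for info in zf.infolist():
            if info.is_dir():
                continue
            dirname, _, base = info.filename.rpartition("/")
            by_dir.setdefault(dirname, []).append((base, info))
        for dirname, entries in by_dir.items():
            exes = [b for b, _ in entries if b.lower().endswith(".exe")]
            dlls = [(b, i) for b, i in entries if b.lower().endswith(".dll")]
            if not exes or not dlls:
                continue
            hidden = [b for b, i in dlls if i.external_attr & DOS_HIDDEN]
            findings.append({
                "dir": dirname or ".",
                "exe": exes,
                "dlls": [b for b, _ in dlls],
                "hidden_dlls": hidden,
                "score": 2 if hidden else 1,
            })
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(build_sample_archive()):
        print(f"[score {f['score']}] {f['dir']}: {f['exe']} with DLLs {f['dlls']}, hidden: {f['hidden_dlls']}")
```

The check is deliberately cheap so it can run on mail-gateway attachments; it does not replace a signature check on the executable, but it catches the pattern regardless of which signed host binary or DLL names a future variant uses.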

Upon execution, Grapeloader copies the archive’s contents to a new location on the victim’s disk and adds a Windows Registry Run key so that it is relaunched at every logon. It then collects basic host information, such as the username and the list of running processes, and polls the threat actor’s command-and-control (C2) server every minute for instructions. The researchers believe Grapeloader’s role is to fingerprint the target, establish persistence and stage Wineloader to complete the attack.
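A fixed one-minute poll is the kind of cadence that stands out in proxy or firewall logs. The following is an added example, not part of the original report: it parses a handful of constructed log lines (TEST-NET addresses and made-up host names, not real telemetry) and flags source/destination pairs whose inter-arrival gap clusters around an expected period, using the median gap and the worst-case deviation from it so that one delayed poll does not hide the pattern. The log format, field names and thresholds are assumptions chosen for the example.

```python
import re
import statistics
from datetime import datetime, timezone

# Constructed proxy-log lines (not real telemetry). WS01 contacts a TEST-NET
# address every 60 seconds; WS02 browses a site at irregular intervals.
SAMPLE_LOG = """\
2025-04-15T10:00:00Z src=WS01 dst=203.0.113.10:443 method=POST bytes=412
2025-04-15T10:00:05Z src=WS02 dst=198.51.100.20:443 method=GET bytes=9031
2025-04-15T10:01:00Z src=WS01 dst=203.0.113.10:443 method=POST bytes=418
2025-04-15T10:01:47Z src=WS02 dst=198.51.100.20:443 method=GET bytes=1220
2025-04-15T10:02:00Z src=WS01 dst=203.0.113.10:443 method=POST bytes=410
2025-04-15T10:02:11Z src=WS02 dst=198.51.100.20:443 method=GET bytes=55012
2025-04-15T10:03:01Z src=WS01 dst=203.0.113.10:443 method=POST bytes=415
2025-04-15T10:04:00Z src=WS01 dst=203.0.113.10:443 method=POST bytes=411
2025-04-15T10:09:30Z src=WS02 dst=198.51.100.20:443 method=GET bytes=3300
"""

# Assumed key=value log layout; adjust the pattern to your proxy's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=\S+ bytes=(?P<bytes>\d+)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into (src, dst, timestamp, bytes) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((m["src"], m["dst"], ts, int(m["bytes"])))
    return events


def find_beacons(events: list, expected_period: float = 60.0,
                 tolerance: float = 0.10, min_hits: int = 4) -> list:
    """Return src/dst pairs whose contact cadence is within `tolerance` of
    `expected_period` seconds. The median gap absorbs a single late poll; the
    worst-case relative deviation keeps genuinely irregular traffic out."""
    by_pair = {}
    for src, dst, ts, _ in events:
        by_pair.setdefault((src, dst), []).append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        if med <= 0:
            continue
        jitter = max(abs(g - med) for g in gaps) / med
        if abs(med - expected_period) / expected_period <= tolerance and jitter <= tolerance:
            hits.append({"src": src, "dst": dst, "count": len(stamps), "median_gap": med})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} every ~{hit['median_gap']:.0f}s ({hit['count']} hits)")
```

Widen `tolerance` if you expect a loader to jitter its sleep; the persistence half of the behaviour (the new Run key) is checked on the endpoint itself, not in network logs.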
To hinder analysis, the loader also employs several anti-analysis techniques, including string obfuscation, runtime API resolution and DLL unhooking. The rest of the campaign is equally evasion-minded: the payload is only served under specific conditions, such as a given time or geographic location, and in some cases the download button simply redirects the visitor to a legitimate website, seemingly the source of the invitation, so that anyone outside the intended target set sees nothing suspicious.
Wineloader, the final malicious payload, has also been updated since its use in the 2024 campaign against German politicians. The new version is a 64-bit trojanised DLL that collects data from the target’s machine and encrypts it with RC4 before sending it out. It also has better evasion methods, wiping traces of its presence from memory and padding its code with junk instructions to confuse antivirus and anti-malware tools.
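Because Wineloader protects what it collects with RC4, an analyst who recovers a key candidate from the sample (or a configuration blob) needs nothing more than the cipher itself to check it against captured traffic. The following is an added example, not code from Check Point or from the malware: a compact RC4 (key scheduling plus keystream) verified against the published test vectors, and a helper that tries several key candidates against a ciphertext and keeps the ones whose decryption contains an expected marker such as a hostname fragment. The ciphertext it checks is constructed inline; nothing here is a real Wineloader key.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Apply the RC4 keystream to data. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute the 256-byte state with the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per input byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def try_keys(ciphertext: bytes, candidates: list, marker: bytes) -> list:
    """Return the candidate keys under which the decryption contains `marker`
    (e.g. a hostname or username you expect in a host fingerprint)."""
    return [k for k in candidates if marker in rc4(k, ciphertext)]


if __name__ == "__main__":
    # Constructed "exfil" blob: a made-up fingerprint line under a made-up key.
    blob = rc4(b"example-key", b"host=WS01;user=jdoe;procs=142")
    print(try_keys(blob, [b"wrong", b"also-wrong", b"example-key"], b"host="))
```

The marker check is deliberately loose: RC4 has no integrity protection, so a wrong key never fails loudly and you have to recognise the plaintext yourself. Never reuse the same RC4 key and data position for two messages in your own tooling; the keystream would cancel out, which is exactly the weakness an analyst hopes to find in the other side's traffic.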