A Sneaky Cyber Trick Disguised as a Friendly Invitation
A Russian-linked hacker group called APT29 has launched a new cyberattack targeting diplomats across Europe. These hackers are very experienced and have ties to Russia’s foreign intelligence service. This time, their attack comes in the form of a clever disguise: an invitation to a fancy wine tasting event.
In this phishing campaign, the hackers pretend to be from a European government and send out fake emails. These emails look like they are from an embassy or ministry, and they invite people to attend a wine event. But the goal isn’t to pour a glass of red—it’s to trick recipients into clicking on a link. That link leads them to download a file called wine.zip, which hides dangerous malware.
Inside that ZIP file are three parts: a file named wine.exe, and two hidden files that are actually .dll files (shared library files that a program loads while it runs). One of these files is named ppcore.dll, and this is where the real trouble begins. It contains a brand-new malware tool that security experts are calling GRAPELOADER.
What GRAPELOADER Does Inside a Computer
Once the victim opens the wine.exe file, it secretly loads the GRAPELOADER malware into their computer. It doesn’t make any noise or show any pop-ups; it runs silently in the background. The hackers use a technique called DLL side-loading, where the dangerous part of the program is hidden inside a file that looks like it belongs to a trusted program like PowerPoint. This tricks the computer into thinking everything is safe.
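The archive layout described above (an executable shipped next to loose, hidden DLLs) is something a mail gateway or analyst can check for before anyone double-clicks. The following is an added example, not code from the article or from any security vendor: it builds a constructed archive in memory that mirrors the described layout (the names wine.exe and ppcore.dll come from the article; the second DLL name and all file contents are placeholders, not real malware) and then triages it for the side-loading pattern.

```python
import io
import zipfile

# DOS "hidden" attribute bit, stored in the low byte of a ZIP entry's
# external attributes when the archive was produced on Windows.
DOS_HIDDEN = 0x02


def build_sample_archive() -> bytes:
    """Construct a sample ZIP with the layout the article describes.

    The bytes are placeholders; nothing here is executable or malicious.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wine.exe", b"MZ placeholder")
        # ppcore.dll is named in the article; the second name is a placeholder.
        for name in ("ppcore.dll", "PLACEHOLDER_second.dll"):
            info = zipfile.ZipInfo(name)
            info.external_attr = DOS_HIDDEN  # mark the entry hidden
            zf.writestr(info, b"dll placeholder")
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Flag archives that ship an executable alongside (hidden) DLLs.

    Returns a summary dict; 'suspicious' is True when the side-loading
    pattern is present. Heuristic only: a legitimate portable app can
    look the same, so this is a triage signal, not a verdict.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()

    exes = [i.filename for i in infos if i.filename.lower().endswith(".exe")]
    dlls = [i.filename for i in infos if i.filename.lower().endswith(".dll")]
    hidden = [i.filename for i in infos if i.external_attr & DOS_HIDDEN]

    findings = []
    if exes and dlls:
        findings.append("executable shipped with loose DLLs (side-loading layout)")
    hidden_dlls = [n for n in dlls if n in hidden]
    if hidden_dlls:
        findings.append("hidden DLL entries: " + ", ".join(hidden_dlls))

    return {
        "exes": exes,
        "dlls": dlls,
        "hidden": hidden,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    for line in report["findings"]:
        print("FINDING:", line)
```

The hidden-attribute check matters because a user who extracts the archive sees only wine.exe; the DLLs that actually carry the loader are invisible in a default Explorer view.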
As soon as GRAPELOADER is loaded, it starts gathering information. It collects the computer’s name, the user’s name, and what programs are running. Then it sends all this information to the hackers over the internet. Every 60 seconds, it checks back with the hackers’ server to see if there are any new instructions.
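A fixed 60-second check-in is exactly the kind of behaviour that stands out in proxy or firewall logs. The following is an added example, not code from the article: it generates constructed log lines (the format, the internal 10.0.0.5 host and the TEST-NET destination addresses are all assumptions; only the 60-second interval comes from the article) and then looks for source/destination pairs whose connection gaps cluster tightly around that interval.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev


def generate_sample_log() -> list:
    """Constructed log: one host beaconing every ~60 s plus ordinary browsing.

    Line format (assumed): '<ISO timestamp>Z <src> <dst> <port> <method> <path>'.
    """
    base = datetime(2025, 4, 15, 10, 0, 0)
    lines = []

    # Beacon-like traffic: 60 s cadence with a couple of seconds of jitter.
    t = base
    for j in [0, 1, -1, 2, 0, -2, 1, 0, 1, -1]:
        t += timedelta(seconds=60 + j)
        lines.append(f"{t.isoformat()}Z 10.0.0.5 203.0.113.7 443 GET /update")

    # Human browsing: irregular gaps to a different destination.
    t = base
    for g in [3, 47, 190, 5, 12, 400, 9, 33, 75, 2]:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()}Z 10.0.0.5 198.51.100.20 443 GET /page")

    return sorted(lines)


def parse_line(line: str):
    ts, src, dst, _port, _method, _path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst


def find_beacons(lines, expected=60.0, tolerance=5.0, min_hits=6) -> dict:
    """Score each (src, dst) pair for periodic check-ins.

    A pair is 'periodic' when the median gap is within `tolerance` seconds
    of `expected` and the gaps barely vary. Pairs with fewer than
    `min_hits` connections are skipped to avoid noise.
    """
    times = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        times[(src, dst)].append(ts)

    results = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        med = median(gaps)
        spread = pstdev(gaps)
        results[pair] = {
            "hits": len(ts_list),
            "median_gap": med,
            "stdev": spread,
            "periodic": abs(med - expected) <= tolerance and spread <= tolerance,
        }
    return results


if __name__ == "__main__":
    for pair, info in find_beacons(generate_sample_log()).items():
        flag = "BEACON?" if info["periodic"] else "ok"
        print(f"{pair[0]} -> {pair[1]}: median {info['median_gap']:.0f}s, "
              f"stdev {info['stdev']:.1f}s, {info['hits']} hits [{flag}]")
```

The interval and tolerance are parameters rather than constants because a loader's cadence is the easiest thing for an operator to change; the detection logic is the regularity itself, not the number 60.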
GRAPELOADER also sets itself up to stay on the computer even after it’s been restarted. It copies itself to a new spot on the computer and makes sure it automatically runs whenever the system is turned back on. This kind of setup allows the hackers to keep control over the machine for as long as they want.
The malware is also smart. It knows how to hide from antivirus software and how to make it hard for cybersecurity experts to understand how it works. This makes it especially dangerous, because it can stick around for a long time without being noticed.
A Familiar Pattern With a New Twist
This isn’t the first time APT29 has used wine-themed phishing scams. Just a year ago, they ran a similar campaign, again sending fake wine event invitations—only that time they pretended to be an ambassador from India. These consistent patterns help experts track the group, even as they change up their tools.
In previous attacks, APT29 used a tool called ROOTSAW to start the infection. This year, they switched to the new GRAPELOADER malware. Once GRAPELOADER has set itself up on the system, it can bring in another dangerous tool called WINELOADER, which the hackers have used before. WINELOADER is the second stage of the attack and gives the hackers deeper access to the computer.
Security researchers recently found a newer version of WINELOADER that had been uploaded online. It was hidden inside a file called vmtools.dll, which usually belongs to a safe program called VMware Tools. This shows that the hackers are continuing to use known tricks like DLL side-loading, where fake files pretend to be part of real, trusted programs.