Russian cyberespionage group Midnight Blizzard, also known as Cozy Bear or APT29, is behind a new spear-phishing campaign targeting European diplomatic entities. The campaign, which began in January 2025, uses a previously unseen malware loader called GrapeLoader, along with an updated variant of the WineLoader backdoor. The phishing emails, disguised as invitations from a Ministry of Foreign Affairs, contain a malicious link that, if conditions are met, triggers the download of a ZIP file containing the malicious payload. This payload consists of a legitimate PowerPoint executable, a required DLL file, and the GrapeLoader malware.
The GrapeLoader malware is executed through DLL sideloading and establishes persistence by modifying the Windows Registry.
It contacts a command-and-control server to download and execute shellcode in memory. The malware is designed to be stealthy, using techniques such as the ‘PAGE_NOACCESS’ memory protection and a 10-second delay before running the payload to evade detection by antivirus and EDR scanners.
GrapeLoader’s main purpose is to perform reconnaissance and deliver the WineLoader backdoor.
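The delivery chain above (a signed, legitimate executable run from an extracted archive, an unsigned DLL sideloaded from the same directory, then a registry write for persistence) can be expressed as a simple correlation heuristic over endpoint telemetry. The following is an added detection example, not code from Check Point or from the campaign itself; the event records, file names and the assumption that persistence lands in a Run key (the article only says "modifies the Windows Registry") are all constructed placeholders.

```python
import ntpath
from collections import defaultdict

# Directories an unprivileged user can write to (where a ZIP attachment gets extracted).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")
# Assumption: the persistence write targets a Run key; the page does not name the key.
AUTORUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",)

# Constructed EDR-style events (not real telemetry); file names are placeholders.
EVENTS = [
    {"type": "process", "pid": 4120, "signed": True,
     "image": r"C:\Users\alice\AppData\Local\Temp\invite\wine.exe"},
    {"type": "image_load", "pid": 4120, "signed": False,
     "dll": r"C:\Users\alice\AppData\Local\Temp\invite\helper.dll"},
    {"type": "registry_set", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign control: Office launched from Program Files loading its own signed DLL.
    {"type": "process", "pid": 5000, "signed": True,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"type": "image_load", "pid": 5000, "signed": True,
     "dll": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll"},
]


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(events):
    """Return {pid: [reasons]} for processes matching at least two chain indicators."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    findings = {}
    for pid, evs in by_pid.items():
        proc = next((e for e in evs if e["type"] == "process"), None)
        if proc is None:
            continue
        reasons = []
        exe_dir = ntpath.dirname(proc["image"]).lower()
        if proc["signed"] and in_user_writable(proc["image"]):
            reasons.append("signed executable started from a user-writable directory")
        for e in evs:
            if (e["type"] == "image_load" and not e["signed"]
                    and ntpath.dirname(e["dll"]).lower() == exe_dir):
                reasons.append("unsigned DLL loaded from the executable's own directory (sideload)")
            elif e["type"] == "registry_set" and any(k in e["key"].lower() for k in AUTORUN_KEYS):
                reasons.append("autorun registry value written by the same process")
        if len(reasons) >= 2:
            findings[pid] = reasons
    return findings
```

Requiring two of the three indicators keeps a lone signed binary in a Temp folder (common for installers) from alerting on its own.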
WineLoader, once deployed, acts as a modular backdoor, gathering detailed system information to facilitate espionage operations. The information collected includes system details such as IP addresses, machine names, and process IDs, which help the attackers identify potential sandbox environments and tailor subsequent payloads. The new variant of WineLoader is heavily obfuscated, employing techniques like RVA duplication, export table mismatches, and junk instructions to make reverse engineering more difficult.
Despite being highly targeted and running entirely in memory, the full capabilities of the WineLoader variant remain unclear due to the campaign’s stealthy nature. Researchers were unable to extract the full second-stage payload or any additional plugins used in the attack. Check Point’s findings suggest that APT29’s tactics continue to evolve, becoming more advanced and stealthy, requiring stronger defenses and increased vigilance to prevent these targeted attacks.
About APT29:
Motivation: Information theft and espionage
Associated names and aliases: Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke
Attack vectors: The group primarily uses campaigns ranging from widespread emails crafted to look like high-volume spam messages, to targeted spear phishing emails addressed to only a few individuals that contain malicious attachments with customized content.
How they work: In some incidents, IRON HEMLOCK (Secureworks' name for APT29) appears to have used compromised third-party networks to conduct attacks; for example, reports linked IRON HEMLOCK to the April 2015 breach of an unclassified White House network, and some sources claimed that the initial phishing emails were distributed from U.S. State Department email servers. IRON HEMLOCK also compromised the U.S. Democratic National Committee’s network in 2016.