The Russian state-aligned group APT29 is behind a new malware campaign that uses a previously undocumented loader, GRAPELOADER, alongside an updated version of WINELOADER. The attacks primarily target European diplomatic entities, with some in the Middle East. The threat actors sent phishing emails posing as invitations to wine-tasting events, delivered through spoofed domains such as bakenhof[.]com and silry[.]com. Victims received ZIP archives that trigger DLL sideloading through a legitimate PowerPoint executable, giving the attackers initial access to the compromised systems. GRAPELOADER collects host fingerprinting data, establishes persistence via Registry edits, and fetches additional payloads; according to Check Point researchers, its purpose is to prepare the environment for the deployment of WINELOADER. The campaign employs sandbox evasion and memory injection techniques, indicating a shift toward stealth and modularity. The activity coincides with broader Russian cyber operations, including Gamaredon's USB-based propagation of the PteroLNK malware against Ukrainian targets.
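A quick triage check for the archive layout described above, added here as an example (it is not code from the page or from Check Point): it opens a ZIP attachment and flags any folder that holds a PE executable next to one or more PE DLLs, which is the shape a DLL side-loading lure takes. The sample archives and every filename in them are constructed for the demonstration; none is a real campaign artifact.

```python
"""Triage a ZIP attachment for the DLL side-loading pattern: an executable
shipped next to one or more DLLs in the same archive folder.
Added example, not code from the page or from Check Point; all filenames
below are constructed placeholders."""
from __future__ import annotations

import io
import zipfile
from collections import defaultdict
from posixpath import basename, dirname

MZ = b"MZ"  # DOS header magic that every PE file (EXE or DLL) begins with


def build_sample_zip() -> bytes:
    """Constructed positive case: a legitimate-looking EXE and a DLL in one
    folder, plus a decoy document. Names are hypothetical, not from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invite/wine.exe", MZ + b"\x90" * 200)
        zf.writestr("invite/helper.dll", MZ + b"\x00" * 200)
        zf.writestr("invite/invitation.pdf", b"%PDF-1.4 decoy")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed negative case: an EXE with no sibling DLL, and a text file
    that only pretends to be a DLL (no MZ header)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tools/setup.exe", MZ + b"\x90" * 64)
        zf.writestr("notes/readme.dll", b"this is not a PE file")
    return buf.getvalue()


def _is_pe(zf: zipfile.ZipFile, info: zipfile.ZipInfo) -> bool:
    """True if the archive member starts with the MZ header."""
    with zf.open(info) as fh:
        return fh.read(2) == MZ


def find_sideload_candidates(zip_bytes: bytes) -> list[dict]:
    """One finding per archive directory that holds a PE executable together
    with at least one PE DLL. The extension alone is not trusted; the MZ
    header of each candidate is checked."""
    by_dir: dict[str, dict[str, list[str]]] = defaultdict(
        lambda: {"exe": [], "dll": []}
    )
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = info.filename.lower().rsplit(".", 1)[-1]
            if ext not in ("exe", "dll") or not _is_pe(zf, info):
                continue
            by_dir[dirname(info.filename)][ext].append(basename(info.filename))
    return [
        {"dir": d, "exe": sorted(f["exe"]), "dll": sorted(f["dll"])}
        for d, f in sorted(by_dir.items())
        if f["exe"] and f["dll"]
    ]


if __name__ == "__main__":
    for finding in find_sideload_candidates(build_sample_zip()):
        print(
            f"side-load candidate in '{finding['dir']}': "
            f"{finding['exe']} with {finding['dll']}"
        )
    print("benign archive findings:", find_sideload_candidates(build_benign_zip()))
```

A hit means "inspect", not "malicious": legitimate installers ship the same layout, so the next step is to compare the bundled DLL against a known-good copy of the library the executable actually imports, and to check whether the executable is a renamed or relocated copy of a signed Office binary.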
Analysis from our experts
APT29 continues to show a methodical approach to initial access, favoring staged, multi-component infection chains with a growing emphasis on stealth. GRAPELOADER reflects a trend toward modular loaders built for persistent access and flexibility in payload delivery. Spear-phishing built around culturally themed events is not novel, but it is well executed here, a reminder that low-friction entry points remain viable when backed by a credible pretext and spoofed domains. The campaign suggests APT29 is refining its delivery chain rather than reinventing it, consistent with the group's long-standing focus on diplomatic intelligence collection and sustained access operations. While not technically groundbreaking, the operation shows a clear evolution in evasion and staging, in line with the operational needs of a state-level adversary engaged in strategic intelligence gathering.