APT29 Hackers Employ GRAPELOADER in New Attack Against European Diplomats

A sophisticated phishing campaign by Russian-linked threat group APT29 has been actively targeting European diplomatic entities since January 2025, according to a recent security report.
The campaign, believed to be a continuation of previous operations that utilized the WINELOADER backdoor, now employs a new malware loader called GRAPELOADER as its initial infection vector.
This modular attack chain demonstrates the group’s evolving tactics and continued focus on high-value diplomatic targets.
The attackers, impersonating a major European Ministry of Foreign Affairs, send phishing emails containing invitations to diplomatic events—primarily wine tasting gatherings.
These emails include malicious links that, when clicked, initiate the download of an archive (wine.zip) containing the GRAPELOADER malware.
The infection chain leverages DLL side-loading techniques to execute the malicious code while evading detection by security solutions.
Check Point researchers identified the campaign through continuous monitoring of APT29 activities, noting the significant similarities between this operation and previous campaigns attributed to the threat actor, also known as Midnight Blizzard or Cozy Bear.
The group has been linked to several high-profile intrusions, including the SolarWinds supply chain attack.
The campaign primarily targets European Ministries of Foreign Affairs and various countries’ embassies located throughout Europe.
In some instances, researchers found evidence of targeting extending to diplomats based in the Middle East, suggesting a broadening of the operation’s scope.
GRAPELOADER infection
The attackers use at least two distinct domains for their operations: bakenhof[.]com and silry[.]com.
GRAPELOADER serves as an initial-stage tool designed for fingerprinting infected environments, establishing persistence, and retrieving next-stage payloads—likely the improved WINELOADER variant also discovered during the investigation.
This represents a shift from previous campaigns where an HTA downloader called ROOTSAW was used as the initial infection vector.
The malware’s sophisticated evasion techniques include an elaborate approach to string obfuscation that effectively defeats common analysis tools.
Each string is processed using three unique functions tailored to specific strings: one retrieves the encrypted byte blob, another decrypts it, and a third immediately zeroes out the memory after use.
This method ensures decrypted strings never persist in memory long enough for automated analysis tools to extract them.
GetEncryptedBytes_28(&v2, v3);
apiName_1 = DecryptBytes_0(v3);
GetEncryptedBytes_12(&v4, v5);
dllName_1 = DecryptBytes(v5);
LoadLibraryW = ResolveAPI(dllName_1, apiName_1);
hModule = LoadLibraryW(dllName);
ZeroMem(v5);
ZeroMem_3(v3);
GRAPELOADER also implements runtime API resolving and DLL unhooking techniques to bypass security monitoring. Before calling any Windows API functions, it unhooks the corresponding DLL and dynamically resolves the API through in-memory PE parsing.
Additionally, the malware employs an evasion technique when executing shellcode by temporarily marking memory regions as non-accessible during security scans before making them executable for malicious code execution.
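As an added illustration (not code from the Check Point report or from this article), the following Python heuristic flags the protection transition described above in an API-call trace: a region that is set to PAGE_NOACCESS and later flipped to an executable protection. The trace format, process id and addresses are constructed assumptions; real sandboxes and EDR telemetry record such calls in their own formats.

```python
"""Flag memory regions whose protection goes PAGE_NOACCESS -> PAGE_EXECUTE*.

The trace lines below are a constructed illustration of per-process API
call logging; adapt LINE_RE to whatever your sandbox or EDR emits.
"""
import re

# Real Win32 memory protection constants (winnt.h).
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

# Assumed trace format: "<pid> <api>(addr=0x..., size=..., prot=0x...)"
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<api>VirtualAlloc|VirtualProtect)\("
    r"addr=0x(?P<addr>[0-9a-fA-F]+),\s*size=(?P<size>\d+),\s*prot=0x(?P<prot>[0-9a-fA-F]+)\)$"
)


def parse_trace(lines):
    """Yield (pid, api, addr, size, prot) tuples; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (int(m["pid"]), m["api"], int(m["addr"], 16),
                   int(m["size"]), int(m["prot"], 16))


def find_noaccess_to_exec(lines):
    """Return (pid, addr) pairs where a NOACCESS region became executable."""
    last_prot = {}  # (pid, addr) -> most recent protection seen
    hits = []
    for pid, _api, addr, _size, prot in parse_trace(lines):
        key = (pid, addr)
        if last_prot.get(key) == PAGE_NOACCESS and prot & EXEC_MASK:
            hits.append(key)
        last_prot[key] = prot
    return hits


# Constructed sample: one suspicious RW -> NOACCESS -> EXECUTE_READ sequence
# and one benign RW -> READONLY sequence that must not be flagged.
SAMPLE_TRACE = """
4120 VirtualAlloc(addr=0x1f0000, size=65536, prot=0x04)
4120 VirtualProtect(addr=0x1f0000, size=65536, prot=0x01)
4120 VirtualProtect(addr=0x1f0000, size=65536, prot=0x20)
4120 VirtualAlloc(addr=0x2a0000, size=4096, prot=0x04)
4120 VirtualProtect(addr=0x2a0000, size=4096, prot=0x02)
""".strip().splitlines()

if __name__ == "__main__":
    print(find_noaccess_to_exec(SAMPLE_TRACE))  # [(4120, 2031616)]
```

The heuristic keys on the transition only; legitimate JIT engines and packers rarely pass through PAGE_NOACCESS before executing, so a hit is worth inspecting but should be correlated with process lineage and the loaded-module list before alerting.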
The post APT29 Hackers Employ GRAPELOADER in New Attack Against European Diplomats appeared first on Cyber Security News.