Cozy Bear Returns: European Embassies Targeted with New Malware Tools

Summary

CRIL came across a blog published by Check Point Research detailing a sophisticated phishing campaign linked to the Russian threat group APT29 (also known as Midnight Blizzard or Cozy Bear). This campaign, active since January 2025, targets European diplomatic entities and foreign embassies by impersonating a European Ministry of Foreign Affairs. The attackers send phishing emails with fake invitations to diplomatic wine-tasting events, prompting victims to click a malicious link that downloads a file named wine.zip. This file contains a new malware loader dubbed GRAPELOADER, which initiates the infection chain.

GRAPELOADER is a stealthy, first-stage loader used for system fingerprinting, persistence, and delivering additional payloads. It exploits a legitimate PowerPoint executable via DLL side-loading and is designed with advanced obfuscation and anti-analysis techniques. Once active, GRAPELOADER sends system information back to a command-and-control server and prepares for the deployment of a newly discovered variant of WINELOADER—a modular backdoor used in later attack stages. The new WINELOADER version shares several technical traits with GRAPELOADER, indicating they’re part of the same campaign and highlighting APT29's continued refinement of their espionage toolkit.

Technical Details

GRAPELOADER and the newer variant of WINELOADER are both malware tools linked to APT29, a sophisticated threat group. While WINELOADER serves as a modular backdoor, GRAPELOADER functions as an initial-stage loader designed to profile systems, maintain persistence, and deliver further payloads. Despite different roles, both tools share several technical similarities such as code structure, obfuscation techniques, and how they decrypt strings.

GRAPELOADER

GRAPELOADER is delivered as a 64-bit DLL named ppcore.dll with two exports: PPMain (used to execute the payload) and DllGetLCID (filled with useless but valid code to bloat the file). The DLL is loaded via side-loading into wine.exe using Delayed Imports, allowing it to bypass certain detection mechanisms by avoiding execution under the standard loader lock.

Anti-Analysis Techniques

The malware uses several tricks to avoid analysis:

  • String obfuscation: Each string is encrypted uniquely, then decrypted in memory just before use and erased immediately, making it difficult for tools like FLOSS to extract them.

  • API resolution and DLL unhooking: Before calling Windows APIs, it unhooks system DLLs and dynamically resolves function addresses in memory to avoid detection and monitoring.

Persistence Mechanism

GRAPELOADER only sets up persistence if it's not running from C:\Windows\System32. If eligible, it copies itself to C:\Users\User\AppData\Local\POWERPNT\, then creates a registry entry under SOFTWARE\Microsoft\Windows\CurrentVersion\Run to launch at startup via wine.exe.
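The persistence artifacts above (a Run value that launches wine.exe from a POWERPNT folder under AppData\Local) are concrete enough to hunt for. The script below is an added example written for this summary, not tooling from Check Point Research or the author; it assumes Run-key values arrive as (name, command) pairs from an EDR or registry export, and reads the live HKCU Run key only when the Python winreg module is available on Windows. The sample entries are constructed.

```python
import re

# Constructed sample of HKCU Run values as an EDR export or a registry dump
# might list them (name, command). The POWERPNT/wine.exe entry models the
# persistence described in the write-up; the other two are benign decoys.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("PowerPointUpdate", r'"C:\Users\User\AppData\Local\POWERPNT\wine.exe"'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

# Indicators taken from the report: the side-loading host binary and the
# staging directory GRAPELOADER copies itself into (matched for any user profile).
SUSPICIOUS_BINARIES = {"wine.exe"}
STAGING_DIR = re.compile(r"\\AppData\\Local\\POWERPNT\\", re.IGNORECASE)
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def executable_path(command):
    """Return the executable part of a Run-key command, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_suspicious_run_entries(entries):
    """Flag Run entries that launch wine.exe or run from the POWERPNT staging dir."""
    findings = []
    for name, command in entries:
        path = executable_path(command)
        exe = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe in SUSPICIOUS_BINARIES:
            reasons.append("launches " + exe)
        if STAGING_DIR.search(path):
            reasons.append("runs from AppData\\Local\\POWERPNT")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


def read_hkcu_run_entries():
    """Read the live HKCU Run key on Windows; return [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


if __name__ == "__main__":
    for finding in find_suspicious_run_entries(SAMPLE_RUN_ENTRIES + read_hkcu_run_entries()):
        print(finding)
```

Both checks are deliberately independent: a renamed host binary would still be caught by the staging directory, and a copy staged elsewhere would still be caught by the wine.exe name. Extending the same pattern to HKLM Run and RunOnce keys is a matter of adding key paths.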

Command and Control (C&C) Communication

Once active, the loader enters a loop, contacting its C2 server (https[:]//ophibre[.]com/blog.php) every 60 seconds using an HTTPS POST request. It collects and sends system data (e.g., username, computer name, process ID) alongside a hardcoded campaign identifier.
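A fixed 60-second POST loop to a single URL is exactly the kind of timing regularity a proxy log analysis can surface. The script below is an added example for this summary, not code from the report, and it assumes a simple space-separated proxy log format (timestamp, client IP, method, URL); the log excerpt is constructed, with the C2 host taken from the write-up and the beacon given a second or two of jitter so the check is realistic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log excerpt: ISO timestamp, client IP, method, URL.
# 10.20.30.41 beacons every ~60 s with small jitter; 10.20.30.57 browses irregularly.
SAMPLE_PROXY_LOG = """\
2025-02-03T09:00:00Z 10.20.30.41 POST https://ophibre.com/blog.php
2025-02-03T09:00:12Z 10.20.30.57 GET https://example.org/news
2025-02-03T09:01:01Z 10.20.30.41 POST https://ophibre.com/blog.php
2025-02-03T09:01:30Z 10.20.30.57 GET https://example.org/news/item
2025-02-03T09:02:00Z 10.20.30.41 POST https://ophibre.com/blog.php
2025-02-03T09:03:02Z 10.20.30.41 POST https://ophibre.com/blog.php
2025-02-03T09:03:45Z 10.20.30.57 GET https://example.org/about
2025-02-03T09:04:01Z 10.20.30.41 POST https://ophibre.com/blog.php
2025-02-03T09:05:00Z 10.20.30.41 POST https://ophibre.com/blog.php
2025-02-03T09:09:10Z 10.20.30.57 GET https://example.org/news
"""


def parse_proxy_log(text):
    """Parse log lines into (time, src, method, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        parts = urlsplit(url)
        events.append((when, src, method, parts.netloc, parts.path))
    return events


def find_beacons(events, min_requests=5, max_cv=0.10, methods=("POST",)):
    """Flag (src, host, path) tuples whose request timing is near-periodic.

    cv is stdev/mean of the gaps between consecutive requests. A loop with a
    fixed sleep yields a small cv even with a little jitter; human browsing does not.
    """
    by_key = defaultdict(list)
    for when, src, method, host, path in events:
        if method in methods:
            by_key[(src, host, path)].append(when)
    beacons = []
    for (src, host, path), times in by_key.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "host": host, "path": path,
                            "requests": len(times),
                            "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(beacon)
```

The coefficient of variation is used rather than a fixed 60-second match so the same check catches loaders with other sleep intervals; raising min_requests reduces false positives from legitimate pollers such as update checks, which should be allow-listed by host.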

Shellcode Execution and Evasion

Upon receiving a payload from the server, GRAPELOADER executes it entirely in memory to avoid writing to disk. It uses a clever memory protection trick: first, it allocates memory as readable and writable, then makes it inaccessible to evade AV scanning, and finally, it switches to executable mode just before running the code.
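The protection sequence described above leaves a telemetry trail: the same region goes readable/writable, then inaccessible, then executable. The following is an added detection example (not from Check Point Research or the author) that assumes an EDR or ETW feed exposes protection-change events as (pid, region base, new protection) records; the event list is constructed and the protection constants are the standard Windows PAGE_* values.

```python
from collections import defaultdict

# Standard Windows memory protection constants.
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Constructed protection-change events: (pid, region_base, new_protection).
# Only PID 4120 follows the RW -> NOACCESS -> executable staging described above;
# PID 1200 is an ordinary RW -> RX transition (JIT-style) and is not flagged.
SAMPLE_EVENTS = [
    (1200, 0x1A0000, PAGE_READWRITE),
    (4120, 0x7FF600010000, PAGE_READWRITE),
    (1200, 0x1A0000, PAGE_EXECUTE_READ),
    (4120, 0x7FF600010000, PAGE_NOACCESS),
    (9001, 0x300000, PAGE_NOACCESS),
    (4120, 0x7FF600010000, PAGE_EXECUTE_READ),
]


def find_staged_execution(events):
    """Return regions whose last three protection changes were RW, NOACCESS, executable."""
    history = defaultdict(list)
    hits = []
    for pid, base, protection in events:
        trail = history[(pid, base)]
        trail.append(protection)
        if (len(trail) >= 3
                and trail[-3] == PAGE_READWRITE
                and trail[-2] == PAGE_NOACCESS
                and trail[-1] & EXECUTE_MASK):
            hits.append({"pid": pid, "base": hex(base),
                         "sequence": [hex(p) for p in trail[-3:]]})
    return hits


if __name__ == "__main__":
    for hit in find_staged_execution(SAMPLE_EVENTS):
        print(hit)
```

The match is intentionally strict (three consecutive changes on one region) to keep noise low; loosening it to "NOACCESS at any point between the RW and executable states" catches variants that touch the region in between, at the cost of more benign hits from guard-page handling.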

WINELOADER

The latest WINELOADER version comes as vmtools.dll, a 64-bit trojanized DLL with 964 exports, but only 482 are unique due to duplicate addresses. One key export, Str_Wcscpy, begins the malicious execution process and acts as an unpacking routine.

The DLL's .text section is marked with Read-Write-Execute (RWX) permissions, suggesting it modifies its own code during execution — a common sign of unpacking or anti-analysis behavior. This DLL appears designed for DLL side-loading alongside legitimate software like VMware Tools.
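An RWX .text section is cheap to check for during triage without running the sample. The parser below is an added example for this summary, not part of the report; it reads only the PE section table from the standard-library struct module (no pefile dependency), and the sample images are constructed header stubs built by the helper, not real binaries. Note that commercial packers also produce writable code sections, so treat a hit as a reason to look closer, not as a verdict.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_sections(data):
    """Yield (name, characteristics) for each section header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header follows the signature
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_opt             # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                 # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics, = struct.unpack_from("<I", data, off + 36)
        yield name, characteristics


def writable_executable_sections(data):
    """Names of sections that are both writable and executable (RWX)."""
    return [name for name, flags in pe_sections(data)
            if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE]


def build_stub_pe(sections):
    """Constructed test data: a minimal, non-runnable PE64 header with the given sections."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xF0                          # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x2022)
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, flags)
        for name, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * size_opt + headers


# Constructed samples: one shaped like the DLL described above, one with normal flags.
RWX_TEXT_SAMPLE = build_stub_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
NORMAL_SAMPLE = build_stub_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, writable_executable_sections(fh.read()))
```

Run with one or more file paths to scan real DLLs; without arguments it only defines the functions and the constructed samples.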

Unpacking and Communication

The unpacking process uses RC4 decryption with a hardcoded 256-byte key. This same method is used for string decoding and network communications. Once unpacked, the malware collects detailed system info (like IP address, process token, and session IDs) and sends it to its C2 server: https[:]//bravecup[.]com/view.php using an unusual User-Agent string (suggesting Windows 7 with a non-existent Edge version) — a good indicator of compromise.

Improved Obfuscation and Evasion

Compared to earlier versions, this WINELOADER variant introduces stronger anti-analysis techniques. Like GRAPELOADER, it now uses a three-step process to handle strings: retrieval, decryption with RC4, and immediate memory cleanup. This prevents tools like FLOSS from extracting strings, even from unpacked samples. It also includes more advanced code obfuscation through junk instructions, code mutation, and structural changes, which make static analysis more difficult. Despite these changes, the malware's main capabilities and communication patterns remain consistent with previous versions.

Recommendations

  • Implement advanced email filtering and phishing detection mechanisms. Regularly train staff to recognize and report suspicious emails, especially those with enticing or unusual invitations.

  • Use endpoint detection tools to monitor processes that load unexpected or unsigned DLLs. Pay close attention to known side-loading vectors such as wine.exe or vmtools.dll.

  • Deploy solutions that can identify unusual process behaviors, such as runtime API resolution, DLL unhooking, or memory protection changes commonly used in in-memory execution techniques.

  • Restrict user and application permissions to the minimum necessary. Segment networks to limit attackers' lateral movement in case of a breach.

Conclusion

This campaign highlights APT29’s continued focus on targeting European government and diplomatic entities through sophisticated phishing lures. The use of GRAPELOADER as an initial stage tool enables stealthy environment profiling and delivery of follow-on payloads. The emergence of an evolved WINELOADER variant further demonstrates the group’s investment in evasion and persistence. The technical overlap between the two tools strongly suggests a coordinated, multi-stage attack chain.


Written by

FPT Metrodata Indonesia