{
	"id": "55fbca5b-26d7-428a-bd4e-c5cce1c64cdb",
	"created_at": "2026-04-06T00:16:44.484214Z",
	"updated_at": "2026-04-10T03:37:33.414742Z",
	"deleted_at": null,
	"sha1_hash": "7e5356f777de262b7a964844109f65a929b7bf5b",
	"title": "Renewed APT29 Phishing Campaign Against European Diplomats - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 112203,
	"plain_text": "Renewed APT29 Phishing Campaign Against European Diplomats -\r\nCheck Point Research\r\nBy samanthar@checkpoint.com\r\nPublished: 2025-04-15 · Archived: 2026-04-05 19:43:31 UTC\r\nHighlights\r\nCheck Point Research has been tracking an advanced phishing campaign conducted by APT29, a Russia-linked threat group, which is targeting diplomatic entities across Europe.\r\nThe campaign, which appears to be a continuation of a previous one that used a backdoor known as WINELOADER, impersonates a major European foreign affairs ministry to distribute fake invitations to diplomatic events, most commonly wine tasting events.\r\nThis campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email. In addition, we discovered a new variant of WINELOADER which is likely used in later stages of the campaign.\r\nWhile the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery. Despite their differing roles, both share similarities in code structure, obfuscation, and string decryption. GRAPELOADER refines WINELOADER’s anti-analysis techniques while introducing more advanced stealth methods.\r\nIntroduction\r\nStarting in January 2025, Check Point Research (CPR) has been tracking a wave of targeted phishing attacks aimed at European governments and diplomats. The Tactics, Techniques and Procedures (TTPs) observed in this campaign align with the WINELOADER campaigns, which were attributed to APT29, a Russia-linked threat group.\r\nAPT29, also commonly referred to as Midnight Blizzard or Cozy Bear, is known for targeting high-profile organizations, including government agencies and think tanks. Its operations range from targeted phishing campaigns to high-profile supply chain attacks that use a large array of both custom and commercial malware. The threat group is also associated with the SolarWinds supply chain attack.\r\nIn this current wave of attacks, the threat actors impersonate a major European Ministry of Foreign Affairs to send out invitations to wine tasting events, prompting targets to click a web link that leads to the deployment of a new loader called GRAPELOADER. This campaign appears to focus on European diplomatic entities, including non-European countries’ embassies located in Europe.\r\nIn addition to GRAPELOADER, we discovered a new variant of WINELOADER active in this campaign. Its compilation timestamp, as well as its similarity to the newly discovered GRAPELOADER, suggests it was likely used in a later phase of the attack.\r\nCampaign Overview\r\nApproximately one year after the last iteration of the WINELOADER campaign, APT29 launched a new wave of phishing emails impersonating a European Ministry of Foreign Affairs, sending emails on its behalf with an invitation to wine tasting events. The emails contained a malicious link that led, in some cases, to the download of an archive, eventually leading to the deployment of GRAPELOADER. In other cases, the link in the phishing email redirects to the official website of the impersonated Ministry of Foreign Affairs.\r\nFigure 1 – High-level overview of GRAPELOADER infections.\r\nThroughout the campaign, the targets include multiple European countries with a specific focus on Ministries of Foreign Affairs, as well as other countries’ embassies in Europe. 
In addition to the emails we’ve identified, we found indications of limited targeting outside of Europe, including of diplomats based in the Middle East.\r\nhttps://research.checkpoint.com/2025/apt29-phishing-campaign/\r\nPage 1 of 7\r\nPhishing Emails\r\nThe identified emails were sent from at least two distinct domains, bakenhof[.]com and silry[.]com, with the sender’s address impersonating a specific person in the mimicked Ministry of Foreign Affairs. Each email contained a malicious link that, when clicked, initiated the download of wine.zip for the next stage of the attack. The domain hosting the link was the same domain used for sending the email. In cases where the initial attempt was unsuccessful, additional waves of emails were sent to increase the likelihood of getting the victim to click the link and compromise their machine.\r\nWe identified several emails sent as part of the campaign, almost all of them with the theme of wine-tasting events:\r\nEmail subjects\r\nWine Event\r\nWine Testing Event\r\nWine tasting event (update date)\r\nFor Ambassador’s Calendar\r\nDiplomatic dinner\r\nThe server hosting the link is believed to be highly protected against scanning and automated analysis solutions, with the malicious download triggered only under certain conditions, such as specific times or geographic locations. When accessed directly, the link redirects to the official website of the impersonated Ministry of Foreign Affairs.\r\nGRAPELOADER Infection\r\nThe wine.zip archive contains three files:\r\nA legitimate PowerPoint executable, wine.exe, which is abused for DLL side-loading.\r\nA hidden DLL, AppvIsvSubsystems64.dll, which is bloated with junk code and serves only as a required dependency for the PowerPoint executable to run.\r\nAnother hidden and heavily obfuscated DLL, ppcore.dll, which functions as a loader; it is named GRAPELOADER, as it is likely used to deliver WINELOADER in later phases of the attack.\r\nOnce wine.exe is executed and the GRAPELOADER DLL is side-loaded, the malware copies the contents of the wine.zip archive to a new location on disk. It then gains persistence by adding an entry under the Windows registry’s Run key, ensuring that wine.exe is executed automatically every time the user logs on.\r\nNext, GRAPELOADER collects basic information about the infected host, such as the host name and username. This collected data is then sent to the Command and Control (C2) server, after which it waits for the next-stage shellcode to be delivered.\r\nNew WINELOADER Variant\r\nIn addition, around the time of the GRAPELOADER phishing emails, a new variant of WINELOADER was submitted to VirusTotal. The newly discovered variant shares the same PE Rich header and a compilation timestamp closely matching that of AppvIsvSubsystems64.dll, suggesting they were likely part of the same attack flow. With this information, and the fact that GRAPELOADER replaced ROOTSAW, an HTA downloader used in past campaigns to deliver WINELOADER, we believe that GRAPELOADER ultimately leads to the deployment of WINELOADER.\r\nTechnical Analysis\r\nWINELOADER is a well-known modular backdoor that is part of the APT29 toolset, but GRAPELOADER is a newly observed tool designed for the initial stage of an attack. 
It is primarily used for fingerprinting the infected environment, establishing persistence, and retrieving the next-stage payload. Despite their differences in purpose, a closer analysis reveals that the new WINELOADER variant and GRAPELOADER share many similarities, particularly in code structure, obfuscation techniques, and string decryption.\r\nA comparison of older and newer WINELOADER versions suggests that this backdoor has continued to evolve, not only preserving its core capabilities but also refining techniques from its earlier iterations. GRAPELOADER not only incorporates and enhances some of these techniques, such as DLL unhooking, API resolving, code obfuscation, and string obfuscation, but also introduces entirely new methods to further improve its stealth and effectiveness.\r\nGRAPELOADER\r\nGRAPELOADER is delivered as a 64-bit DLL (ppcore.dll) with two exported functions: PPMain and DllGetLCID. DllGetLCID contains only mutated junk code (valid instructions that perform time-consuming mathematical operations within large loops); its primary purpose appears to be code bloating. A similar technique is used in AppvIsvSubsystems64.dll, which serves solely as a required dependency for the PowerPoint executable (wine.exe) to run. The PPMain function is what actually triggers the malicious execution.\r\nThis DLL is executed via DLL side-loading through the delayed imports of wine.exe, functioning as an initial-stage downloader. As execution occurs through the exported PPMain function rather than DllEntryPoint, it does not run under the loader lock, so the loader can create threads and call arbitrary APIs without the deadlock risk that DllMain code faces.\r\nAnti-Analysis Techniques\r\nThroughout its code, GRAPELOADER employs several anti-analysis techniques, including:\r\nString obfuscation – Each string is processed using three unique functions, tailored to that specific string. The first retrieves the encrypted byte blob, the second decrypts the blob using a custom algorithm, and the third immediately zeroes out the decrypted memory after use. This approach defeats common automatic string extraction and deobfuscation tools like FLOSS by ensuring that decrypted strings never persist in memory long enough for automated analysis. In addition, as each string has its own processing routines, pattern-based heuristics struggle to reliably detect and extract them.\r\nRuntime API resolving and DLL unhooking – Before calling any Win32 API or NT API function, it first unhooks the corresponding DLL and then resolves the API dynamically via in-memory PE parsing.\r\nFigure 2 – GRAPELOADER – API resolving \u0026 DLL unhooking.\r\nPersistence Mechanism\r\nMalicious execution begins by setting up persistence, but only if the process’s current working directory is not C:\\Windows\\System32. This check prevents persistence from being established when the DLL is executed via tools like rundll32.exe, though the rest of the malware still runs. If persistence is required, GRAPELOADER:\r\n1. Copies the content of the delivered archive wine (2).zip to C:\\Users\\User\\AppData\\Local\\POWERPNT\\.\r\n2. Creates a value named POWERPNT under the SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run key, pointing to C:\\Users\\User\\AppData\\Local\\POWERPNT\\wine.exe.\r\nC2 Communication\r\nAfter establishing persistence, the malicious code enters an infinite loop, polling its C2 server every 60 seconds. Initially, it collects information on the environment, including UserName, ComputerName, ProcessName, and ProcessPID. 
Together with the hardcoded 64-character hexadecimal string e55c854d77279ed516579b91315783edd776ac0ff81ea4cc5b2b0811cf40aa63 (believed to function as a campaign/version tag), the collected data is structured like this:\r\nstruct CollectedEnvironmentInfo\r\n{\r\n BYTE UserName[512];\r\n BYTE ComputerName[512];\r\n BYTE ProcessName[512];\r\n DWORD ProcessPID;\r\n BYTE HardcodedHexString[64];\r\n DWORD GenRandNumFromSystemTime;\r\n};\r\nThis structure is sent via an HTTPS POST request to the C2 server https[:]//ophibre[.]com/blog.php using the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36.\r\nFigure 3 – GRAPELOADER – C2 communication.\r\nShellcode Execution \u0026 Evasion Technique\r\nOnly after receiving data from the C2 server does GRAPELOADER proceed with further execution. The payload is expected to be unencrypted, position-independent shellcode, which is executed entirely in memory without being written to disk.\r\nTo evade memory scanning by AV/EDR solutions, GRAPELOADER implements a well-known technique:\r\n1. The received shellcode is copied into an allocated memory region with PAGE_READWRITE protection.\r\n2. The memory protection is changed to PAGE_NOACCESS using the NT API NtProtectVirtualMemory.\r\n3. The CreateThread Win32 API is called to create a new suspended thread, with lpStartAddress pointing to the beginning of the non-accessible memory region.\r\n4. 
The Sleep Win32 API (10 seconds) is invoked, giving AV/EDR solutions that react to the new thread time to scan while the region is still non-accessible and therefore unreadable.\r\n5. The memory protection is changed to PAGE_EXECUTE_READWRITE using NtProtectVirtualMemory.\r\n6. The ResumeThread Win32 API is called to execute the shellcode.\r\nFigure 4 – GRAPELOADER – Shellcode execution and evasion technique.\r\nAs this campaign is highly targeted, using CollectedEnvironmentInfo to fingerprint infected machines, and because the execution of the next-stage payload leaves no persistent traces, we were unable to retrieve the next-stage shellcode.\r\nWINELOADER\r\nThe new WINELOADER variant (vmtools.dll) is a 64-bit trojanized DLL with 964 exported functions, but only one of them serves as the intended entry point for malicious execution. Interestingly, the Export Directory contains duplicated RVAs: each pair of exported functions shares the same RVA. This means that the DLL really contains “only” 482 unique exports.\r\nFigure 5 – WINELOADER – “vmtools.dll” Exports.\r\nAnother notable characteristic is the “RWX” (Read-Write-Execute) flag on the .text section. This is a strong indication of self-modifying code, which is typically part of the unpacking process.\r\nFigure 6 – WINELOADER – “vmtools.dll” RWX “.text” section.\r\nThe DLL’s name, vmtools.dll, along with its exported function names, suggests that it was designed to be deployed alongside a benign, vulnerable executable, using DLL side-loading to execute malicious code.\r\nWhile we could not acquire the exact main module used to load this DLL, our research quickly revealed that a similar library (same DLL name and exports) is frequently used by executables that are part of the VMware Tools installer.\r\nHowever, finding the correct version of the vulnerable module was a challenge. Because this DLL is trojanized, most of the exported functions contain garbage instructions, making it difficult to identify the intended function before the loader triggers one of the broken exports. The process was akin to finding a needle in a haystack.\r\nTo bypass this issue, we opted for an emulation approach, systematically brute-forcing all exported functions while monitoring for behavioral anomalies. This strategy quickly led us to the intended function, Str_Wcscpy, which initiates malicious execution.\r\nWINELOADER Unpacking\r\nA deeper analysis of Str_Wcscpy confirmed that it serves as an unpacking routine, similar to the one observed in previous WINELOADER versions.\r\nFigure 7 – WINELOADER – Unpacking routine – new vs. previous version.\r\nAs in earlier versions, the core module is unpacked via RC4 decryption, using a hardcoded 256-byte key (see Appendix A). 
The same RC4 key and algorithm are also used for string decryption and C2 communication.\r\nC2 Communication\r\nAfter unpacking, the core module of WINELOADER gathers information on the environment from the infected machine, including IPAddress, ProcessName, UserName, ComputerName, ProcessPID, and ProcessToken, and structures the data like this:\r\nstruct CollectedEnvironmentInfo\r\n{\r\n WORD PaddingLength;\r\n BYTE PaddingBytes[PaddingLength];\r\n QWORD PossibleCampaignID;\r\n QWORD PossibleSessionID;\r\n BYTE IPAddress[14];\r\n BYTE ProcessName[512];\r\n BYTE UserName[512];\r\n BYTE ComputerName[30];\r\n DWORD ProcessPID;\r\n BYTE ProcessTokenElevationType;\r\n QWORD PollingInterval;\r\n BYTE RequestType;\r\n QWORD MessageLength;\r\n QWORD Unknown;\r\n QWORD PossibleModuleID;\r\n BYTE Message[MessageLength];\r\n};\r\nThis structure is almost identical to the one seen in previous WINELOADER versions. 
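Both beacon layouts described in this report, the fixed-size GRAPELOADER CollectedEnvironmentInfo sent by HTTPS POST (see the GRAPELOADER C2 Communication section above) and the variable-length WINELOADER structure just shown, can be decoded from a captured request body. The Python below is an added example written for this page; it is not Check Point’s tooling and not code recovered from either sample. It assumes both structures are byte-packed in the listed field order with no compiler padding, that the WINELOADER structure is RC4-encrypted as a whole with the Appendix A key (a stand-in key is used here because the printed key is incomplete), and that GRAPELOADER sends its 64-character tag as ASCII text. The sample beacons, and the host names, user names and PIDs inside them, are constructed for the demo.

```python
import struct

# Added example for this page (not Check Point or malware code). It decodes
# the two beacon layouts the report describes. All sample data is constructed.

# GRAPELOADER: fixed layout, sent in clear as an HTTPS POST body.
# Assumption: the 64-character tag travels as ASCII text.
GRAPELOADER_TAG = b'e55c854d77279ed516579b91315783edd776ac0ff81ea4cc5b2b0811cf40aa63'
GRAPELOADER_FMT = '<512s512s512sI64sI'   # UserName, ComputerName, ProcessName, PID, tag, random
GRAPELOADER_SIZE = struct.calcsize(GRAPELOADER_FMT)   # 1608 bytes

# WINELOADER: WORD PaddingLength, PaddingBytes[PaddingLength], this fixed
# part, then Message[MessageLength]. The whole structure is RC4-encrypted.
# Assumption: byte-packed, no compiler padding.
WINELOADER_FIXED = '<QQ14s512s512s30sIBQBQQQ'
WINELOADER_FIXED_SIZE = struct.calcsize(WINELOADER_FIXED)   # 1122 bytes


def cstr(raw):
    # NUL-terminated fixed-width field to str
    return raw.split(bytes([0]))[0].decode('utf-8', 'replace')


def rc4(key, data):
    # Plain RC4 (KSA then PRGA); the same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def parse_grapeloader(body):
    # Returns None unless the body has exactly the expected size.
    if len(body) != GRAPELOADER_SIZE:
        return None
    user, host, proc, pid, tag, rnd = struct.unpack(GRAPELOADER_FMT, body)
    return {
        'user': cstr(user), 'host': cstr(host), 'process': cstr(proc),
        'pid': pid, 'tag': tag.decode('ascii', 'replace'), 'random': rnd,
        'tag_matches': tag == GRAPELOADER_TAG,   # campaign/version tag check
    }


def parse_wineloader(key, blob):
    # Decrypts, then walks both variable-length regions with bounds checks.
    plain = rc4(key, blob)
    if len(plain) < 2:
        return None
    pad_len = struct.unpack_from('<H', plain, 0)[0]
    off = 2 + pad_len
    if len(plain) < off + WINELOADER_FIXED_SIZE:
        return None
    (campaign, session, ip, proc, user, host, pid, elev, poll, req,
     msg_len, unknown, module) = struct.unpack_from(WINELOADER_FIXED, plain, off)
    off += WINELOADER_FIXED_SIZE
    if len(plain) < off + msg_len:
        return None
    return {
        'campaign_id': campaign, 'session_id': session, 'ip': cstr(ip),
        'process': cstr(proc), 'user': cstr(user), 'host': cstr(host),
        'pid': pid, 'elevation': elev, 'polling_interval': poll,
        'request_type': req, 'unknown': unknown, 'module_id': module,
        'message': plain[off:off + msg_len],
    }


# Constructed samples for the demo (not captured traffic).
SAMPLE_KEY = bytes(range(256))   # stand-in for the real Appendix A key


def sample_grapeloader():
    return struct.pack(GRAPELOADER_FMT, b'diplomat', b'EMB-WS01',
                       b'wine.exe', 4120, GRAPELOADER_TAG, 0x1a2b3c4d)


def sample_wineloader(key, message=b'hello'):
    padding = b'junk-pad'
    fixed = struct.pack(WINELOADER_FIXED, 0x1122334455667788, 0x42, b'10.0.0.7',
                        b'vmtoolsd.exe', b'diplomat', b'EMB-WS01', 2288, 2, 60,
                        1, len(message), 0, 7)
    plain = struct.pack('<H', len(padding)) + padding + fixed + message
    return rc4(key, plain)


if __name__ == '__main__':
    print(parse_grapeloader(sample_grapeloader()))
    print(parse_wineloader(SAMPLE_KEY, sample_wineloader(SAMPLE_KEY)))
```

Both parsers return None on malformed or truncated input instead of raising, so they can sit in a proxy-log or PCAP triage loop. For GRAPELOADER, tag_matches is the quick hit on the campaign tag; for WINELOADER, a decrypt that yields an implausible PaddingLength, or a MessageLength that overruns the body, is the first sign that the key or the variant differs from the one analysed here.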
Initially, this data is RC4-encrypted with the embedded hardcoded key (see Appendix A) before being transmitted via an HTTPS GET request to the C2 server https[:]//bravecup[.]com/view.php using the User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.2151.25 Safari/537.36 Edg/119.0.2151.25.\r\nFigure 8 – WINELOADER – C2 communication.\r\nOne highly unusual aspect is the User-Agent string, which claims to be Microsoft Edge v119.0.2151.25 running on Windows 7 (Windows NT 6.1); Edge builds that recent were never released for that OS, so this combination should not occur in legitimate traffic. This anomaly serves as a strong network indicator of compromise (IoC).\r\nEvolving Anti-Analysis Techniques\r\nThe older WINELOADER version relied on function inlining for string decryption and did not strictly enforce immediate memory cleanup, instead reusing local variables. In contrast, the new variant takes a different approach, similar to GRAPELOADER (suggesting codebase overlap or shared development practices). Each string is processed through three distinct functions: one retrieves the encrypted byte blob, another decrypts it using the RC4 algorithm, and the last immediately zeroes out the decrypted memory after use.\r\nFigure 9 – WINELOADER C2 communication string decryption: new vs. old version.\r\nPreviously, automated tools like FLOSS could easily extract and deobfuscate strings from an unpacked WINELOADER sample. The improved implementation in the new variant disrupts this process, making automated string extraction and deobfuscation fail.\r\nFigure 10 – WINELOADER FLOSS string deobfuscation: old vs. new (unpacked samples).\r\nBeyond string obfuscation, the new WINELOADER variant improves additional anti-analysis techniques, including code mutation, junk instruction insertion, and structural obfuscation. While these changes hinder static analysis, the core malware functionality and network C2 communication remain largely unchanged from previous versions.\r\nAttribution\r\nThe tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024. In that earlier attack, APT29 also initiated the campaign with a phishing email disguised as an invitation to a wine-tasting event, that time impersonating an Indian ambassador.\r\nWhile some modifications were made to the infection chain in this latest campaign, such as the introduction of GRAPELOADER as the initial stager instead of ROOTSAW (an HTA downloader used previously), the core execution method, employing DLL side-loading and a Run key persistence technique, remained largely unchanged.\r\nIn addition, as we show in this report, GRAPELOADER shares significant similarities with WINELOADER, a malware family firmly attributed to APT29. This includes alignment in the compilation environment (PE Rich header), matching compilation timestamps, and code similarity such as the string encryption mechanism.\r\nConclusion\r\nIn this report we provide an in-depth analysis of a new wave of targeted phishing attacks aimed at government and diplomatic entities in Europe. These attacks are linked to the Russia-linked group APT29 (also known as Midnight Blizzard or Cozy Bear). The attackers impersonate the Ministry of Foreign Affairs of a European country, sending fake wine-tasting invitations to deploy a new malware called GRAPELOADER. 
This tool serves as an initial-stage mechanism for fingerprinting, persistence, and payload delivery.\r\nIn addition, we also identified a new variant of the previously known WINELOADER malware. Changes in the new variant primarily include evolved stealth and evasion techniques, which further complicate detection efforts. The links we uncovered between GRAPELOADER and WINELOADER suggest that WINELOADER is likely delivered in later stages of the attack.\r\nProtections\r\nCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the attacks and threats described in this report.\r\nHarmony Endpoint – Anti-Bot\r\nTrojan.WIN64.WINELOADER.A\r\nTrojan.WIN64.WINELOADER.B\r\nTrojan.WIN64.WINELOADER.C\r\nTrojan.WIN64.WINELOADER.D\r\nTrojan.WIN64.WINELOADER.E\r\nThreat Emulation\r\nAPT.Wins.WineLoader.A\r\nAPT.Wins.WineLoader.B\r\nIOCs\r\nName | Value (SHA-256 / URL / domain) | Description\r\nwine.zip | 653db3b63bb0e8c2db675cd047b737cefebb1c955bd99e7a93899e2144d34358 | Initial access ZIP\r\nwine.exe | 420d20cddfaada4e96824a9184ac695800764961bad7654a6a6c3fe9b1b74b9a | PowerPoint executable used for side-loading\r\nAppvIsvSubsystems64.dll | 85484716a369b0bc2391b5f20cf11e4bd65497a34e7a275532b729573d6ef15e | Junk code DLL serving as PowerPoint dependency\r\nAppvIsvSubsystems64.dll | 78a810e47e288a6aff7ffbaf1f20144d2b317a1618bba840d42405cddc4cff41 | Junk code DLL serving as PowerPoint dependency\r\nppcore.dll | d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164 | GRAPELOADER\r\nppcore.dll | 24c079b24851a5cc8f61565176bbf1157b9d5559c642e31139ab8d76bbb320f8 | GRAPELOADER\r\nvmtools.dll | adfe0ef4ef181c4b19437100153e9fe7aed119f5049e5489a36692757460b9f8 | WINELOADER\r\n- | hxxps://silry[.]com/inva.php | Download URL\r\n- | hxxps://bakenhof[.]com/invb.php | Download URL\r\n- | bakenhof[.]com | Phishing domain\r\n- | silry[.]com | Phishing domain\r\n- | ophibre[.]com | C2\r\n- | bravecup[.]com | C2\r\nAppendix A: Hardcoded WINELOADER RC4 Key\r\nThe full 256-byte RC4 key embedded inside WINELOADER and used for string decryption, unpacking its core module, and encrypting/decrypting information exchanged between the malware and the C2 server:\r\n6b67857ca8a21f6dcb30f855b320140b3ab1c7be4a1615a27bc63cba86412e43b7cbcb9135c91b3c1892bd12934b19f5698ca3695363f58a3fc53abdbc8188a1\r\n6b67857ca8a21f6dcb30f855b320140b3ab1c7be4a1615a27bc63cba86412e43b7cbcb9135c91b3c1892bd12934b19f5698ca3695363f58a3fc53abdbc8188a1\r\n6b67857ca8a21f6dcb30f855b320140b3ab1c7be4a1615a27bc63cba86412e43b7cbcb9135c91b3c1892bd12934b19f5698ca3695363f5\r\nSource: https://research.checkpoint.com/2025/apt29-phishing-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2025/apt29-phishing-campaign/"
	],
	"report_names": [
		"apt29-phishing-campaign"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29",
				"ATK7",
				"Blue Kitsune",
				"Cozy Bear",
				"The Dukes",
				"UNC2452",
				"YTTRIUM"
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CozyLarch",
				"Dark Halo",
				"Midnight Blizzard",
				"NOBELIUM",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e5356f777de262b7a964844109f65a929b7bf5b.pdf",
		"text": "https://archive.orkl.eu/7e5356f777de262b7a964844109f65a929b7bf5b.txt",
		"img": "https://archive.orkl.eu/7e5356f777de262b7a964844109f65a929b7bf5b.jpg"
	}
}