The cyber-espionage group Midnight Blizzard (also tracked as APT29) has launched a new phishing campaign targeting European diplomatic institutions, including embassies. According to Check Point Research, since January 2025 the attackers have been sending fake emails purporting to come from foreign ministries, inviting recipients to wine tastings. The emails use spoofed domains such as "bakenhof[.]com" and "silry[.]com."
The hidden threat is an archive named "wine.zip," which is served only to victims who meet specific criteria; anyone who does not qualify is redirected to a legitimate government website, which reduces suspicion. Inside the archive is a legitimate executable ("wine.exe") disguised as a PowerPoint presentation, alongside a malicious component, "ppcore.dll," which is the loader Check Point calls GrapeLoader.
The malware is launched through DLL hijacking (the legitimate executable loads the malicious DLL placed beside it) and immediately begins collecting system information. It modifies the Windows registry to establish persistence and then connects to a command-and-control server to load the main payload into the device's memory. To evade detection, the loader delays execution by 10 seconds and uses PAGE_NOACCESS memory protection, which complicates discovery by antivirus and EDR tools.
Researchers report that GrapeLoader has replaced the older RootSaw loader and features a stealthier, more sophisticated design. Its primary task is reconnaissance and delivery of the second-stage malware, WineLoader, which is disguised as a legitimate VMware Tools library.
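The delivery layout described above (a legitimate executable shipped in an archive next to the DLL it will load) is something a mail gateway or sandbox can flag before anything runs. The following is an added detection example written for this article; it is not Check Point's code or part of the GrapeLoader analysis. It builds two constructed ZIP fixtures in memory (with fake two-byte PE headers, not real executables), then reports why an archive is suspicious: an executable bundled beside a DLL in the same directory (the side-loading layout), a file with a document extension but a PE header, or a document-style double extension. The member names "wine.exe" and "ppcore.dll" come from the article; the benign "invitation.pdf" fixture and the finding format are assumptions.

```python
"""Flag ZIP archives whose layout matches an executable-plus-DLL side-loading drop.

Added example for this article; not the researchers' tooling. Fixtures are constructed.
"""
import io
import zipfile
from dataclasses import dataclass, field
from pathlib import PurePosixPath

EXECUTABLE_EXT = {".exe", ".scr", ".com"}
DOCUMENT_EXT = {".ppt", ".pptx", ".doc", ".docx", ".pdf"}
PE_MAGIC = b"MZ"  # DOS header magic at offset 0 of every PE file


@dataclass
class ArchiveFinding:
    archive: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyse_archive(archive_name: str, data: bytes) -> ArchiveFinding:
    """Inspect an in-memory ZIP and record every reason a defender would flag it."""
    finding = ArchiveFinding(archive_name)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        heads = {}
        for m in members:
            with zf.open(m) as fh:
                heads[m.filename] = fh.read(2)  # only the magic bytes are needed

    exes_by_dir: dict[str, list[str]] = {}
    dlls_by_dir: dict[str, list[str]] = {}
    for m in members:
        path = PurePosixPath(m.filename)
        ext = path.suffix.lower()
        parent = str(path.parent)
        if ext in EXECUTABLE_EXT:
            exes_by_dir.setdefault(parent, []).append(path.name)
        elif ext == ".dll":
            dlls_by_dir.setdefault(parent, []).append(path.name)
        # A "document" whose bytes begin with a PE header is masquerading.
        if ext in DOCUMENT_EXT and heads[m.filename] == PE_MAGIC:
            finding.reasons.append(f"{m.filename}: document extension but PE header")
        # Double extensions such as invite.pptx.exe imitate a presentation.
        inner_ext = PurePosixPath(path.stem).suffix.lower()
        if ext in EXECUTABLE_EXT and inner_ext in DOCUMENT_EXT:
            finding.reasons.append(f"{m.filename}: executable with document-style double extension")

    # The core side-loading indicator: an EXE and a DLL dropped into the same folder.
    for directory, exes in exes_by_dir.items():
        dlls = dlls_by_dir.get(directory)
        if dlls:
            finding.reasons.append(
                f"{directory}: executable(s) {exes} shipped beside DLL(s) {dlls} (side-loading layout)"
            )
    return finding


def _build_zip(files: dict[str, bytes]) -> bytes:
    """Create a ZIP in memory from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: a fake PE header only, never a runnable binary.
FAKE_PE = PE_MAGIC + b"\x00" * 62
SUSPICIOUS_ZIP = _build_zip({"wine.exe": FAKE_PE, "ppcore.dll": FAKE_PE})
BENIGN_ZIP = _build_zip({"invitation.pdf": b"%PDF-1.4\n%constructed sample\n"})

if __name__ == "__main__":
    for name, blob in (("wine.zip", SUSPICIOUS_ZIP), ("invite.zip", BENIGN_ZIP)):
        result = analyse_archive(name, blob)
        print(name, "SUSPICIOUS" if result.suspicious else "clean")
        for reason in result.reasons:
            print("  -", reason)
```

The layout check is deliberately content-agnostic: it does not need a signature for GrapeLoader, only the observation that a phishing invitation has no business carrying an executable together with a DLL it can load from its own folder. Pair it with the article's gating behaviour in mind, since the archive is only served to selected targets, so the check has to run on whatever the sandbox actually manages to fetch.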
WineLoader gathers extensive data from the infected machine: IP address, username and computer name, process ID, privilege level, and more. This information helps determine whether the malware is running in a sandbox environment and assesses the need to deploy additional components.
The discovered WineLoader variant has enhanced anti-analysis features: duplicated relative virtual addresses, altered export tables, junk instruction injection, and complex string obfuscation. Previously, tools like FLOSS could easily extract strings from the malware, but this is no longer effective because of the improved implementation.
Since all malicious activity takes place in memory and the phishing campaign is highly targeted, Check Point researchers were unable to obtain the full second-stage WineLoader payload or its additional modules. As a result, the full extent of the malware's capabilities remains unknown.
Nonetheless, the research emphasizes that the APT29 toolkit is becoming increasingly complex. The group continues to improve its concealment techniques, focus on modular components, and evolve its evasion methods, all of which call for multi-layered defense strategies and heightened monitoring to detect such advanced threats in time.
