WINELOADER Analysis

SUMMARY :

APT29, also known as Cozy Bear, has targeted European diplomats using a sophisticated multi-stage attack chain involving a new modular backdoor called WINELOADER. The attack begins with a fake PDF invitation to a wine-tasting event, which leads to the download of a malicious HTA file. This file then downloads and executes the WINELOADER backdoor, which uses advanced evasion techniques such as DLL side-loading, encryption, and DLL hollowing. The malware communicates with command and control servers hosted on compromised websites, downloading additional modules and establishing persistence through scheduled tasks or registry keys. The campaign demonstrates APT29's focus on exploiting diplomatic relations between India and European nations, showcasing their advanced tactics and efforts to remain undetected.

OPENCTI LABELS :

backdoor,apt29,evasion,wineloader,modular,diplomats,dll side-loading,cozy bear,dll hollowing


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


WINELOADER Analysis