APT29
APT29, also known as Midnight Blizzard, BlueBravo, or Cozy Bear, has been identified using a new backdoor variant called WINELOADER to target German political parties. This campaign marks a significant shift in the group’s focus from its traditional targets—diplomatic missions—to political entities, indicating a broader operational intent to gather political intelligence.
📌The campaign specifically targeted German political parties, with phishing emails sent around February 26, 2024. These emails featured a logo from the Christian Democratic Union (CDU) and included malicious links.
📌WINELOADER is believed to be a variant of the non-public historic BURNTBATTER and MUSKYBEAT code families, which have been uniquely associated with APT29 by Mandiant.
📌The malware employs sophisticated techniques such as DLL side-loading, RC4 encryption for payload decryption, and evasion tactics like process/DLL name checks and Ntdll usermode hook bypass.
📌The initial access was achieved through phishing attachments leading to a compromised website, «waterforvoiceless[.]org,» which hosted the ROOTSAW dropper. This dropper then facilitated the download and execution of the WINELOADER payload.
📌This shift to targeting political parties reflects growing interest in influencing or understanding Western political dynamics, especially in the context of ongoing geopolitical tensions.
📌The targeting of political parties is seen as a strategic move to gather actionable intelligence that could potentially influence political outcomes or strategies in Europe and beyond.
📌The campaign against German political parties is not seen as an isolated incident but rather part of a broader strategy that could target other Western political entities.