
Hackers Target EU Diplomats With Fake Wine Event Invites
- Written by Kiara Fabbri, Former Tech News Writer
- Fact-Checked by Sarah Frazier, Former Content Manager
Russian hackers posing as EU officials lured diplomats with fake wine-tasting invitations and deployed GRAPELOADER, a stealthy new loader, in an evolving espionage campaign.
In a rush? Here are the quick facts:
- APT29 targets European diplomats with phishing emails disguised as wine-tasting invitations.
- GRAPELOADER is stealthier than the group's earlier malware and adds anti-analysis upgrades.
- The loader runs via DLL side-loading: a malicious DLL is loaded by a legitimate PowerPoint executable.
Cybersecurity researchers have uncovered a new wave of phishing attacks by the Russian-linked hacking group APT29, also known as Cozy Bear. The campaign, flagged by Check Point, targets European diplomats with fake invitations to diplomatic wine-tasting events.
The investigation found that the attackers posed as a European Ministry of Foreign Affairs and emailed diplomats invitations that appeared official. The emails contained links that, when clicked, downloaded malware hidden in an archive named wine.zip.
The archive delivers a new tool called GRAPELOADER, which gives the attackers an initial foothold on the victim's computer. GRAPELOADER collects system information, opens a backdoor for further commands, and establishes persistence so that it survives a reboot.
“GRAPELOADER refines WINELOADER’s anti-analysis techniques while introducing more advanced stealth methods,” the researchers noted. The campaign also uses a newer version of WINELOADER, a backdoor known from previous APT29 attacks, which is likely used in the later stages.
The phishing emails were sent from domains impersonating real ministry officials. If the first email failed to lure the target, follow-up emails were sent to try again. In some cases, clicking the link simply redirected the user to the real ministry website, so the target saw nothing suspicious.
The infection chain abuses a legitimate PowerPoint executable: when launched, it loads a malicious DLL placed alongside it, a technique called DLL side-loading. GRAPELOADER then copies itself to a hidden folder, adds an autorun entry so it launches at startup, and contacts its command-and-control server every minute to wait for further instructions.
The attackers went to great lengths to stay hidden. GRAPELOADER obfuscates its code, erases its own traces, and evades detection by security software, all of which makes the sample harder for analysts to unpack and study.
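A loader that checks in at a fixed interval leaves a timing fingerprint in proxy or firewall logs. The script below is an added example of that detection idea and is not Check Point's code or anything from GRAPELOADER; it assumes a constructed, simplified log format (ISO timestamp, source host, destination host) and flags source/destination pairs whose inter-request gaps are nearly constant, such as a once-a-minute beacon. The sample log lines are constructed, and the hostnames are placeholders.

```python
"""Detect fixed-interval beaconing in constructed proxy log lines.

Added example (not Check Point's code, not GRAPELOADER). Assumes a constructed
log format: "<ISO timestamp> <source host> <destination host>" per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): host-a checks in every ~60 s with
# one second of jitter; host-b browses normally with irregular gaps.
SAMPLE_LOG = """\
2025-04-15T09:00:00 host-a c2.example.test
2025-04-15T09:01:00 host-a c2.example.test
2025-04-15T09:02:01 host-a c2.example.test
2025-04-15T09:03:00 host-a c2.example.test
2025-04-15T09:04:00 host-a c2.example.test
2025-04-15T09:05:01 host-a c2.example.test
2025-04-15T09:00:05 host-b news.example.test
2025-04-15T09:00:17 host-b news.example.test
2025-04-15T09:02:40 host-b news.example.test
2025-04-15T09:07:03 host-b news.example.test
2025-04-15T09:07:09 host-b news.example.test
2025-04-15T09:15:00 host-b news.example.test
"""


def parse_log(text):
    """Group request timestamps by (source, destination) pair."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    return seen


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps), or
    None when there are too few requests to judge. A coefficient of variation
    near zero means the timing is machine-driven rather than human."""
    if len(timestamps) < 5:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_requests=5):
    """Flag (src, dst, mean_gap, cv) for pairs whose gaps are nearly constant."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        score = beacon_score(stamps)
        if score and score[1] <= max_cv:
            hits.append((src, dst, round(score[0], 1), round(score[1], 3)))
    return hits


if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{interval}s (cv={cv})")
```

On the constructed sample only host-a is flagged, at roughly 60 s with a coefficient of variation near 0.01; host-b's irregular gaps score close to 1 and are ignored. The threshold of 0.1 is a starting point: implants that add random sleep jitter push the score up, so in practice the interval histogram per destination is worth eyeballing as well.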
This campaign shows that APT29 continues to evolve its tactics, using creative and deceptive strategies to spy on government targets across Europe.

Low-Cost Phones Come With Fake WhatsApp That Steals Crypto
- Written by Kiara Fabbri, Former Tech News Writer
- Fact-Checked by Sarah Frazier, Former Content Manager
A fake version of WhatsApp pre-installed on cheap Android phones is stealing cryptocurrency by swapping wallet addresses and scanning user data.
In a rush? Here are the quick facts:
- A fake WhatsApp build comes pre-installed on cheap Android phones.
- The trojan forwards user messages and images to the attackers.
- Attacker wallets have received over $1 million in stolen cryptocurrency.
Security researchers have uncovered a scam built around cheap Android smartphones that ship with pre-installed fake apps designed to steal cryptocurrency. According to Russia-based antivirus company Doctor Web, the campaign was first reported in mid-2024 and has grown significantly since.
The attackers target buyers of low-cost smartphones marketed under names that mimic big-brand models, such as "S23 Ultra" or "Note 13 Pro." These phones are advertised as running Android 14 but actually run a modified Android 12 that reports falsified system specifications.
At the centre of the scam is a trojanized build of WhatsApp installed on these phones at the factory. Using a tool called LSPatch, the attackers injected a hidden module into the app. Once active, it quietly intercepts cryptocurrency wallet addresses as they pass through the app and replaces them with the attackers' own, a technique known as "clipping."
The malware even tricks both sender and recipient. Doctor Web explains that “in the case of an outgoing message, the compromised device displays the correct address of the victim’s own wallet, while the recipient… is shown the address of the fraudsters’ wallet.”
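To make the two-view trick concrete, here is an added example that models the address substitution described above and a check that catches it. It is not Doctor Web's code and not the Shibai trojan's actual implementation; the messages, the "victim" and "attacker" wallet addresses, and the regular expressions are all constructed for illustration (the addresses are deliberately invalid and the patterns do no checksum validation).

```python
"""Model of wallet-address 'clipping' in a chat app, plus a detection check.

Added example: not Doctor Web's code and not the real trojan. All addresses,
messages and patterns below are constructed for illustration.
"""
import re

# Loose, constructed patterns for common address formats. They only find
# address-looking tokens in free text; no checksum or network validation.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"\b(?:bc1[0-9a-z]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "tron": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}

# Constructed, intentionally invalid addresses.
VICTIM_BTC = "bc1q" + "x" * 38
VICTIM_ETH = "0x" + "1" * 40
VICTIM_TRON = "T" + "A" * 33
ATTACKER_WALLETS = {"eth": "0x" + "2" * 40, "tron": "T" + "B" * 33}

SAMPLE_MESSAGE = (
    f"Deposit options: ETH {VICTIM_ETH}, TRON {VICTIM_TRON}, "
    f"or BTC {VICTIM_BTC}. Thanks!"
)


def find_addresses(text):
    """Return [(kind, address)] for every address-looking token in text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((kind, match.group(0)))
    return found


def clip_outgoing(text, attacker_wallets):
    """What a clipper module does to an outgoing message: swap each victim
    address for the attacker's address of the same kind. Returns
    (shown_to_sender, actually_sent): the sender's screen keeps the original
    text while the wire carries the substituted version."""
    sent = text
    for kind, addr in find_addresses(text):
        if kind in attacker_wallets:
            sent = sent.replace(addr, attacker_wallets[kind])
    return text, sent


def detect_substitution(sender_copy, recipient_copy):
    """Compare the address sets in the sender's and recipient's copies of a
    message. Returns (addresses missing on the recipient side, addresses that
    appeared there instead); any difference means something rewrote them."""
    mine = set(find_addresses(sender_copy))
    theirs = set(find_addresses(recipient_copy))
    return sorted(mine - theirs), sorted(theirs - mine)


if __name__ == "__main__":
    shown, sent = clip_outgoing(SAMPLE_MESSAGE, ATTACKER_WALLETS)
    print("sender sees  :", shown)
    print("recipient got:", sent)
    print("substituted  :", detect_substitution(shown, sent))
```

Running it shows the asymmetry the researchers describe: the sender's copy is byte-for-byte what they typed, while the recipient's copy carries the attacker's ETH and TRON addresses (the BTC address is left alone because the constructed attacker has no wallet of that kind). The detection function only works if the two copies can be compared out of band, which is exactly why confirming an address over a second channel, or reading it back character by character, defeats this class of attack.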
This build of WhatsApp also forwards the user's messages to the attackers and scans the device for images containing wallet recovery (seed) phrases, which grant full control of a wallet. Many users keep screenshots of these phrases, so any that are found hand the attackers the wallet outright.
Doctor Web named the trojan Shibai. The campaign reportedly involves around 40 trojanized apps, including Telegram, Trust Wallet, and MathWallet, and relies on more than 60 servers and 30 domains. Some of the attackers' wallets have received over $1 million in stolen cryptocurrency.