Midnight Blizzard, a Russian-affiliated hacking group, is currently carrying out a series of cyberattacks in Europe. According to Check Point researchers, the attackers are using a new piece of malware, called GrapeLoader, as part of a large-scale phishing campaign against European diplomatic entities.
Known for working with Russian intelligence services, the group has previously attacked HPE (Hewlett Packard Enterprise), French diplomats, and SolarWinds. Last year, Midnight Blizzard also managed to penetrate Microsoft's systems and hack the email accounts of several of its executives, giving the hackers access to the executives' sensitive communications. Shortly afterwards, the group compromised the infrastructure of TeamViewer, one of the most widely used remote-access tools.
A combination of new viruses
To trap European diplomats, the hackers begin by impersonating a foreign ministry. Posing as that ministry, they send the target an email containing an invitation to a wine tasting. To confirm their attendance, targets are invited to click on a malicious link, which triggers the download of a ZIP archive. Up to this point the operation looks like a typical phishing attack. The archive, however, contains the GrapeLoader malware: a loader, that is, a piece of malware whose sole purpose is to install other malware on the infected computer.
GrapeLoader then deploys a backdoor called WineLoader. The backdoor takes over and siphons off the data available on the machine, such as the PC's IP address, the name of the running process, the Windows user, the computer name, and the privilege level. As Check Point explains, the Russian hackers are using a brand new, more discreet variant of WineLoader. By combining these new tools, Midnight Blizzard has built a stealthy attack chain capable of bypassing many security mechanisms.
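The chain above hinges on a recipient opening a ZIP archive that carries an executable loader. As an added example (not code from Check Point's report or from the campaign itself), the following Python script shows the kind of attachment check a mail gateway or an incident responder can run on such an archive before it reaches a user: it lists the members, flags executable file extensions, and, because attackers rename payloads, also reads each member's first two bytes to catch a Windows PE file hiding behind a harmless-looking extension. The archive it inspects is constructed inline with a fake "MZ" stub, not a real sample.

```python
import io
import os
import zipfile

# Extensions a diplomatic invitation has no business carrying (assumed policy list).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl", ".lnk", ".js", ".vbs", ".hta", ".msi"}
PE_MAGIC = b"MZ"  # Windows PE files (EXE/DLL) start with these two bytes
MAX_RATIO = 100   # compression ratio above which we suspect a decompression bomb


def inspect_zip(data: bytes) -> dict:
    """Triage a ZIP archive held in memory and return a summary dict."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"valid": False, "members": [], "findings": ["not a ZIP archive"], "suspicious": True}

    members = []
    for info in archive.infolist():
        name = info.filename
        members.append(name)
        if info.is_dir():
            continue
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"{name}: executable extension {ext}")
        # Read only the first two bytes; a renamed DLL still carries the PE header.
        with archive.open(info) as fh:
            head = fh.read(2)
        if head == PE_MAGIC:
            findings.append(f"{name}: Windows PE payload (MZ header)")
        if info.compress_size > 0 and info.file_size // info.compress_size > MAX_RATIO:
            findings.append(f"{name}: suspicious compression ratio")

    return {"valid": True, "members": members, "findings": findings, "suspicious": bool(findings)}


def build_sample_archive(include_payload: bool = True) -> bytes:
    """Constructed sample: an invitation text next to fake PE stubs (not real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("wine_tasting_invitation.txt", "You are invited to a wine tasting.")
        if include_payload:
            # Double extension, the classic trick to look like a PDF.
            z.writestr("invitation.pdf.exe", b"MZ" + b"\x00" * 64)
            # PE bytes hiding behind a data extension; only the magic check catches this.
            z.writestr("setup.dat", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_zip(build_sample_archive())
    print("members:", report["members"])
    for finding in report["findings"]:
        print("FLAG:", finding)
```

Running the script flags `invitation.pdf.exe` twice (extension and header) and `setup.dat` once (header only); the plain text invitation passes. The header check is the one worth keeping: extension filtering alone is exactly what a renamed loader is built to slip past.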
Attacks underway since January 2025
In its report, Check Point specifies that the group targets governments, including "non-European embassies located in Europe". "Diplomats based in the Middle East" have also been targeted. The wave of attacks began in January 2025.
Several criminal groups affiliated with Russia have been orchestrating cyber espionage operations in Europe for years. In addition to Midnight Blizzard, groups such as Sandworm and Winter Vivern are carrying out sophisticated cyberattacks against critical infrastructure, particularly in the energy sector, as well as against government and military organizations in Europe.
These groups operate with advanced technical means, provided by Russia's intelligence services, with the aim of stealing confidential data. Their targets are increasingly diverse: ministries, hospitals, and institutions, but also journalists, researchers, and NGOs. At the same time, Russia is accused of orchestrating large-scale disinformation operations aimed at destabilizing Western democracies.
Source: Check Point