In late February 2024, Mandiant identified a phishing campaign targeting German political parties run by APT29, a Russian Federation-backed threat group that multiple governments have linked to the Russian Foreign Intelligence Service (SVR).
Consistent with APT29 operations dating back to 2021, this operation leveraged APT29's main ROOTSAW (also known as EnvyScout) payload to deliver a new backdoor variant known as WINELOADER. This activity represents a departure from APT29's typical targeting of governments, foreign embassies and other diplomatic missions and is the first time that Mandiant has identified this APT29 subcluster's operational interest in political parties.
Additionally, while APT29 has previously used bait documents bearing the logo of German government organizations, this is the first instance in which the group has used German-language bait content, possibly because the two operations addressed different audiences. The phishing emails sent to victims purported to be a dinner invitation and bore the logo of the Christian Democratic Union (CDU). The German-language bait document contains a phishing link that leads victims to a malicious ZIP file containing a ROOTSAW dropper, hosted on a compromised website controlled by the actors. ROOTSAW delivered a CDU-themed decoy document in the second stage and a WINELOADER payload in the next stage.
More at Mandiant.com
About Mandiant Mandiant is a recognized leader in dynamic cyber defense, threat intelligence and incident response. With decades of experience on the cyber frontline, Mandiant helps organizations confidently and proactively defend against cyber threats and respond to attacks. Mandiant is now part of Google Cloud.