European diplomats targeted by SPIKEDWINE with WINELOADER

This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting
event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP
archive hosted on a compromised site, initiating the infection chain. Further threat hunting led us to the discovery of
another similar PDF file uploaded to VirusTotal from Latvia in July 2023.
This blog provides detailed information about a previously undocumented backdoor we named ‘WINELOADER'. We
believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats
in European nations, carried out this attack. The attack is characterized by its very low volume and the advanced
tactics, techniques, and procedures (TTPs) employed in the malware and command and control (C2) infrastructure.
While we have not yet attributed this attack to any known APT group, we have named this threat actor SPIKEDWINE
based on the wine-related theme and filenames used in different stages of the attack chain, and our investigation into
the case is ongoing.
We notified our contacts at the National Informatics Centre (NIC) in India about the abuse of Indian government
themes in this targeted attack
Key Takeaways
2/10
Low-volume targeted attack: The samples intentionally targeted officials from countries with Indian diplomatic
missions, although VirusTotal submissions indicate a specific focus on European diplomats.
New modular backdoor: WINELOADER has a modular design, with encrypted modules downloaded from the
command and control (C2) server.
Evasive tactics: The backdoor employs techniques, including re-encryption and zeroing out memory buffers,
to guard sensitive data in memory and evade memory forensics solutions.
Compromised infrastructure: The threat actor utilized compromised websites at multiple stages of the attack
chain.
Read Full Article on Off Shore Club