Notorious Russian hackers target government officials with fake dinner party invites

Hands typing on a keyboard surrounded by security icons

(Image credit: Shutterstock)

Russian hackers have been observed impersonating a major German political party in an attempt to infect other political subjects in the country with malware capable of stealing sensitive information, and more.

Cybersecurity researchers from Mandiant reported detetcing a copy of a phishing email sent from a Russian state-sponsored threat actor known as APT29, which has previously been linked with Russia's Foreign Intelligence Service (SVR), and attributed to some of the bigger cyberattacks in recent years, including the disastrous SolarWinds attack from 2020.

The email impersonates the Christian Democratic Union (CDU), one of Germany’s largest political parties whose prominent members include, among others, Angela Merkel, who served as the Chancellor for roughly 16 years, and was widely considered among the most influential politicians globally.

War effort

Starting in February 2024, the campaign invites members of other political parties to a dinner party, and comes with a link to an external page. That page drops a ZIP archive of the Rootsaw malware dropper. This dropper, if executed, will deploy a backdoor called WineLoader.

WineLoader was first discovered in February, BleepingComputer reports, when security researchers from Zscaler found fake invitations to a wine-tasting event.

While it’s safe to assume WineLoader is an infostealer used in cyber-espionage campaigns, it also seems to be much more than that. It’s a modular piece of malware that can probably do many more things, depending on each individual campaign’s requirements.

Before targeting German political entities, WineLoader was seen in the Czech Republic, India, Italy, Latvia, and Peru.

Russia has been at war with Ukraine for more than two years, and most of Western Europe sided with Ukraine, providing assistance in military equipment and other logistics. While not confirmed, it’s safe to assume this campaign is also part of the Russian war effort.

More from TechRadar Pro

More WinRar security flaws are being exploited to attack foreign embassies
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.