
New Threat Actor SPIKEDWINE Targeting European Officials with WINELOADER Backdoor

A recent report from Zscaler ThreatLabz has uncovered a previously undocumented threat actor named SPIKEDWINE, which appears to be targeting officials in European countries that have Indian diplomatic missions. This actor uses a new backdoor called WINELOADER to carry out the attacks.

The SPIKEDWINE campaign has been observed using a file sent via email to diplomatic staff, purportedly from the Ambassador of India, inviting them to a wine-tasting event on February 2, 2024. The document was uploaded to VirusTotal from Latvia on January 30, 2024. However, evidence suggests that this campaign may have been active since at least July 6, 2023, as another similar file was discovered that was uploaded from the same country.

The attack is characterized by its low volume and by the advanced tactics, techniques, and procedures (TTPs) employed in the backdoor and the command-and-control (C2) infrastructure. Sudeep Singh and Roy Tay, the security researchers who reported on the SPIKEDWINE campaign, noted that the adversary put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions.

The file comes embedded with a malicious link that masquerades as a questionnaire, urging the recipients to fill it out to participate. Clicking on the link paves the way for an HTML application (“wine.hta”) that contains obfuscated JavaScript code to retrieve an encoded ZIP archive bearing WINELOADER from the same domain.

The backdoor is packed with a core module designed to execute modules from the C2 server, inject itself into another dynamic-link library (DLL), and update the sleep interval between beacon requests. The most notable aspect of the cyber incursions is the use of compromised websites for C2 and intermediate payloads. It's suspected that the “C2 server only responds to specific types of requests at certain times,” making the attacks more evasive.
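Two of the behaviours described above leave traces in ordinary web-proxy logs: the HTA-then-ZIP download chain from a single domain, and the fixed-interval beaconing whose sleep value the core module can change mid-session. The script below is an added example written for this post, not code from Zscaler ThreatLabz or from the campaign report. The log format, the client addresses and the `*.invalid` domains are all constructed for the example; only the file name `wine.hta` comes from the write-up.

```python
"""Hunting helpers for the two WINELOADER-style traffic patterns described above.

Log lines are a constructed proxy format:  <ISO timestamp> <client> <method> <url> <status>
Domains and addresses are placeholders; only 'wine.hta' is taken from the report.
"""
import re
from collections import defaultdict
from datetime import timedelta
from datetime import datetime
from urllib.parse import urlsplit

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample: one client runs the lure chain and then beacons (60 s sleep, later 120 s);
# a second client shows irregular, benign-looking traffic to an unrelated host.
SAMPLE_LOG = """
2024-02-01T10:00:00 10.0.0.5 GET https://lure-placeholder.invalid/wine.hta 200
2024-02-01T10:00:04 10.0.0.5 GET https://lure-placeholder.invalid/data.zip 200
2024-02-01T10:01:00 10.0.0.5 GET https://c2-placeholder.invalid/api/check 404
2024-02-01T10:02:00 10.0.0.5 GET https://c2-placeholder.invalid/api/check 404
2024-02-01T10:03:00 10.0.0.5 GET https://c2-placeholder.invalid/api/check 200
2024-02-01T10:04:00 10.0.0.5 GET https://c2-placeholder.invalid/api/check 404
2024-02-01T10:05:00 10.0.0.5 GET https://c2-placeholder.invalid/api/check 404
2024-02-01T10:07:00 10.0.0.5 GET https://c2-placeholder.invalid/api/check 404
2024-02-01T10:09:00 10.0.0.5 GET https://c2-placeholder.invalid/api/check 200
2024-02-01T10:11:00 10.0.0.5 GET https://c2-placeholder.invalid/api/check 404
2024-02-01T10:00:00 10.0.0.7 GET https://cdn-placeholder.invalid/index.html 200
2024-02-01T10:00:17 10.0.0.7 GET https://cdn-placeholder.invalid/app.js 200
2024-02-01T10:01:35 10.0.0.7 GET https://cdn-placeholder.invalid/logo.png 200
2024-02-01T10:01:41 10.0.0.7 GET https://cdn-placeholder.invalid/style.css 200
2024-02-01T10:02:30 10.0.0.7 GET https://cdn-placeholder.invalid/update.zip 200
2024-02-01T10:04:00 10.0.0.7 GET https://cdn-placeholder.invalid/index.html 304
2024-02-01T10:05:33 10.0.0.7 GET https://cdn-placeholder.invalid/news.html 200
2024-02-01T10:05:50 10.0.0.7 GET https://cdn-placeholder.invalid/img.png 200
""".strip().splitlines()


def parse_proxy_log(lines):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "client": m["client"],
            "host": (url.hostname or "").lower(),
            "path": url.path.lower(),
            "status": int(m["status"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_hta_zip_chains(events, window=timedelta(minutes=10)):
    """Flag a .zip download that follows a .hta download from the same host by the same client.

    Returns (client, host, hta_time, zip_time) tuples; a .zip with no preceding .hta is ignored.
    """
    hits = []
    hta_seen = defaultdict(list)  # (client, host) -> timestamps of .hta fetches
    for e in events:
        key = (e["client"], e["host"])
        if e["path"].endswith(".hta"):
            hta_seen[key].append(e["ts"])
        elif e["path"].endswith(".zip"):
            for t in hta_seen[key]:
                if timedelta(0) <= e["ts"] - t <= window:
                    hits.append((e["client"], e["host"], t, e["ts"]))
                    break
    return hits


def beacon_regularity(stamps, tolerance=0.15):
    """Fraction of consecutive request gaps that are within `tolerance` of the previous gap.

    Comparing each gap with its neighbour (rather than with the global mean) keeps the score
    high when the implant switches from one fixed sleep to another, as the core module can.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    pairs = list(zip(gaps, gaps[1:]))
    if not pairs:
        return 0.0
    regular = sum(1 for g0, g1 in pairs if g0 > 0 and abs(g1 - g0) / g0 <= tolerance)
    return regular / len(pairs)


def find_beacons(events, min_requests=6, min_regularity=0.7):
    """Return (client, host, request_count, regularity) for client/host pairs that look like beacons."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])
    flagged = []
    for (client, host), stamps in sorted(by_pair.items()):
        if len(stamps) < min_requests:
            continue
        score = beacon_regularity(stamps)
        if score >= min_regularity:
            flagged.append((client, host, len(stamps), round(score, 3)))
    return flagged


if __name__ == "__main__":
    evs = parse_proxy_log(SAMPLE_LOG)
    print("HTA->ZIP chains:", find_hta_zip_chains(evs))
    print("Beacon candidates:", find_beacons(evs))
```

The beacon score is deliberately neighbour-based: a global standard deviation would be inflated by a single sleep-interval change, whereas one changed gap out of seven costs only one comparison here. Because the report says the C2 only answers certain requests at certain times, a high share of 404s to an otherwise regularly contacted host is a useful secondary signal to add alongside the score; the sample's status column is there for that extension.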

Deitasoft © 2024. All Rights Reserved.