Cyber Incident Victim: Bavaria
Date: Feb 2024
Location: Germany
Summary
APT29, a Russian state-sponsored threat group linked to the SVR, conducted a cyber espionage campaign against German political parties using a new WINELOADER backdoor variant delivered through phishing emails. The operation used CDU-themed German-language lures that directed victims to compromised websites hosting malicious ZIP files; the archives contained ROOTSAW droppers, which deployed WINELOADER payloads via DLL side-loading. The activity marked a notable shift from the group's usual focus on diplomatic entities and reflects a strategic interest in monitoring Western political dynamics, particularly positions on Ukraine-related policy. The malware shares technical overlaps with known APT29 tools such as BURNTBATTER and MUSKYBEAT, including RC4 decryption, anti-analysis techniques, and HTTP-based C2 communication. The campaign demonstrates APT29's adaptive targeting of political organizations to gather intelligence in support of Russian geopolitical objectives.
Description
In late February 2024, Mandiant observed APT29, a Russian state-sponsored threat group linked to the SVR foreign intelligence service, conducting a phishing campaign against multiple German political parties, a strategic shift in the group's operational focus. The campaign began on February 26 with phishing emails impersonating the Christian Democratic Union (CDU), a major German political party, inviting recipients to a fabricated March 1 dinner event. These German-language emails contained a malicious link to "waterforvoiceless[.]org/invite.php" that directed victims to download a ZIP archive hosting ROOTSAW (also known as EnvyScout), a long-standing APT29 first-stage payload. The compromised website delivered a CDU-themed decoy PDF document alongside the malware package. ROOTSAW then retrieved and executed WINELOADER, a new backdoor variant, from "waterforvoiceless[.]org/util.php". This activity was APT29's first documented targeting of political parties, diverging from its historical pattern of attacking foreign embassies, diplomatic missions, and government entities. Mandiant attributed the shift to the SVR's mandate to gather intelligence on Western political dynamics, particularly Ukraine-related policy debates. The German-language lures and domestic political targeting contrasted with APT29's prior use of English-language baits aimed at international diplomats, as seen in mid-2023 operations against embassies in Ukraine.

Technical analysis showed WINELOADER being deployed by DLL side-loading through the legitimate Microsoft executable SqlDumper.exe (MD5: f32c04ad97fa25752f9488781853f0ea), with compromised infrastructure such as "siestakeying[.]com/auth.php" used for command-and-control (C2) communications. The malware used RC4 decryption, anti-analysis checks on process and DLL names, and bypasses of user-mode hooks in ntdll, techniques consistent with APT29's BURNTBATTER, MUSKYBEAT, and BEATDROP malware families. WINELOADER exfiltrated system reconnaissance data (username, device name, process paths) via HTTP GET requests and supported payload execution through process injection. Zscaler researchers observed the malware configuring persistence via registry run keys, though Mandiant did not recover specific attacker commands. Forensic artifacts included malicious files with spoofed names such as "Invite.pdf" (MD5: fb6323c19d3399ba94ecd391f7e35a9c) and "vcruntime140.dll" (MD5: 8bd528d2b828c9289d9063eba2dc6aa0), and the infrastructure overlapped with a late January 2024 WINELOADER campaign against diplomatic entities in Czechia, India, Italy, Latvia, and Peru.

Mandiant assessed the operation as part of APT29's adaptive strategy of aligning with Russia's geopolitical priorities and warned that targeting is likely to expand to other Western political parties and NGOs. The United Kingdom's National Cyber Security Centre (NCSC) separately highlighted APT29's experimentation with cloud authentication subversion and password spraying in advisories published in February 2024, though those tactics were not observed in the German political party campaign.
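The side-loading chain described above (SqlDumper.exe loading a planted vcruntime140.dll from its own directory, plus the hashes and hosts quoted in the report) can be turned into a hunting check over image-load telemetry. The Python below is an added example, not code from the report or from Mandiant; the event field names, the expected SqlDumper.exe install roots and the sample records are assumptions constructed for illustration.

```python
import ntpath
from typing import Dict, List, Tuple

# Hashes quoted in the description above; SqlDumper.exe itself is legitimate,
# only the DLL and decoy hashes are malicious artefacts.
SIDELOAD_HOST_MD5 = "f32c04ad97fa25752f9488781853f0ea"
MALICIOUS_MD5 = {
    "8bd528d2b828c9289d9063eba2dc6aa0": "vcruntime140.dll (WINELOADER)",
    "fb6323c19d3399ba94ecd391f7e35a9c": "Invite.pdf (decoy)",
}
# Staging/C2 hosts from the report, kept defanged and refanged for comparison.
REPORTED_HOSTS = {h.replace("[.]", ".") for h in ("waterforvoiceless[.]org", "siestakeying[.]com")}
# Assumed install roots where SqlDumper.exe legitimately lives; adjust per estate.
EXPECTED_DIRS = (r"c:\program files\microsoft sql server", r"c:\program files (x86)\microsoft sql server")

def review_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons one image-load event matches the WINELOADER side-load chain."""
    image = ev["image"].replace("/", "\\").lower()
    module = ev["module"].replace("/", "\\").lower()
    img_dir, img_name = ntpath.split(image)
    mod_dir, mod_name = ntpath.split(module)
    reasons = []
    if img_name == "sqldumper.exe" and not image.startswith(EXPECTED_DIRS):
        known = ev.get("image_md5", "").lower() == SIDELOAD_HOST_MD5
        reasons.append(f"SqlDumper.exe outside expected install path (reported host hash: {known})")
    if img_name == "sqldumper.exe" and mod_name == "vcruntime140.dll" and mod_dir == img_dir:
        reasons.append("vcruntime140.dll loaded from SqlDumper.exe's own directory (side-load pattern)")
    for h in (ev.get("image_md5", ""), ev.get("module_md5", "")):
        if h.lower() in MALICIOUS_MD5:
            reasons.append(f"hash match: {MALICIOUS_MD5[h.lower()]}")
    if ev.get("dest_host", "").lower() in REPORTED_HOSTS:
        reasons.append(f"connection to reported infrastructure {ev['dest_host']}")
    return reasons

def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only events with at least one reason, preserving input order."""
    return [(ev["image"], r) for ev in events if (r := review_event(ev))]

SAMPLE_EVENTS = [  # constructed image-load records for illustration, not from the report
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\Invite\SqlDumper.exe",
     "image_md5": "f32c04ad97fa25752f9488781853f0ea",
     "module": r"C:\Users\jdoe\AppData\Local\Temp\Invite\vcruntime140.dll",
     "module_md5": "8bd528d2b828c9289d9063eba2dc6aa0", "dest_host": "siestakeying.com"},
    {"image": r"C:\Program Files\Microsoft SQL Server\150\Shared\SqlDumper.exe",
     "image_md5": "f32c04ad97fa25752f9488781853f0ea", "module": r"C:\Windows\System32\vcruntime140.dll",
     "module_md5": "PLACEHOLDER-legitimate-runtime-md5", "dest_host": ""},  # benign baseline
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The benign baseline record is kept to show that the legitimate SqlDumper.exe in its install directory, loading the system vcruntime140.dll, produces no finding.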
