25 March 2024

Russian hackers target German politicians with new Wineloader backdoor


German political parties have been targeted in a recent attack by a threat actor associated with Russia’s Foreign Intelligence Service (SVR), a new report from Google-owned Mandiant reveals.

Tracked as APT29, Cozy Bear, or Midnight Blizzard, the threat actor is primarily known for its phishing attacks against governments, foreign embassies, and other diplomatic missions, and this is the first time the group has been observed targeting political parties, Mandiant noted.

The phishing campaign, observed in late February, leveraged German-language lure content (also a new tactic in APT29’s modus operandi) and its well-known first-stage payload Rootsaw (aka EnvyScout) used to deliver a new backdoor variant called ‘Wineloader.’

The attack involved phishing emails containing bogus invitations to a dinner reception, ostensibly sent by the Christian Democratic Union (CDU), a major political party in Germany. The email contained a link leading to a malicious ZIP file with the Rootsaw dropper hosted on an actor-controlled compromised website. The dropper, in turn, downloaded a second-stage CDU-themed lure document and a next-stage Wineloader payload from the compromised site.

First spotted in late January 2024 in an operation targeting likely diplomatic entities in Czechia, Germany, India, Italy, Latvia, and Peru, the Wineloader backdoor implements functionality that overlaps with several known APT29 malware families, including Burnbatter, Muskybeat and Beatdrop.

“It shares a similar design and pattern, specifically around the invocation of the malware and the anti-analysis techniques used. However, the code family itself is considerably more customized than the previous variants, as it no longer uses publicly available loaders like Donut or Daveshell and implements a unique C2 mechanism,” Mandiant noted.
