From helpnetsecurity.com
APT29 (aka Cozy Bear, aka Midnight Blizzard) has been spotted targeting German political parties for the first time, Mandiant researchers have shared.
Phishing leading to malware
The attack started in late February 2024, with phishing emails containing bogus invitations to a dinner reception, ostensibly sent by the Christian Democratic Union (CDU), a major political party in Germany.
Recipients were urged to follow a link to discover “all the necessary information about the event as well as the form for participation” and were led to a compromised WordPress website hosting Cozy Bear’s “mainstay first-stage payload”: ROOTSAW.
“ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload retrieved from ‘waterforvoiceless[.]org/util.php’,” the researchers noted.