สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency

Report

Home > List all groups > List all tools > List all groups using tool WINELOADER

Threat Group Cards: A Threat Actor Encyclopedia

Tool: WINELOADER

Names	WINELOADER
Category	Malware
Type	Backdoor
Description	(Mandiant) WINELOADER is likely a variant of the non-public historic BURNTBATTER and MUSKYBEAT code families which Mandiant uniquely associates with APT29. It shares a similar design and pattern, specifically around the invocation of the malware and the anti-analysis techniques used. However, the code family itself is considerably more customized than the previous variants, as it no longer uses publicly available loaders like DONUT or DAVESHELL and implements a unique C2 mechanism.
Information	<https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties> <https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader>
Malpedia	<https://malpedia.caad.fkie.fraunhofer.de/details/win.wineloader>

Last change to this tool card: 27 December 2024

Download this tool card in JSON format

Previous: WindTail
Next: WINERACK

All groups using tool WINELOADER

Changed	Name	Country	Observed
APT groups
	APT 29, Cozy Bear, The Dukes		2008-Oct 2024

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Report incidents

+66 (0)2-123-1227

[email protected]