European diplomats targeted by SPIKEDWINE with WINELOADER

Zscaler’s ThreatLabz discovered a low-volume, targeted campaign using malicious PDF invitations that lead to a multi-stage infection chain installing a previously undocumented backdoor named WINELOADER. The actor, tracked as SPIKEDWINE, used compromised websites, DLL side‑loading, DLL hollowing, RC4 encryption for C2 traffic, and scheduled-task or registry persistence. #WINELOADER #SPIKEDWINE

Keypoints

  • Targeted spear‑phishing: PDFs impersonating the Indian Ambassador contained links that redirected victims to compromised sites hosting a ZIP with wine.hta.
  • Initial downloader: The HTA used obfuscated JavaScript (patterns matching obfuscator.io) to fetch a Base64 ZIP via cert.php, decode it with certutil, and extract payloads via tar.
  • DLL side‑loading: The ZIP dropped sqlwriter.exe (signed Microsoft binary) and a malicious vcruntime140.dll, which is side‑loaded when sqlwriter.exe runs.
  • Modular backdoor: vcruntime140.dll decrypts an embedded WINELOADER core module with a hardcoded 256‑byte RC4 key; subsequent modules are RC4‑encrypted and fetched from C2.
  • Evasion techniques: WINELOADER decrypts strings on use, re‑encrypts them, zeroes memory buffers, and injects via DLL hollowing into randomized system DLLs to avoid detection.
  • C2 protocol: Beacons are unusual HTTP GETs with encrypted bodies (RC4), randomized padding, a fixed User‑Agent, and a 120,000 ms default polling interval; C2 responds with encrypted commands and modules.
  • Persistence: A persistence module copies artifacts to C:\Windows\Tasks and creates a scheduled task named “MS SQL Writer” (and can set a Run registry key) to maintain execution.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The PDF contained a malicious link used to initiate the chain (‘The PDF file that masquerades as an invitation contains a malicious link.’)
  • [T1656] Impersonation – The PDF impersonated the Ambassador of India to increase credibility (‘The contents of the PDF are crafted to impersonate the Ambassador of India.’)
  • [T1204.001] User Execution: Malicious Link – The PDF’s link led to a download of a malicious ZIP archive (‘The PDF file contains a link that leads to the download of a malicious ZIP archive.’)
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – sqlwriter.exe was used to side‑load the malicious vcruntime140.dll (‘sqlwriter.exe is used to DLL side‑load vcruntime140.dll.’)
  • [T1055.001] Process Injection: Dynamic-link Library Injection – DLL hollowing is used to load and execute WINELOADER inside randomly selected system DLLs (‘DLL hollowing is used to load a randomly chosen system DLL into sqlwriter.exe process memory and inject WINELOADER in that DLL.’)
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – WINELOADER uses RC4 to encrypt communications and payloads (‘RC4 stream cipher is used to encrypt the data exchanged between WINELOADER and the C2 server.’)
  • [T1041] Exfiltration Over C2 Channel – Data (user/system info and messages) is sent encrypted to the C2 server (‘Data is encrypted and exfiltrated to the C2 server.’)
  • [T1584] Compromise Infrastructure – Compromised websites were used to host payloads and C2 endpoints (‘Compromised sites are used for hosting payloads and as a C2 server.’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – A scheduled task named “MS SQL Writer” is created for persistence (‘A scheduled task with the name “MS SQL Writer” is created to ensure sqlwriter.exe is executed…’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Registry Run key used as alternate persistence (‘WINELOADER can be configured to execute on Windows startup by setting the registry key at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer.’)
  • [T1140] Deobfuscate/Decode Files or Information – RC4 is used to encrypt modules and strings which are decrypted at runtime (‘WINELOADER strings and modules are encrypted with RC4. Sensitive data is often re‑encrypted or zeroed out after use.’)
  • [T1036.001] Masquerading: Invalid Code Signature – vcruntime140.dll has an invalid Microsoft code signing certificate (‘vcruntime140.dll has an invalid Microsoft code signing certificate.’)
  • [T1036.004] Masquerading: Masquerade Task or Service – The scheduled task masquerades as a legitimate MS scheduled task (‘The scheduled task created for persistence masquerades as a legitimate Microsoft scheduled task.’)
  • [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – API names are decrypted and resolved at runtime (‘API names are decrypted before they are dynamically resolved and called.’)
  • [T1027.009] Obfuscated Files or Information: Embedded Payloads – Modules are embedded and RC4‑encrypted inside the DLL and C2 responses (‘WINELOADER modules are encrypted with RC4 within vcruntime140.dll and C2 responses.’)
  • [T1218.005] System Binary Proxy Execution: Mshta – mshta.exe executes wine.hta which contains the downloader JS (‘mshta.exe executes wine.hta, which contains malicious JS downloader code.’)
  • [T1033] System Owner/User Discovery – C2 beacons include user and machine names (‘WINELOADER sends the current user and system name in each C2 request.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 uses HTTP(S) with atypical GET requests containing bodies (‘WINELOADER communicates with its C2 via HTTPS. HTTP GET requests contain a request body that is atypical of such requests.’)
  • [T1001.001] Data Obfuscation: Junk Data – Randomized junk padding is prepended to request data before encryption (‘WINELOADER prepends a randomized number of junk bytes to the request data before encrypting and sending it to the C2.’)

Indicators of Compromise

  • [File Hash] WINELOADER and related payloads – 72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4 (vcruntime140.dll), e477f52a5f67830d81cf417434991fe088bfec21984514a5ee22c1bcffe1f2bc (core module), and 7 more hashes
  • [URL/Domain] Staging and C2 hosts – hxxps://seeceafcleaners[.]co[.]uk/wine.php (downloads ZIP with wine.hta), hxxps://castechtools[.]com/api.php (WINELOADER C2)
  • [File Name] Dropped/installed artefacts – wine.hta (initial downloader), sqlwriter.exe (signed binary used for DLL side‑loading), vcruntime140.dll (malicious DLL)

WINELOADER infection begins when a crafted PDF redirects the victim to a compromised site (e.g., seeceafcleaners[.]co[.]uk/wine.php) that serves a ZIP containing wine.hta. The HTA runs under mshta.exe and executes obfuscated JavaScript (obfuscator.io patterns) which downloads a Base64 text blob from cert.php, writes it to C:\Windows\Tasks\text.txt, decodes it with certutil (certutil -decode C:\Windows\Tasks\text.txt C:\Windows\Tasks\text.zip), and extracts sqlwriter.exe and vcruntime140.dll into C:\Windows\Tasks using tar -xf. sqlwriter.exe, a legitimately signed Microsoft executable that the actor selected as the side-loading host, is then executed so that it loads the malicious vcruntime140.dll placed beside it.
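The delivery chain above is visible almost entirely in process-creation telemetry. The following is an added example (not from the Zscaler write-up) of hunt logic that encodes each step as a rule and then ties the hits together by process ancestry back to mshta.exe, run over constructed records shaped like Sysmon Event ID 1 fields; the sample events, the command-line shapes and the rule names are assumptions made for the illustration, not observed artifacts.

```python
# Added example, not code from the Zscaler write-up or the malware.
# Hunt for the WINELOADER delivery chain in process-creation events and
# correlate hits by ancestry.  Sample events below are constructed.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


TASKS_DIR = r"c:\windows\tasks"

# Constructed sample telemetry: one infection chain plus a benign certutil use.
SAMPLE_EVENTS = [
    ProcEvent(100, 10, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\victim\Downloads\wine.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\Windows\Tasks\text.txt C:\Windows\Tasks\text.zip"),
    ProcEvent(400, 200, r"C:\Windows\System32\tar.exe",
              r"tar -xf C:\Windows\Tasks\text.zip -C C:\Windows\Tasks"),
    ProcEvent(500, 200, r"C:\Windows\Tasks\sqlwriter.exe", r"C:\Windows\Tasks\sqlwriter.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "MS SQL Writer" /tr C:\Windows\Tasks\sqlwriter.exe /sc daily'),
    ProcEvent(700, 100, r"C:\Windows\System32\certutil.exe",
              "certutil -hashfile report.pdf SHA256"),   # benign, must not fire
]

# One predicate per step of the chain; matching is case-insensitive.
RULES = {
    "mshta_user_hta": lambda e: e.image.lower().endswith(r"\mshta.exe")
        and re.search(r"\\(users|temp)\\.*\.hta", e.cmdline, re.I) is not None,
    "certutil_decode": lambda e: e.image.lower().endswith(r"\certutil.exe")
        and re.search(r"(^|\s)-decode(\s|$)", e.cmdline, re.I) is not None,
    "tar_into_tasks_dir": lambda e: e.image.lower().endswith(r"\tar.exe")
        and TASKS_DIR in e.cmdline.lower(),
    "exec_from_tasks_dir": lambda e: e.image.lower().startswith(TASKS_DIR + "\\"),
    "mssql_writer_task": lambda e: e.image.lower().endswith(r"\schtasks.exe")
        and "ms sql writer" in e.cmdline.lower(),
}


def ancestors(by_pid, pid):
    """Yield parent pids, walking up until the chain leaves the telemetry."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
        yield pid


def hunt(events):
    """Return every rule hit and, per mshta.exe process, the flagged
    descendants that chain back to it (the strongest signal here)."""
    by_pid = {e.pid: e for e in events}
    indicators = [(name, e.pid) for e in events
                  for name, pred in RULES.items() if pred(e)]
    mshta_pids = {pid for name, pid in indicators if name == "mshta_user_hta"}
    chains = {}
    for name, pid in indicators:
        for anc in ancestors(by_pid, pid):
            if anc in mshta_pids:
                chains.setdefault(anc, set()).add(pid)
                break
    return {"indicators": indicators,
            "chains": {k: sorted(v) for k, v in chains.items()}}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for name, pid in result["indicators"]:
        print(f"{name:22s} pid={pid}")
    print("chains rooted at mshta.exe:", result["chains"])
```

Two caveats for real deployments: the write-up does not say how the task is created, so the task-name rule should also be run against Task Scheduler operational or Security 4698 events in case the module uses the scheduler API rather than spawning schtasks.exe, and the Run-key variant (HKCU\...\Run\MS SQL Writer) needs a registry-event rule that this process-only example does not include.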

vcruntime140.dll exports set_se_translator, which decrypts an embedded WINELOADER core module using a hardcoded 256‑byte RC4 key. The core parses a data structure containing configuration (C2 polling interval), an RC4 key, encrypted strings, and module code. WINELOADER decrypts strings on demand, re‑encrypts or zeroes memory buffers after use, and employs DLL hollowing to inject into randomized Windows system DLLs (skipping critical DLLs that export functions the malware relies on). All module payloads and C2 messages are RC4‑encrypted in transit: data is encrypted before it is sent and decrypted only after it is received.

C2 communication uses HTTPS with atypical HTTP GET requests that carry an encrypted body and randomized padding; messages include fields such as campaign ID, session ID, local IP, parent process name, user and machine name, parent PID, elevation type, polling interval (120,000 ms observed), request type, and module ID. The core supports commands to execute modules, re‑inject into another DLL, and update the sleep interval. A persistence module copies artifacts to C:\Windows\Tasks and creates a scheduled task “MS SQL Writer” (and can add a Run registry key) to ensure sqlwriter.exe executes daily and notifies C2 via a structured, encrypted POST mirroring the beacon format.
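To make the C2 encoding concrete, here is an added example (not Zscaler's code and not the malware's) that models both sides of the exchange: the implant prepends a random run of junk bytes to the beacon fields and RC4‑encrypts the result under a static key, the server decrypts and strips the junk, and the reply carrying the "update sleep interval" command comes back under the same key. The RC4 routine is the standard cipher; the JSON field layout, the one‑byte junk‑length prefix and the 256‑byte key are assumptions made so the exchange can be run end to end offline (the write-up does not give the wire format).

```python
# Added example, not code from the Zscaler write-up or the malware.
# Toy model of RC4-encrypted beacons with randomized junk padding.
import json
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling (KSA), then keystream XOR (PRGA).
    Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical 256-byte key standing in for the sample's hardcoded key.
DEMO_KEY = bytes(range(256))

# Constructed beacon content following the field list in the write-up.
SAMPLE_BEACON = {
    "campaign_id": "demo", "session_id": "0001", "local_ip": "10.0.0.5",
    "parent_process": "sqlwriter.exe", "user": "victim", "host": "WS01",
    "parent_pid": 4242, "elevation": "medium", "poll_ms": 120000,
    "request_type": "beacon", "module_id": 0,
}


def serialize(fields: dict) -> bytes:
    return json.dumps(fields, separators=(",", ":"), sort_keys=True).encode()


def frame_request(key: bytes, fields: dict, junk_len=None) -> bytes:
    """Implant side: prepend a random number of junk bytes, then RC4-encrypt.
    The one-byte length prefix is an assumed framing that lets the receiver
    strip the junk; pass junk_len explicitly for a deterministic length."""
    if junk_len is None:
        junk_len = os.urandom(1)[0] % 64
    plaintext = bytes([junk_len]) + os.urandom(junk_len) + serialize(fields)
    return rc4(key, plaintext)


def parse_request(key: bytes, body: bytes) -> dict:
    """Server side (or an analyst holding the recovered key): decrypt, drop junk."""
    plain = rc4(key, body)
    junk_len = plain[0]
    return json.loads(plain[1 + junk_len:])


def frame_response(key: bytes, command: dict) -> bytes:
    """C2 side: commands travel back RC4-encrypted under the same key."""
    return rc4(key, serialize(command))


def handle_response(key: bytes, body: bytes, state: dict) -> dict:
    """Implant side: decrypt the reply and apply the sleep-interval update
    command the core module supports; returns the new beacon state."""
    command = json.loads(rc4(key, body))
    if command.get("cmd") == "sleep":
        state = dict(state, poll_ms=int(command["ms"]))
    return state


if __name__ == "__main__":
    body = frame_request(DEMO_KEY, SAMPLE_BEACON)
    print("GET body bytes:", len(body), "->", parse_request(DEMO_KEY, body))
    reply = frame_response(DEMO_KEY, {"cmd": "sleep", "ms": 60000})
    print("poll_ms after command:", handle_response(DEMO_KEY, reply, SAMPLE_BEACON)["poll_ms"])
```

The design shows why this scheme is an evasion measure rather than real confidentiality: the junk changes the ciphertext length and shifts where the structured data sits, which defeats fixed-length and fixed-offset network signatures, but a stream cipher under one static key emits the same keystream for every message, so once the 256‑byte key is pulled from vcruntime140.dll every captured beacon and response decrypts with the same two calls used above.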

Read more: https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader