Researchers at Zscaler observed a cyberespionage campaign that targeted European diplomats with malicious PDFs disguised as invitations to a wine-tasting party hosted by the Ambassador of India.
“Zscaler's ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024,” the researchers write.
“This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain. Further threat hunting led us to the discovery of another similar PDF file uploaded to VirusTotal from Latvia in July 2023.”
The PDF files asks recipients to fill out a questionnaire in order to receive an invitation to the event. If the user clicks on the link to the phony questionnaire, they’ll be taken to a website that will install a malicious HTA file.
“The contents are well-crafted to impersonate the Ambassador of India,” the researchers write. “The invitation contains a link to a fake questionnaire, which kickstarts the infection chain. The malicious link in the PDF invitation redirects users to a compromised site, hxxps://seeceafcleaners[.]co[.]uk/wine.php, that proceeds to download a ZIP archive containing an HTA file - wine.hta.”
Zscaler believes a state-sponsored threat actor is behind the campaign and is targeting specific individuals.
“We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack,” the researchers write. “The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command and control (C2) infrastructure. While we have not yet attributed this attack to any known APT group, we have named this threat actor SPIKEDWINE based on the wine-related theme and filenames used in different stages of the attack chain, and our investigation into the case is ongoing.”
New-school security awareness training can give your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Zscaler has the story.
Here's how it works:
