European diplomats targeted by Russian phishing campaign promising fancy wine tasting

LovabledanielsApril 17, 202573 Views

Security researchers spotted a new phishing campaign targeting diplomats in Europe
The targets are invited to an upmarket wine tasting event
However the emails distribute a new loader called GRAPELOADER

Russian scammers are using diplomats’ love for wine to distribute a nasty new backdoor.

A new report from cybersecurity experts Check Point Research (CPR), who have been tracking the campaign since early 2025, noted infamous state-sponsored threat actor APT29 (AKA Cozy Bear, Midnight Blizzard) is impersonating a major European Ministry of Foreign Affairs as it sends out phishing emails to other diplomats across the continent.

The emails, containing an invite to a wine tasting (or a similar event), distribute two distinct malware variants: GRAPELOADER and an updated version of WINELOADER.

Spoofing SharePoint

Older variants of WINELOADER are confirmed to originate from APT29, which is how CPR concluded that the campaign belongs to the Russian threat actor.

The focus of the report is on GRAPELOADER, since it’s newer and relatively more dangerous. It acts as an initial-stage loader, and is used for fingerprinting, persistence, and payload delivery. CPR says it employs advanced stealth methods and anti-analysis techniques, and exploits DLL side-loading vulnerabilities for execution.

WINELOADER, on the other hand, is a modular backdoor used in later stages of the attack. It shares some similarities with GRAPELOADER in code structure and obfuscation, and comes with improved anti-analysis features.

The targets are diplomats, located in Europe, but not European in origin. Instead, Cozy Bear focuses on embassies of non-European countries, located in Europe. CPR did not detail who the targets were, and how successful the campaign might have been.

Cozy Bear is believed to be affiliated with Russia’s Foreign Intelligence Service (SVR) and is described as one of the most sophisticated and stealthy APT threat actors out there. It is usually tasked with intelligence gathering, targeting government agencies (in the US, NATO countries, and the EU), think tanks and NGOS, universities, cybersecurity companies, and more.

It gained global notoriety after the 2020 SolarWinds attack, which is now perceived as one of the most impactful supply-chain attacks ever, compromising US federal agencies and major corporations.

Weekly update

How water vapor is powering the next generation of soft robots

What the Christians of the Holy Land expect from Pope Leo XIV | Israel-Palestine conflict

Pope Leo XIV ‘deeply saddened’ by Gaza, calls for aid and a ceasefire

Weekly Newsletter

European diplomats targeted by Russian phishing campaign promising fancy wine tasting

Leave a comment

Leave a Reply Cancel reply

Explore more

What the Christians of the Holy Land expect from Pope Leo XIV | Israel-Palestine conflict

Pope Leo XIV ‘deeply saddened’ by Gaza, calls for aid and a ceasefire

Iran says nuclear enrichment ‘non-negotiable’ before US talks in Oman | Nuclear Energy News

Trump offers to work with India, Pakistan on Kashmir ‘solution’ | India-Pakistan Tensions News

Scientists say this bismuth-powered chip is 40% faster than Intel’s best – are silicon processors officially finished?

Google is rolling out its Gemini AI chatbot to kids under 13. It’s a risky move

Facebook users are being tricked into downloading malware via fake crypto sites and celebrity-endorsed promotions

This tiny foldable keyboard hides a powerful Windows 11 desktop inside

Get to Know Us

Let's keep in touch