- Security researchers spotted a new phishing campaign targeting diplomats in Europe
- The targets are invited to an upmarket wine tasting event
- However the emails distribute a new loader called GRAPELOADER
Russian scammers are using diplomats’ love for wine to distribute a nasty new backdoor.
A new report from cybersecurity experts Check Point Research (CPR), who have been tracking the campaign since early 2025, noted infamous state-sponsored threat actor APT29 (AKA Cozy Bear, Midnight Blizzard) is impersonating a major European Ministry of Foreign Affairs as it sends out phishing emails to other diplomats across the continent.
The emails, containing an invite to a wine tasting (or a similar event), distribute two distinct malware variants: GRAPELOADER and an updated version of WINELOADER.
Spoofing SharePoint
Older variants of WINELOADER are confirmed to originate from APT29, which is how CPR concluded that the campaign belongs to the Russian threat actor.
The focus of the report is on GRAPELOADER, since it’s newer and relatively more dangerous. It acts as an initial-stage loader, and is used for fingerprinting, persistence, and payload delivery. CPR says it employs advanced stealth methods and anti-analysis techniques, and exploits DLL side-loading vulnerabilities for execution.
WINELOADER, on the other hand, is a modular backdoor used in later stages of the attack. It shares some similarities with GRAPELOADER in code structure and obfuscation, and comes with improved anti-analysis features.
The targets are diplomats, located in Europe, but not European in origin. Instead, Cozy Bear focuses on embassies of non-European countries, located in Europe. CPR did not detail who the targets were, and how successful the campaign might have been.
Cozy Bear is believed to be affiliated with Russia’s Foreign Intelligence Service (SVR) and is described as one of the most sophisticated and stealthy APT threat actors out there. It is usually tasked with intelligence gathering, targeting government agencies (in the US, NATO countries, and the EU), think tanks and NGOS, universities, cybersecurity companies, and more.
It gained global notoriety after the 2020 SolarWinds attack, which is now perceived as one of the most impactful supply-chain attacks ever, compromising US federal agencies and major corporations.
Leave a comment