- Security researchers discovered a new phishing campaign that targeted diplomats in Europe
- The targets are invited to an exclusive wine tasting
- However, the email delivers a new loader called GrapeLoader
Russian scammers use diplomats' love for wine to distribute an ugly new backdoor.
A new report from cybersecurity experts Check Point Research (CPR), which has been tracking the campaign since the beginning of 2025, notes that the notorious state-sponsored threat actor APT29 (alias Cozy Bear, Midnight Blizzard) impersonates a major European foreign ministry and sends phishing emails to other diplomats across the continent.
The emails, which contain an invitation to a wine tasting (or a similar event), distribute two different malware variants: GrapeLoader and an updated version of WineLoader.
Spoofing SharePoint
Older variants of WineLoader are confirmed to come from APT29, which is how CPR concluded that the campaign belongs to the Russian threat actor.
The focus of the report is on GrapeLoader, as it is newer and relatively more dangerous. It acts as an initial-stage loader and is used for fingerprinting, persistence and payload delivery. CPR says it uses advanced stealth methods and anti-analysis techniques and relies on DLL side-loading for execution.
WineLoader, on the other hand, is a modular backdoor used in later stages of the attack. It shares some similarities with GrapeLoader in code structure and obfuscation and comes with improved anti-analysis functions.
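The report only says that GrapeLoader relies on DLL side-loading for execution, so the following hunting heuristic is an added defender-side example and not code from CPR or from the report: it walks a directory tree and flags any executable that sits next to a DLL whose name collides with a DLL Windows would normally load from its system directory, which is the basic shape of a side-loading layout. The DLL names in `SYSTEM_DLL_NAMES` and the sample directory tree are constructed for illustration; on a real host you would populate the name set from a clean reference machine and point the scanner at user-writable locations such as download and temp folders.

```python
"""Hunting heuristic for DLL side-loading layouts.

Added example (not Check Point Research's code). Flags an .exe that shares a
directory with a DLL whose file name collides with a DLL that is normally
resolved from the Windows system directory. The system-DLL list and the
sample tree below are constructed for illustration.
"""
import os
import tempfile
from pathlib import Path

# Constructed set of DLL names that Windows normally resolves from System32.
# In practice, build this set from a clean reference host.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}


def find_sideload_candidates(root, system_dll_names=SYSTEM_DLL_NAMES):
    """Return (exe_path, dll_path) pairs where an .exe sits in the same
    directory as a DLL whose name collides with a system DLL name."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = {f.lower() for f in filenames}
        exes = sorted(f for f in names if f.endswith(".exe"))
        dlls = sorted(f for f in names if f in system_dll_names)
        for exe in exes:
            for dll in dlls:
                hits.append((os.path.join(dirpath, exe), os.path.join(dirpath, dll)))
    return hits


def build_constructed_tree():
    """Create a throwaway tree mimicking an unpacked archive: one directory
    with a side-loading layout and one benign directory (constructed data)."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    suspect = Path(root) / "invitation"
    suspect.mkdir()
    (suspect / "viewer.exe").write_bytes(b"MZ")    # stand-in for a legitimate host binary
    (suspect / "version.dll").write_bytes(b"MZ")   # DLL borrowing a system DLL's name
    benign = Path(root) / "docs"
    benign.mkdir()
    (benign / "notes.exe").write_bytes(b"MZ")
    (benign / "helper.dll").write_bytes(b"MZ")     # unique name, no collision
    return root


def run_demo():
    """Build the constructed tree and scan it; returns the list of hits."""
    return find_sideload_candidates(build_constructed_tree())


if __name__ == "__main__":
    for exe, dll in run_demo():
        print(f"possible side-load layout: {exe} -> {dll}")
```

The heuristic is deliberately coarse: a name collision alone is not proof of side-loading, so in practice you would follow up on each hit by checking whether the co-located DLL is signed and whether its hash matches the copy in the system directory.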
The targets are diplomats located in Europe but not of European origin. Instead, Cozy Bear focuses on embassies of non-European countries located in Europe. CPR did not detail who the targets were or how successful the campaign may have been.
Cozy Bear is believed to be affiliated with Russia's Foreign Intelligence Service (SVR) and is described as one of the most sophisticated and stealthy APT threat actors out there. It is usually tasked with intelligence collection, targeting government agencies (in the US, NATO countries and the EU), think tanks and NGOs, universities, cybersecurity companies and more.
It gained global notoriety after the SolarWinds attack in 2020, which is now regarded as one of the most effective supply chain attacks ever, compromising US federal agencies and large companies.