- Security researchers have spotted a new phishing campaign aimed at diplomats in Europe
- The targets are invited to a luxury wine-tasting event
- The emails actually deliver a new loader called GrapeLoader
Russian attackers are using diplomats' love of wine to distribute a nasty new backdoor.
A new report from cybersecurity experts Check Point Research (CPR), who have been tracking the campaign since early 2025, says the infamous state-sponsored threat actor APT29 (also known as Cozy Bear or Midnight Blizzard) is impersonating a major European foreign ministry and sending phishing emails to other diplomats across the continent.
The emails, which contain an invitation to a wine tasting (or a similar event), deliver two different malware variants: GrapeLoader and an updated version of WineLoader.
SPOOFING SHAREPOINT
Older WineLoader variants have been confirmed to originate from APT29, which is how CPR concluded that this campaign belongs to the Russian threat actor.
The report focuses on GrapeLoader, since it is newer and relatively more dangerous. It acts as an initial-stage loader and is used for fingerprinting, persistence, and payload delivery. CPR says it uses advanced stealth and anti-analysis techniques, and exploits DLL side-loading for execution.
WineLoader, on the other hand, is a modular backdoor used in later stages of the attack. It shares some similarities with GrapeLoader in code structure and obfuscation, and comes with improved anti-analysis features.
The targets are diplomats located in Europe but not of European origin. Instead, Cozy Bear focuses on embassies of non-European countries located in Europe. CPR did not detail who the targets were or how successful the campaign may have been.
Cozy Bear is believed to be affiliated with Russia's Foreign Intelligence Service (SVR) and is described as one of the most sophisticated and stealthy threat actors. It is generally tasked with collecting intelligence, targeting government agencies (in the United States, NATO countries, and the EU), think tanks and NGOs, universities, cybersecurity companies, and more.
It gained global notoriety after the 2020 SolarWinds attack, now regarded as one of the most impactful supply chain attacks, which compromised federal agencies and major US corporations.