European diplomats targeted by Russian phishing campaign promising fancy wine tasting

APT29 is targeting diplomats with a new backdoor, luring them with the promise of fine wine tasting.

Apr 17, 2025 - 14:57

  • Security researchers spotted a new phishing campaign targeting diplomats in Europe
  • The targets are invited to an upmarket wine tasting event
  • However, the emails distribute a new loader called GRAPELOADER

Russian state-backed hackers are using diplomats’ love of wine to distribute a nasty new backdoor.

A new report from Check Point Research (CPR), which has been tracking the campaign since early 2025, says the infamous state-sponsored threat actor APT29 (AKA Cozy Bear, Midnight Blizzard) is impersonating a major European Ministry of Foreign Affairs to send phishing emails to other diplomats across the continent.

The emails, containing an invite to a wine tasting (or a similar event), distribute two distinct malware variants: GRAPELOADER and an updated version of WINELOADER.


Spoofing SharePoint

Older variants of WINELOADER are confirmed to originate from APT29, which is how CPR concluded that the campaign belongs to the Russian threat actor.

The focus of the report is on GRAPELOADER, since it is the newer and more dangerous of the two. It acts as an initial-stage loader, used for fingerprinting the victim machine, establishing persistence, and delivering the next payload. CPR says it employs advanced stealth and anti-analysis techniques, and relies on DLL side-loading (a legitimate, typically signed executable loading a malicious DLL placed beside it) for execution.
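The practical defensive angle on the side-loading technique described above is to hunt for the file layout it depends on: a DLL sitting next to an executable in a user-writable directory, especially a DLL named after a Windows system library so that the executable's normal import resolution picks it up first. The script below is an added illustration written for this article, not CPR's code and not tied to GRAPELOADER's actual file names, which the report summary here does not give. The directory layout it scans and the short list of commonly abused DLL names are constructed assumptions; a real hunt would walk locations such as %APPDATA%, %LOCALAPPDATA% and %TEMP% and extend the name list from your own telemetry.

```python
"""Hunt for DLL side-loading candidates on disk.

Added example (not Check Point's tooling): flags every directory that holds
an executable together with a DLL, and raises the finding's priority when
the DLL reuses the name of a Windows system library.
"""
import os
import tempfile
from pathlib import Path

# Illustrative, deliberately short list of system DLL names that loaders
# commonly masquerade as. Treat this as a starting point, not a complete set.
SUSPICIOUS_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll",
    "cryptbase.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}

COLLISION = "name collides with a system DLL"
COLOCATED = "DLL colocated with an executable"


def find_sideload_candidates(root):
    """Return (exe_path, dll_path, reason) tuples for every exe/DLL pair
    found in the same directory anywhere under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        if not exes or not dlls:
            continue  # nothing here that a side-load could use
        for dll in dlls:
            reason = COLLISION if dll.lower() in SUSPICIOUS_DLL_NAMES else COLOCATED
            for exe in exes:
                findings.append((os.path.join(dirpath, exe),
                                 os.path.join(dirpath, dll), reason))
    return findings


def build_sample_tree(root):
    """Create a constructed directory layout for the demonstration.
    File contents are stand-ins (two-byte 'MZ' markers), not real binaries."""
    root = Path(root)
    staged = root / "AppData" / "Local" / "Updater"   # assumed staging dir
    staged.mkdir(parents=True)
    (staged / "updater.exe").write_bytes(b"MZ")        # stand-in signed host exe
    (staged / "version.dll").write_bytes(b"MZ")        # stand-in malicious DLL
    docs = root / "Documents"
    docs.mkdir()
    (docs / "invitation.pdf").write_bytes(b"%PDF")     # benign lure document
    tool = root / "tool"
    tool.mkdir()
    (tool / "tool.exe").write_bytes(b"MZ")             # legitimate-looking pair,
    (tool / "helper.dll").write_bytes(b"MZ")           # still worth a look
    return root


def demo():
    """Build the sample tree in a temp dir, scan it, and return findings with
    paths relative to the tree root, sorted for deterministic output."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        results = [
            (os.path.relpath(exe, tmp), os.path.relpath(dll, tmp), reason)
            for exe, dll, reason in find_sideload_candidates(tmp)
        ]
    return sorted(results)


if __name__ == "__main__":
    for exe, dll, reason in demo():
        print(f"[{reason}] {exe} would resolve {dll} from its own directory")
```

Run it as-is to see the two findings from the constructed tree; point `find_sideload_candidates` at a real profile directory to use it as a hunt. The system-name collision is the high-signal case: a legitimate executable almost never ships its own `version.dll`, so that pairing deserves a hash lookup and a signature check before anything else.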

WINELOADER, on the other hand, is a modular backdoor used in later stages of the attack. It shares some similarities with GRAPELOADER in code structure and obfuscation, and comes with improved anti-analysis features.

The targets are diplomats based in Europe, but not European ones: Cozy Bear is focusing on the embassies of non-European countries located in Europe. CPR did not say who the specific targets were, or how successful the campaign has been.

Cozy Bear is believed to be affiliated with Russia’s Foreign Intelligence Service (SVR) and is described as one of the most sophisticated and stealthy APT threat actors out there. It is usually tasked with intelligence gathering, targeting government agencies (in the US, NATO countries, and the EU), think tanks and NGOs, universities, cybersecurity companies, and more.

It gained global notoriety after the 2020 SolarWinds attack, which is now perceived as one of the most impactful supply-chain attacks ever, compromising US federal agencies and major corporations.
