- Security researchers have spotted a new phishing campaign targeting diplomats in Europe
- The targets are invited to a high-end wine tasting event
- The emails actually distribute a new loader called Grapeloader
Russian threat actors are exploiting diplomats' fondness for wine to distribute a nasty new backdoor.
A new report by cybersecurity experts at Check Point Research (CPR), who have been tracking the campaign since the beginning of 2025, says the notorious state-sponsored threat actor APT29 (aka Cozy Bear, Midnight Blizzard) is impersonating a major European foreign ministry in order to send phishing emails to other diplomats across the continent.
The emails, which contain an invitation to a wine tasting (or a similar event), distribute two distinct malware variants: Grapeloader and an updated version of Wineloader.
SharePoint impersonation
Older variants of Wineloader are confirmed to come from APT29, which is how CPR concluded that this campaign belongs to the Russian threat actor.
The report focuses on Grapeloader because it is newer and comparatively more dangerous. It acts as an initial-stage loader and is used for fingerprinting, persistence and payload delivery. CPR says it uses advanced stealth and anti-analysis techniques, and relies on DLL side-loading for execution.
Wineloader, on the other hand, is a modular backdoor used in the later stages of the attack. It shares certain similarities with Grapeloader in code structure and obfuscation, and it is delivered with improved anti-analysis features.
The targets are diplomats located in Europe, but not of European origin. Instead, Cozy Bear is focusing on the embassies of non-European countries located in Europe. CPR did not detail who the targets were or how successful the campaign was.
Cozy Bear is believed to be affiliated with Russia's Foreign Intelligence Service (SVR) and is described as one of the most sophisticated and stealthy advanced persistent threats. It is generally tasked with intelligence collection, targeting government agencies (in the United States, NATO and EU countries), think tanks and NGOs, universities, cybersecurity companies, and more.
It gained global notoriety after the 2020 SolarWinds attack, which is now regarded as one of the most impactful supply chain attacks ever, compromising US federal agencies and large companies.