The Russia-linked threat actor APT29 is behind a new wave of phishing attacks targeting European diplomats, using enticing wine-themed invitations as a lure to deploy newly developed backdoor malware.
According to Check Point Research, the campaign marks a continuation of last year’s WineLoader phishing operation, which used fake wine-tasting invitations to spread malware. However, the current attacks differ in two critical ways: the scope of targets and the malware deployed.
This time, APT29—also known as Midnight Blizzard, Nobelium, and Cozy Bear—is impersonating the Ministry of Foreign Affairs to target various European diplomatic institutions, including embassies of non-European countries. In contrast, last year’s WineLoader campaign focused more narrowly on European Union (EU) officials and Indian diplomatic missions.
Instead of the previously used WineLoader malware, the new campaign introduces GrapeLoader—a stealthy backdoor. Researchers also observed an updated version of WineLoader used later in the attack sequence.
WineLoader 2.0 and GrapeLoader Campaign
The latest campaign was first detected in January 2025, about a year after the original WineLoader attacks. The phishing emails were sent from two domains, each themed around wine-tasting events and containing a malicious link. When clicked, the link downloaded a ZIP file called wine.zip, which included:
- wine.exe: a legitimate PowerPoint executable abused via DLL side-loading
- AppvIsvSubsystems64.dll: a required dependency of the PowerPoint executable
- ppcore.dll: an obfuscated DLL that acts as the GrapeLoader backdoor
This DLL delivers the GrapeLoader payload and possibly reintroduces WineLoader in subsequent stages. Some emails also redirected users to the genuine Ministry of Foreign Affairs website to appear authentic.
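As an added illustration (not Check Point's tooling and not code from the campaign), the following Python triage function flags an archive that ships an executable beside DLLs in the same folder, the layout a side-loading drop like wine.zip requires. The archive built here is a constructed stand-in that only borrows the reported file names; its contents are dummy bytes, and the heuristic itself is an assumption, not a published detection rule.

```python
import io
import zipfile
from dataclasses import dataclass, field
from pathlib import PurePosixPath

EXEC_EXT = {".exe", ".scr", ".com"}


@dataclass
class ArchiveVerdict:
    suspicious: bool
    executables: list = field(default_factory=list)
    dlls: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def triage_archive(data: bytes) -> ArchiveVerdict:
    """Flag an archive whose layout matches a DLL side-loading drop (hypothetical heuristic)."""
    verdict = ArchiveVerdict(suspicious=False)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            head = zf.open(info).read(2)  # Windows PE images start with the "MZ" signature
            if ext in EXEC_EXT:
                verdict.executables.append(info.filename)
            elif ext == ".dll":
                verdict.dlls.append(info.filename)
            elif head == b"MZ":  # PE image hiding behind a non-executable extension
                verdict.suspicious = True
                verdict.reasons.append(f"{info.filename} is a PE file with a misleading extension")
    # The side-loading shape: an executable with DLLs dropped into the same directory,
    # so the loader resolves them before the copies under the system path.
    exe_dirs = {str(PurePosixPath(e).parent) for e in verdict.executables}
    co_located = [d for d in verdict.dlls if str(PurePosixPath(d).parent) in exe_dirs]
    if co_located:
        verdict.suspicious = True
        verdict.reasons.append(f"{verdict.executables} shipped with co-located DLLs {co_located}")
    return verdict


def build_sample(entries: dict) -> bytes:
    """Build a constructed in-memory ZIP for testing (not the real wine.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in using the reported names; the bytes are dummy PE headers.
WINE_ZIP = build_sample({"wine.exe": b"MZ" + b"\0" * 62,
                         "AppvIsvSubsystems64.dll": b"MZ" + b"\0" * 62,
                         "ppcore.dll": b"MZ" + b"\0" * 62})
BENIGN_ZIP = build_sample({"invitation.pdf": b"%PDF-1.7 dummy", "menu.txt": b"wine list"})
```

A mail gateway or sandbox pre-filter can run this on every archive fetched from a link in an invitation email and route hits to detonation rather than to the user.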
Check Point highlights the evolving sophistication of APT29’s tactics, especially in mimicking trusted institutions to deliver advanced malware payloads.
GrapeLoader’s Capabilities and APT29 Tactics
APT29 is known for high-profile campaigns, including the SolarWinds supply-chain breach. The group frequently blends custom and off-the-shelf malware in its operations targeting governments, think tanks, and diplomatic entities.
GrapeLoader ensures persistence by modifying the Windows Registry’s Run key, allowing the malware to execute at every system reboot. Once active, it collects basic system data (e.g., hostname and username) and sends it to a command and control (C2) server, awaiting further instructions or shellcode.
The C2 infrastructure is heavily protected—configured to resist scans and sandbox analysis. Activation of the payload is likely restricted to specific timeframes or geolocations, limiting exposure to security researchers.
Strengthening Defenses Against APT Threats
Given APT29’s reputation for advanced persistent threats, Check Point urges heightened vigilance among potential targets. This includes running threat emulation tools, endpoint protection, and behavioral analysis systems that can detect sophisticated threats and unknown malware variants.
Experts also emphasize that users should treat unsolicited event invitations with caution—especially those requesting link clicks or file downloads. Suspicious emails should be carefully inspected or deleted outright to avoid falling prey to phishing campaigns.