APT29, a Russia-linked threat actor also known as Cozy Bear or Midnight Blizzard, has resumed a targeted phishing campaign against European diplomats, this time leveraging fake invitations to wine-tasting events to deliver malware. The campaign, first identified in early 2024, continues to evolve in technique and persistence.
APT29, the advanced persistent threat group believed to be operating under Russia’s Foreign Intelligence Service (SVR), is once again targeting European diplomatic entities using socially engineered phishing emails disguised as invitations to exclusive diplomatic events.
According to cybersecurity researchers at Check Point, the latest wave of attacks involves malicious emails that impersonate reputable venues and foreign affairs ministries, offering invitations to fabricated wine-tasting events. The true aim of the campaign is to lure recipients into downloading a malicious archive file designed to infect their systems with a backdoor.
Evolution of the Lure
The campaign echoes earlier efforts uncovered in early 2024, when Zscaler flagged a similar operation. At that time, the attackers distributed a PDF invitation—allegedly from the Indian Ambassador—inviting diplomats to a fictitious wine-tasting event. Concurrently, German political parties were targeted with dinner reception invitations fraudulently attributed to the Christian Democratic Union (CDU).
The reappearance of these tactics suggests their effectiveness. “These types of lures are obviously working well enough,” Check Point researchers noted, as Cozy Bear continues to use diplomatic social events as pretexts for malware delivery.
Malware Delivery: From GRAPELOADER to WINELOADER
The latest phishing emails contain links that lead to the download of an archive file named wine.zip. The archive contains several Dynamic Link Library (DLL) files, among them a loader now tracked as GRAPELOADER. This new loader appears to have replaced ROOTSAW, the HTA-based downloader previously seen in Cozy Bear's arsenal.
Once executed, GRAPELOADER initiates delivery of a new variant of the WINELOADER modular backdoor. A sample of that variant, uploaded to VirusTotal around the time GRAPELOADER was first seen, shares similar PE header fields and closely matching compilation timestamps with the GRAPELOADER DLL from the archive (AppvIsvSubsystems64.dll), supporting the conclusion that the two are part of the same attack chain.
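The kind of header comparison the researchers describe can be reproduced with a few lines of standard-library Python. The block below is an added example and is not code from the article or from Check Point's report; the PE images it compares are synthetic stubs produced by build_pe_stub(), and the timestamps, linker versions and the 24-hour matching window are constructed values chosen for illustration, not figures from the real samples.

```python
# Added example (not from Check Point's report or the article): clustering two
# PE samples by the COFF and Optional header fields analysts compare when
# linking a loader to its payload. Uses only the standard library; the images
# below are synthetic stubs, and every timestamp/version is a constructed value.
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B


def build_pe_stub(timestamp, machine=IMAGE_FILE_MACHINE_AMD64,
                  linker=(14, 29), characteristics=0x2022):
    """Build a minimal synthetic PE32+ image: DOS header, PE signature, COFF
    file header and an Optional header with only the fields we parse filled in.
    This is constructed test input, not a real sample."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    dos += struct.pack("<I", e_lfanew)          # e_lfanew lives at offset 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))      # pad out the DOS stub
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 3, timestamp, 0, 0, 0xF0, characteristics)
    # Optional header: Magic, MajorLinkerVersion, MinorLinkerVersion, then padding
    opt = struct.pack("<HBB", PE32PLUS_MAGIC, linker[0], linker[1]) + b"\x00" * (0xF0 - 4)
    return bytes(dos) + b"PE\x00\x00" + coff + opt


def pe_fingerprint(data):
    """Extract the header fields worth comparing across samples."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsections, ts, _, _, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic, maj, minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": ts,
        "compiled_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "characteristics": chars,
        "magic": magic,
        "linker": (maj, minor),
    }


def likely_related(fp_a, fp_b, max_delta_seconds=24 * 3600):
    """Heuristic: same toolchain and build flags, compiled within a window.
    The 24-hour window is an assumption chosen for this example."""
    same_toolchain = all(fp_a[k] == fp_b[k]
                         for k in ("machine", "magic", "linker", "characteristics"))
    close_in_time = abs(fp_a["timestamp"] - fp_b["timestamp"]) <= max_delta_seconds
    return same_toolchain and close_in_time


if __name__ == "__main__":
    # Constructed stand-ins for a loader DLL and a backdoor built 30 minutes apart,
    # plus an unrelated binary from a different linker built weeks earlier.
    loader = pe_fingerprint(build_pe_stub(1744000000))
    backdoor = pe_fingerprint(build_pe_stub(1744001800))
    unrelated = pe_fingerprint(build_pe_stub(1710000000, linker=(14, 16)))
    for name, fp in (("loader", loader), ("backdoor", backdoor), ("unrelated", unrelated)):
        print(name, fp["compiled_utc"], fp["linker"], hex(fp["characteristics"]))
    print("loader~backdoor:", likely_related(loader, backdoor))
    print("loader~unrelated:", likely_related(loader, unrelated))
```

Treat the result as a clustering hint, never as proof: TimeDateStamp and linker fields are attacker-controlled and are routinely zeroed or forged, and some toolchains (reproducible builds in particular) write a hash rather than a real time into the timestamp field. Corroborate with section hashes, import tables or shared strings before asserting two files came from the same build.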
GRAPELOADER combines persistence with several anti-analysis and evasion techniques. It establishes persistence by writing a registry key, executes its malicious code directly in memory rather than dropping it to disk, and is built to slip past traditional endpoint security controls. It also fingerprints the host: a reconnaissance routine the researchers refer to as CollectedEnvironmentInfo gathers details about the compromised system before the next stage is requested.
Limited Visibility into Payload
Due to the campaign’s highly targeted nature and the malware’s in-memory execution strategy, researchers were unable to retrieve or analyze the next-stage payload. This level of stealth indicates a deliberate and refined operation aimed at long-term espionage rather than broad disruption.
Conclusion
The resurgence of APT29’s campaign targeting European diplomats highlights the persistent threat posed by state-sponsored cyber actors. By adapting social engineering tactics and enhancing malware evasion techniques, Cozy Bear continues to pursue strategic intelligence-gathering operations across Europe.
Cybersecurity professionals are urged to remain vigilant, particularly in diplomatic and governmental circles, where such targeted phishing efforts are likely to continue.