Image by Monique Carrati, from Unsplash
Hackers Target EU Diplomats With Fake Wine Event Invites
Russian hackers posing as EU officials lured diplomats with fake wine invites, deploying stealth malware GRAPELOADER in an evolving espionage campaign.
In a rush? Here are the quick facts:
- APT29 targets EU diplomats with phishing emails disguised as wine event invites.
- GRAPELOADER uses stealthier tactics than previous malware, including anti-analysis upgrades.
- Malware executes hidden code via DLL side-loading in a PowerPoint file.
Cybersecurity researchers have uncovered a new wave of phishing attacks carried out by the Russian-linked hacking group APT29, also known as Cozy Bear. The campaign, flagged by Check Point, targets European diplomats by tricking them with fake invitations to diplomatic wine tasting events.
The investigation found that attackers posed as a European Ministry of Foreign Affairs and emailed diplomats invitations that appeared official. The emails contained links that, when clicked, led to the download of malware hidden in a file named wine.zip.
This file installs a new tool called GRAPELOADER, which allows the attackers to gain a foothold in the victim’s computer. GRAPELOADER gathers system information, establishes a backdoor for further commands, and ensures the malware stays on the device even after a restart.
“GRAPELOADER refines WINELOADER’s anti-analysis techniques while introducing more advanced stealth methods,” the researchers noted. The campaign also uses a newer version of WINELOADER, a backdoor known from previous APT29 attacks, which is likely used in the later stages.
The phishing emails were sent from domains impersonating real ministry officials. If the link in the email failed to trick the target, follow-up emails were sent to try again. In some cases, clicking the link redirected users to the actual Ministry website to avoid suspicion.
The infection process uses a legitimate PowerPoint file to run hidden code using a method called “DLL side-loading.” The malware then copies itself to a hidden folder, changes system settings to launch automatically, and connects to a remote server every minute to wait for further instructions.
The attackers went to great lengths to stay hidden. GRAPELOADER uses complex techniques to scramble its code, erase its tracks, and avoid detection by security software. These methods make it harder for analysts to break down and study the malware.
This campaign shows that APT29 continues to evolve its tactics, using creative and deceptive strategies to spy on government targets across Europe.