Russian Cyber Espionage Group APT29 Deploys New GRAPELOADER Malware Against European Diplomats
- Jhade
- Apr 21

Sophisticated Phishing Campaign Targets Ministries of Foreign Affairs
A cyber espionage campaign linked to the Russian state-sponsored group APT29 — also known as Cozy Bear or Midnight Blizzard — has been uncovered by security researchers, revealing targeted attacks on diplomatic entities across Europe.
The operation leverages a newly discovered malware loader named GRAPELOADER, along with an updated variant of the previously known WINELOADER malware.
Phishing Emails Disguised as Wine-Tasting Invitations
According to Check Point Research, APT29's latest campaign uses phishing emails posing as invitations to wine-tasting events, allegedly from European Ministries of Foreign Affairs. The attackers used domains such as bakenhof[.]com and silry[.]com to send the malicious messages.
These emails contain links that download a ZIP archive titled "wine.zip", which includes:
- A legitimate PowerPoint executable named wine.exe
- A supporting DLL file (AppvIsvSubsystems64.dll)
- A malicious DLL (ppcore.dll)
When executed, the wine.exe file side-loads the malicious DLL, initiating GRAPELOADER.
Advanced Malware Capabilities and Persistence
GRAPELOADER is capable of establishing persistence by modifying the Windows Registry, ensuring that it automatically executes when the infected system reboots.
This malware collects host system information and communicates with an external command-and-control server to receive additional payloads. Researchers believe this ultimately results in the execution of WINELOADER, which replaces the previously used ROOTSAW downloader in APT29’s toolkit.
GRAPELOADER uses advanced obfuscation and anti-analysis techniques, including string encryption and runtime API resolution, to evade detection.
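The two host-side behaviours described above, a DLL side-loaded from the same user-writable folder as the executable and a Run-key entry pointing into that folder, are the kind of thing a defender can hunt for in endpoint telemetry. The following is an added example, not code from Check Point Research or from the article: it runs two simple checks over constructed Sysmon-style image-load lines and constructed Run-key values (the paths, the "diplomat" user and the Office path are all assumptions).

```python
import re
from pathlib import PureWindowsPath

# Path fragments an unprivileged user can normally write to (matched case-insensitively).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed Sysmon-style image-load lines (Event ID 7); not real telemetry from the campaign.
SAMPLE_IMAGE_LOADS = [
    "Image: C:\\Users\\diplomat\\Downloads\\wine\\wine.exe | ImageLoaded: C:\\Users\\diplomat\\Downloads\\wine\\ppcore.dll",
    "Image: C:\\Users\\diplomat\\Downloads\\wine\\wine.exe | ImageLoaded: C:\\Windows\\System32\\kernel32.dll",
    "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE | ImageLoaded: C:\\Program Files\\Microsoft Office\\root\\Office16\\ppcore.dll",
]

# Constructed HKCU\...\Run values; the "wine" entry is the hypothetical persistence artefact.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
    "wine": "\"C:\\Users\\diplomat\\Downloads\\wine\\wine.exe\"",
}


def in_user_writable(path: str) -> bool:
    """True if the path sits under a directory ordinary users can write to."""
    low = path.lower()
    return any(fragment in low for fragment in USER_WRITABLE)


def parse_image_load(line: str):
    """Extract (process image, loaded image) from one sample line, or None."""
    match = re.match(r"Image: (.+?) \| ImageLoaded: (.+)$", line)
    return (match.group(1), match.group(2)) if match else None


def sideload_suspects(lines):
    """(process, dll) pairs where a DLL was loaded from the same user-writable
    directory as the process itself: the shape of the wine.exe / ppcore.dll chain."""
    hits = []
    for line in lines:
        parsed = parse_image_load(line)
        if parsed is None:
            continue
        proc, loaded = (PureWindowsPath(p) for p in parsed)
        # PureWindowsPath compares case-insensitively, as Windows does.
        if loaded.suffix.lower() == ".dll" and loaded.parent == proc.parent and in_user_writable(str(proc)):
            hits.append((proc.name, loaded.name))
    return hits


def run_key_suspects(values):
    """Names of Run-key values whose executable lives in a user-writable directory."""
    exe = re.compile(r'^"?(.+?\.exe)"?', re.IGNORECASE)
    return sorted(name for name, cmd in values.items()
                  if (m := exe.match(cmd)) and in_user_writable(m.group(1)))
```

The Office line is deliberately included as a benign case: a DLL loaded beside its executable is normal when both live under Program Files, so the check keys on the user-writable location rather than on the DLL name alone.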
Primary Targets and Attribution to APT29
The campaign has been directed at Ministries of Foreign Affairs and embassies across several European countries. There is also evidence suggesting Middle Eastern diplomats may have been targeted.
APT29 is widely believed to operate under the Russian Foreign Intelligence Service (SVR) and is responsible for multiple high-profile cyber operations, including the SolarWinds supply chain attack.
Implications for Global Cybersecurity
This latest revelation is a stark reminder of the ongoing threat from state-sponsored cyber actors and the critical need for robust cybersecurity measures, particularly in protecting diplomatic communications and government infrastructure.