A Russian state-linked hacking group is ramping up its cyberattacks against diplomatic targets across Europe, using a new stealthy malware tool known as “GrapeLoader” to deliver malicious payloads through cleverly disguised phishing emails.
According to Check Point Research, the campaign began in January 2025 and is being carried out by APT29 — also known as Cozy Bear or Midnight Blizzard — the same group behind the infamous SolarWinds supply chain attack. This time, their targets are embassies and foreign ministries, mostly in Europe.
The phishing emails come with a tempting subject: wine tasting. Victims are invited, seemingly by a legitimate European foreign affairs ministry, to a fake diplomatic event. But clicking the invitation link sets off a silent and dangerous infection process.
Wine, PowerPoint, and Malware
The malicious ZIP archive typically contains three files, including a PowerPoint executable (wine.exe), a bloated dummy DLL (AppvIsvSubsystems64.dll), and ppcore.dll, the newly identified GrapeLoader. Once executed, this combo quietly installs itself on the victim’s computer, achieves persistence by modifying the Windows registry, and phones home to a Command and Control server for further instructions.
“Once wine.exe is executed and the GRAPELOADER DLL is side-loaded, the malware copies the contents of the wine.zip archive to a new location on the disk,” Check Point explained. “It then gains persistence by modifying the Windows registry’s Run key, ensuring that wine.exe is executed automatically every time the system reboots.”
From there, GrapeLoader gathers basic information like username and computer name and sends it to a C2 server, “where it waits for the next-stage shellcode to be delivered.”
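The chain described above has two telemetry-visible steps a defender can hunt for without needing the malware itself: a Run-key entry that points at an executable living in a user-writable folder, and a DLL loaded from that executable's own directory rather than from a system or Program Files location. The following script is an added example (not Check Point's code or tooling) that runs those two checks over constructed event records in a simplified EDR/registry-audit shape and then correlates them by directory; the event format, the trusted-path list and the treatment of the article's DLL names as hunt indicators are all assumptions made here.

```python
"""Hunt for the Run-key persistence plus DLL side-loading pattern described
in the article. Added example; event records below are constructed, not
real telemetry, and the event schema is an assumption."""
import ntpath  # Windows path handling that also works on Linux/macOS
import re

# Directories a legitimately installed Office or system binary normally runs from.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

# File names the article attributes to the lure archive, used here only as
# hunt indicators (assumption: this list is ours, not from the report).
KNOWN_SIDELOAD_DLLS = {"appvisvsubsystems64.dll", "ppcore.dll"}

# Matches HKCU/HKLM ...\CurrentVersion\Run and RunOnce value paths.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

# Constructed sample events: two suspicious, three benign.
SAMPLE_EVENTS = [
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wine",
     "value": r'"C:\Users\alice\AppData\Roaming\wine\wine.exe"'},
    {"event": "image_load",
     "process": r"C:\Users\alice\AppData\Roaming\wine\wine.exe",
     "image": r"C:\Users\alice\AppData\Roaming\wine\AppvIsvSubsystems64.dll"},
    {"event": "image_load",  # normal system DLL load, different directory
     "process": r"C:\Users\alice\AppData\Roaming\wine\wine.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"event": "image_load",  # genuine Office install loading its own DLL
     "process": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\ppcore.dll"},
    {"event": "registry_set",  # vendor updater installed under Program Files
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe /quiet"},
]


def exe_from_command(command: str) -> str:
    """Return the executable path from a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    match = re.match(r"(.*?\.exe)(\s|$)", command, re.I)
    return match.group(1) if match else command


def is_trusted(path: str) -> bool:
    """True if the path sits under a directory ordinary users cannot write to."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def analyze(events):
    """Apply both checks to a list of event dicts and return findings."""
    findings = []
    for ev in events:
        if ev["event"] == "registry_set" and RUN_KEY.search(ev["key"]):
            target = exe_from_command(ev["value"])
            if not is_trusted(target):
                findings.append({"rule": "run_key_untrusted_path",
                                 "key": ev["key"], "path": target})
        elif ev["event"] == "image_load":
            image, proc = ev["image"], ev["process"]
            colocated = ntpath.dirname(image).lower() == ntpath.dirname(proc).lower()
            if colocated and not is_trusted(image):
                known = ntpath.basename(image).lower() in KNOWN_SIDELOAD_DLLS
                findings.append({"rule": "dll_sideload_known_name" if known
                                 else "dll_sideload_colocated",
                                 "process": proc, "path": image})
    return findings


def correlate(findings):
    """Directories that show both a Run-key entry and a side-loaded DLL."""
    by_dir = {}
    for f in findings:
        kind = f["rule"].split("_")[0]  # "run" or "dll"
        by_dir.setdefault(ntpath.dirname(f["path"]).lower(), set()).add(kind)
    return sorted(d for d, kinds in by_dir.items() if {"run", "dll"} <= kinds)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("chained in:", correlate(SAMPLE_EVENTS and found))
```

On the sample data the two events from the `wine` folder are flagged and the folder is reported as showing the full chain, while the genuine `ppcore.dll` load from the Office install directory and the vendor updater under Program Files are left alone; the point is that the file names alone are not the signal, the directory they run from is.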
Improved stealth, same old threat
What makes GrapeLoader more dangerous is how it cleverly hides itself. It uses advanced techniques to avoid detection, like masking strings in its code and only decrypting them briefly in memory before erasing them. According to Check Point, it also employs a sneaky method to dodge antivirus scans by temporarily making malicious memory pages inaccessible.
“This approach successfully defeats common automatic string extraction and deobfuscation tools like FLOSS,” Check Point stated.
The attackers also made sure the malware only activates in specific conditions. If the link in the phishing email is opened outside the expected time zone or by automated tools, it redirects users to the real foreign ministry website, making the scam even harder to detect.
Final sip
The use of GrapeLoader signals yet another evolution in APT29’s arsenal. By disguising its tools with harmless-sounding wine events and legitimate-looking software components, the group continues to blend sophistication with social engineering.
“Despite differing roles, both share similarities in code structure, obfuscation, and string decryption,” said the report. “GRAPELOADER refines WINELOADER’s anti-analysis techniques while introducing more advanced stealth methods,” hinting at a deliberate and well-resourced campaign still very much in motion.