Russian hackers target European diplomats by sending fake invites for wine tasting event

European diplomats have been targeted in a recent spear phishing attack in which the attackers sent a fictitious invitation to a wine tasting event.
Since January 2025, cybersecurity firm Check Point Research has been tracking a new wave of targeted phishing attacks against European governments and diplomats.
In the recent phishing campaign, the attackers impersonated the Ministry of Foreign Affairs of a European country, sending fake invitations to diplomatic events, most commonly wine tasting. Invitations had subject lines like ‘Wine Event’, ‘Wine Tasting Event’, or ‘For Ambassador’s Calendar.’
The invitations, sent by email, contained a malicious web link. Clicking it started the download of a file named ‘wine.zip’, which launched the next stage of the attack. When a first attempt to infect a target’s device failed, the attackers sent follow-up emails to increase the likelihood of compromising the machine.
According to Check Point Research, the server hosting the link was heavily hardened against scanners and automated analysis tools: the malicious download was served only when certain conditions were met, such as the request arriving at a specific time and from a specific geographic location. Otherwise, including when the link was opened directly, visitors were redirected to the official website of the impersonated Ministry of Foreign Affairs. In practice this means an analyst who fetches the URL after the fact will usually see only the benign redirect, not the payload.
The ‘wine.zip’ archive contained a legitimate PowerPoint executable, ‘wine.exe’, bundled with a malicious DLL. Because a Windows executable looks in its own directory first when resolving a DLL by name, running wine.exe side-loaded the attackers’ DLL, GRAPELOADER, which gave them a backdoor into the victim’s compromised device.
GRAPELOADER then collected basic information about the infected machine, including the hostname and username, sent it to a command-and-control (C2) server, and waited for the server to deliver the next-stage shellcode.
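The archive layout described above (a legitimate executable shipped next to the DLL it will load) is a pattern that can be triaged mechanically before anything is run. The script below is an added example written for this page, not code from Check Point Research or from the campaign; it builds a constructed sample archive in memory (the DLL name ‘helper.dll’, the decoy document and the file contents are placeholders, not the real wine.zip) and flags any directory that holds both an .exe and a .dll. The hidden-attribute check is an additional heuristic, reading the MS-DOS attribute bits that ZIP tools store in the low byte of each entry’s external attributes; the article itself does not state whether the DLL was hidden.

```python
import io
import zipfile
from pathlib import PurePosixPath

# MS-DOS FILE_ATTRIBUTE_HIDDEN bit; ZIP tools on Windows store DOS attributes
# in the low byte of external_attr.
DOS_HIDDEN = 0x02
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def triage_archive(data: bytes) -> dict:
    """Flag the DLL side-loading pattern: an .exe bundled with a .dll in the
    same directory, plus any entries carrying the DOS hidden attribute."""
    findings = {"pairs": [], "hidden": [], "executables": []}
    by_dir: dict[str, list[PurePosixPath]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            by_dir.setdefault(str(path.parent), []).append(path)
            if info.external_attr & 0xFF & DOS_HIDDEN:
                findings["hidden"].append(info.filename)
            if path.suffix.lower() in EXEC_SUFFIXES:
                findings["executables"].append(info.filename)
    # Every exe/dll pair sharing a directory is a side-loading candidate.
    for paths in by_dir.values():
        exes = [p for p in paths if p.suffix.lower() == ".exe"]
        dlls = [p for p in paths if p.suffix.lower() == ".dll"]
        for exe in exes:
            for dll in dlls:
                findings["pairs"].append((str(exe), str(dll)))
    findings["suspicious"] = bool(findings["pairs"])
    return findings


def build_sample() -> bytes:
    """Constructed archive mimicking the described layout (placeholder contents,
    hypothetical DLL name; not the real wine.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wine.exe", b"MZ placeholder, not a real PE")
        dll = zipfile.ZipInfo("helper.dll")
        dll.external_attr = DOS_HIDDEN  # mark the DLL hidden, as a lure might
        zf.writestr(dll, b"MZ placeholder DLL")
        zf.writestr("Wine_Tasting_Invitation.pdf", b"%PDF-1.4 placeholder decoy")
    return buf.getvalue()


def build_benign() -> bytes:
    """Constructed archive with only documents, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("seating.docx", b"PK placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("sample", build_sample()), ("benign", build_benign())):
        result = triage_archive(blob)
        print(name, "suspicious" if result["suspicious"] else "clean", result)
```

The pairing heuristic deliberately ignores whether the executable is signed or well known: in this campaign the executable was legitimate, so reputation alone would not have raised an alert. A fuller check would parse the executable’s import table and confirm the bundled DLL name appears there.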
Researchers also found a new variant of WINELOADER, a malicious program that was attributed to Russia-linked threat group APT29.
“Due to the links we uncovered between GRAPELOADER and WINELOADER, this suggests that WINELOADER is likely delivered in later stages of the attack,” Check Point Research concludes.
APT29, also known as Midnight Blizzard or Cozy Bear, is known for targeting high-profile organizations such as Microsoft and the UK Home Office. The group is also associated with the SolarWinds supply chain attack, which was disclosed in December 2020.