In April 2025, researchers revealed Russia’s APT29 (Cozy Bear) resumed phishing attacks on European diplomats, using a wine tasting invitation. The emails mimic European Ministry of Foreign Affairs correspondence and re-target diplomats who don’t respond. Links lead to a malicious file, wine.zip, dropped under specific conditions. Inside, a PowerPoint executable (wine.exe) exploits DLL side-loading to run an obfuscated loader called Grapeloader.
The emails imitate a European Ministry of Foreign Affairs and are resent if ignored, with subject lines such as “Wine tasting event (update date)” and “For Ambassador’s Calendar”. Their embedded link sits on infrastructure that withholds the malicious file unless the request arrives from the right place or at the right moment, otherwise sending the visitor to the genuine embassy website.
Grapeloader copies itself locally, sets a Windows Run key for persistence, inventories the host and polls a Cozy Bear command‑and‑control server every sixty seconds. Once contact is established the server pushes in a fresh 64‑bit Wineloader back‑door that steals data, encrypts it with RC4 and wipes its own tracks while hiding behind copious junk code.
The episode shows that European diplomatic networks remain a priority target leaving vigilance and layered defences the only reliable antidote.
