Russian Hackers Target European Diplomats with Sneaky Malware in Fake Wine Tasting Invites
Russian state-sponsored hackers are once again shaking up Europe’s diplomatic circles, this time with wine-themed lures and a brand-new malware loader named GRAPELOADER. The cyber campaign, linked to the notorious APT29 group, appears to be targeting Ministries of Foreign Affairs and embassies across Europe—and possibly beyond.
Check Point researchers confirmed that GRAPELOADER is now being used in tandem with an improved variant of WINELOADER, a modular backdoor that’s been floating around since early 2024. Together, the two are part of a multi-layered attack chain aimed at stealthy infiltration and long-term persistence inside sensitive networks.
Wine Lures and Dirty DLLs: The Anatomy of a Deception
The emails come dressed up like harmless invites to wine-tasting events—sent from domains that look just convincing enough to slip through. But they carry ZIP archives packing a malicious payload.
The ZIP file, named “wine.zip,” contains three files. One is a legitimate PowerPoint executable, “wine.exe.” It’s harmless on its own—but here’s where the trick comes in.
The attackers exploit a technique called DLL sideloading.
They include a legitimate dependency file, “AppvIsvSubsystems64.dll,” along with a rogue DLL named “ppcore.dll.”
When “wine.exe” runs, it loads the malicious “ppcore.dll” instead of the legitimate one.
This is how GRAPELOADER sneaks in. From there, the infection begins.
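A mail-gateway or sandbox triage check for the archive layout described above, written here as an added example (not code from the article or from Check Point's report). It opens a ZIP attachment and flags any executable that ships with DLLs in its own folder, which is the DLL-sideloading package shape; the sample archive is constructed to mirror the wine.zip layout, and its file contents are placeholders.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed sample mirroring the layout the article describes: a benign EXE
# shipped next to the DLLs it resolves from its own directory first.
SAMPLE_FILES = {
    "wine.exe": b"MZ placeholder",
    "AppvIsvSubsystems64.dll": b"MZ placeholder",
    "ppcore.dll": b"MZ placeholder",
}


def build_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def find_sideload_candidates(zip_bytes: bytes) -> list[dict]:
    """Flag every EXE that shares its archive directory with one or more DLLs.

    Windows searches the application's own directory before system paths, so
    an archive bundling an EXE with 'helper' DLLs lets any rogue DLL in that
    folder win over the legitimate copy in the real install directory.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir: dict[str, list[str]] = {}
    for n in names:
        p = PurePosixPath(n)
        by_dir.setdefault(str(p.parent), []).append(p.name)
    findings = []
    for directory, files in by_dir.items():
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        for exe in exes:
            if dlls:  # EXE + co-located DLLs: the sideloading package shape
                findings.append({"dir": directory, "exe": exe, "dlls": dlls})
    return findings


if __name__ == "__main__":
    for hit in find_sideload_candidates(build_zip(SAMPLE_FILES)):
        print(f"[sideload candidate] {hit['exe']} with {hit['dlls']} in {hit['dir']}")
```

In production the finding would be enriched with the EXE's signer and whether each DLL name matches a module the signed product normally loads, so that legitimate portable tools do not drown the alert.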
GRAPELOADER Steps In Where ROOTSAW Left Off
What makes GRAPELOADER interesting isn’t just its fresh name. It’s the way it works under the hood. The malware is an initial-stage loader—it gets in first, checks the lay of the land, and prepares the system for more dangerous payloads.
It also seems to be replacing another tool, ROOTSAW, that Russian hackers used in earlier campaigns.
Unlike WINELOADER, which is more modular and used later in the attack, GRAPELOADER has a very specific job. It collects basic host information, avoids detection using obfuscation, and ensures persistence through Windows Registry changes.
Check Point’s report notes a clear overlap between GRAPELOADER and WINELOADER in terms of code structure and techniques—but GRAPELOADER goes a step further in dodging analysis.
Where It’s Hitting: Europe, and Possibly Beyond
Targets are primarily located across Europe, with a focus on Ministries of Foreign Affairs and diplomatic missions. But researchers aren’t ruling out a broader scope.
There’s some evidence—although still not definitive—that diplomats in the Middle East might be on the list too.
So far, emails have been traced back to two domains: bakenhof[.]com and silry[.]com. Both look legitimate enough to avoid immediate suspicion. And if someone clicks? That’s when the infection chain begins.
Interestingly, the initial attribution of these campaigns pointed to a group called SPIKEDWINE. Later analysis by Google’s Mandiant team, however, confidently tied it to APT29—also known as Cozy Bear, or Midnight Blizzard. That’s the same crew linked to Russia’s Foreign Intelligence Service.
APT29 isn’t new to the stage. But they’re getting more careful, more patient, and more effective.
Malware Evolution Table: From ROOTSAW to GRAPELOADER
Let’s take a look at how the tools have evolved:
| Malware Tool | Role in Campaign | First Seen | Notable Features |
|---|---|---|---|
| ROOTSAW | Initial-stage downloader | 2023 | HTA-based, used for WINELOADER deployment |
| WINELOADER | Modular backdoor | Feb 2024 | Wine-themed lures, used in mid-stage attacks |
| GRAPELOADER | Initial-stage loader | April 2025 | Obfuscated, stealthy, Registry persistence |
This evolution shows a pattern: better evasion, better targeting, and sharper payload delivery. These aren’t smash-and-grab tactics—they’re quiet, long-game operations.
Meanwhile in Ukraine: Gamaredon’s USB Infectors
Just as APT29 was busy in Europe, another Russian threat group—Gamaredon—was causing chaos in Ukraine.
French cybersecurity firm HarfangLab reported on new variants of Gamaredon’s PteroLNK malware. This one doesn’t wait around for email clicks. It spreads via USB drives and drops malicious shortcut (.lnk) files disguised as legitimate PDFs, Word docs, and spreadsheets.
Here’s the kicker: once those shortcuts are opened, they either run PteroLNK directly or pull in more malware from a remote server.
Symantec also flagged the malware’s core components by their filenames:
- NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms – Downloader
- NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms – LNK dropper
These scripts are dynamic and tweakable. Attackers can easily modify file names, paths, registry keys, and persistence logic based on what kind of security tools are installed on the system. Flexibility is the name of the game here.
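A small endpoint-telemetry triage for the two PteroLNK traits described above, added here as an example (not code from HarfangLab, Symantec or the article): shortcut files wearing a document extension, and the component filenames named above. The events are constructed, simplified file-creation records; the assumption that Windows' own registry transaction logs carry a {GUID} between NTUSER.DAT and .TMContainer, which the malware's names lack, is the heuristic's basis and is labelled as such in the code.

```python
import re

# Constructed sample of file-creation events (simplified Sysmon Event ID 11
# shape: the image that wrote the file and the full target path). Not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "target": r"E:\Quarterly_Report.pdf.lnk"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms"},
    {"image": r"C:\Windows\System32\svchost.exe",   # legitimate transaction log
     "target": r"C:\Users\alice\NTUSER.DAT{9d6a1c0e-0000-0000-0000-000000000000}"
               r".TMContainer00000000000000000001.regtrans-ms"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\Documents\notes.docx"},
]

# A shortcut whose name ends in a document extension followed by .lnk.
DISGUISED_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|rtf|txt)\.lnk$", re.IGNORECASE)

# The component names from the article: NTUSER.DAT followed directly by
# .TMContainer. Assumption used as the discriminator: genuine registry
# transaction logs insert a {GUID} between NTUSER.DAT and .TMContainer.
FAKE_REGTRANS = re.compile(r"\\NTUSER\.DAT\.TMContainer\d+\.regtrans-ms$", re.IGNORECASE)


def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, writing image, target path) for each suspicious event."""
    hits = []
    for ev in events:
        target = ev["target"]
        if DISGUISED_LNK.search(target):
            hits.append(("disguised_lnk", ev["image"], target))
        elif FAKE_REGTRANS.search(target):
            hits.append(("pterolnk_component", ev["image"], target))
    return hits


if __name__ == "__main__":
    for rule, image, target in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {target}")
```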
Aggression Over Subtlety: Gamaredon’s Cyber Blueprint
Gamaredon operates differently than APT29. It’s less about finesse and more about impact. They don’t mind being noisy if it means getting the job done.
Their strategy includes:
Rapid and repetitive spearphishing
Obfuscated VBScript and PowerShell payloads
Aggressive infection of removable drives
Multi-stage malware architecture
Use of long-known C2 domains without much care for exposure
While APT29 sneaks in through side doors, Gamaredon kicks them down.
And they’ve been particularly active since December 2024, flooding VirusTotal with samples from Ukraine. According to ESET, their scripts are configured to run every few minutes: every three minutes for the downloader and every nine for the dropper.
It’s like a ticking time bomb, just waiting for the next USB stick to get plugged in.