APT29—also known as “Cozy Bear,” a notorious threat actor linked to Russia’s Foreign Intelligence Service (SVR)—has launched a new phishing campaign aimed at European diplomatic missions.
This was revealed in a new report from Check Point Research.
This latest campaign marks a continuation of the group’s long-running cyber espionage activities, with signs of both increased sophistication and strategic targeting.
Phishing Lures Masquerade as Diplomatic Event Invitations
The phishing attacks, which started in January this year, use cunning email lures pretending to be invitations to exclusive diplomatic events. One example included an invitation to a wine-tasting evening, purportedly sent by a European Ministry of Foreign Affairs. These emails were highly polished, mimicking the tone, formatting, and language one would expect in official diplomatic correspondence.
Links to malicious HTML files hosted on compromised websites are embedded within these emails, and once opened, they initiate the infection chain that leads to the deployment of APT29’s latest custom malware.
New Loader in APT29’s Arsenal
The centerpiece of the campaign is GRAPELOADER, a new custom malware loader that appears to serve as the first stage of infection. Once executed, it collects information about the target system and establishes a foothold for follow-up stages. The loader features several enhancements over previously seen tools, including better obfuscation, stealth techniques, and anti-analysis capabilities.
Researchers note that GRAPELOADER bears structural similarities to WINELOADER, a backdoor previously attributed to APT29. The former serves as a lighter, more agile first-stage tool designed to evade detection and prepare the ground for heavier payloads later in the infection cycle.
WINELOADER Evolution
In addition to the new GRAPELOADER variant, Check Point also observed updates to WINELOADER itself. The revised features upgraded obfuscation, string decryption techniques, and stealth mechanisms. While GRAPELOADER appears to focus on reconnaissance and initial access, WINELOADER is likely responsible for command-and-control communications, data exfiltration, and maybe lateral movement.
High-Value Targets
Check Point’s analysis confirms that APT29’s targets include Ministries of foreign affairs across multiple European nations and foreign embassies operating within Europe. The attack’s geographic scope appears primarily focused on European Union countries, although evidence suggests the campaign may not be limited to that region alone.
Given APT29’s historical interest in diplomatic, governmental, and policy-related data, the motive is almost certainly espionage-related, aligning with past campaigns like the infamous SolarWinds supply chain breach and intrusions into COVID-19 vaccine research during the height of the pandemic.
Strategic Implications
This renewed activity from APT29’s adds to concerns that Russian state-aligned threat groups are motivated by intelligence gathering instead of destruction or financial gain. The group’s relentless targeting of diplomatic entities seems to be part of an ongoing campaign to keep an eye on foreign policy developments, internal government communications, and alliance dynamics within NATO and the EU.
Also, the campaign’s highly tailored phishing lures and upgraded malware tooling suggest a continued investment in cyber capabilities at the nation-state level.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.