{
	"id": "599aa615-a02b-4fc3-9e70-b75571a7b20b",
	"created_at": "2026-04-13T02:21:43.981843Z",
	"updated_at": "2026-04-13T02:23:13.783502Z",
	"deleted_at": null,
	"sha1_hash": "e5a29147f30b180b256fa5be8e79b6096d552128",
	"title": "Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59820,
	"plain_text": "Unmasking APT29: The Sophisticated Phishing Campaign\r\nTargeting European Diplomacy\r\nBy rohann@checkpoint.com\r\nPublished: 2025-04-15 · Archived: 2026-04-13 02:16:21 UTC\r\nExecutive Summary\r\nCheck Point Research has been observing a sophisticated phishing campaign conducted by Advanced\r\nPersistent Threat (APT) 29, a Russia-linked threat group. The operation targeted diplomatic organizations\r\nthroughout Europe.\r\nThe campaign appears to continue a previous operation called Wineloader, which impersonates a major\r\nEuropean foreign affairs ministry to distribute fake invitations to diplomatic events, most commonly wine-tasting events.\r\nThe campaign, which was spread via phishing emails, used a new malware dubbed Grapeloader. A new\r\nvariant of Wineloader was also discovered, likely used in a later stage of the campaign.\r\nIntroduction\r\nCheck Point Research (CPR) identified a significant wave of targeted phishing attacks beginning in January 2025.\r\nThese attacks specifically target government officials and diplomats across Europe, employing sophisticated\r\ntactics, techniques, and procedures (TTPs) that closely resemble those associated with a previous phishing\r\ncampaign called Wineloader, which was previously connected to APT29, a Russia-linked threat actor.\r\nTo understand APT29’s latest campaign in depth, read Check Point Research’s comprehensive report here.\r\nAPT29, AKA Midnight Blizzard or Cozy Bear\r\nAPT29, known as Midnight Blizzard or Cozy Bear, is recognized for targeting high-profile organizations,\r\nincluding government agencies and think tanks. 
This group is also linked to the SolarWinds supply chain attack.\r\nIts operations range from targeted phishing campaigns to significant supply chain attacks, mostly employing\r\nvarious custom malware.\r\nAPT29 Targets European Ministries\r\nIn a recent wave of cyber attacks attributed to APT29, threat actors notably impersonated a major European\r\nforeign affairs ministry to send misleading emails inviting targets to wine-tasting events. This new phishing\r\ncampaign, which emerged approximately a year after the last Wineloader campaign, primarily targeted European\r\ndiplomatic entities, including embassies of non-European countries. The emails contained malicious links that,\r\nwhen clicked, either initiated the download of a backdoor known as Grapeloader or redirected victims to the legitimate\r\nwebsite of the impersonated European foreign affairs ministry, creating a facade of legitimacy.\r\nhttps://blog.checkpoint.com/research/unmasking-apt29-the-sophisticated-phishing-campaign-targeting-european-diplomacy/\r\nPage 1 of 3\n\nInvestigators uncovered the Grapeloader variants sent to specific targets and a new variant of Wineloader. The\r\ncompilation timestamp of this Wineloader variant and its resemblance to the newly identified Grapeloader suggest\r\nthat it was likely deployed in a later phase of the attack. This progression illustrates the evolving tactics the\r\nattackers employ, showcasing their adaptability in exploiting trusted entities to deploy sophisticated malware\r\nagainst unsuspecting victims.\r\nFigure 1 – Campaign Overview\r\nPhishing Emails\r\nSeveral emails were sent from two domains, pretending to be from someone in the Ministry of Foreign Affairs.\r\nEach email had a malicious link that, when clicked, downloaded a file called wine.zip, which was the next step in\r\nthe attack. The link’s domain matched the sender’s domain. 
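Turning the traits just described (a wine-themed subject, a link hosted on the same domain the mail claims to come from, and a wine.zip payload) into a first-pass mail triage check, as an added example that is not Check Point's code: every address, host and message below is constructed on the reserved .invalid TLD, and the lure terms are taken from the subject themes the report lists.

```python
# Added example, not Check Point's code: an email-triage heuristic built from the
# traits the report describes (wine-themed lure subjects, a download link whose host
# matches the sender's domain, a payload named wine.zip). Every address, host and
# message below is a constructed placeholder; the .invalid TLD never resolves.
import re
import string
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject themes listed in the report, lower-cased substrings; 'wine' also matches
# the misspelled lure 'Wine Testing Event'.
LURE_TERMS = ('wine', 'tasting', 'ambassador', 'diplomatic dinner')

# http(s) URLs up to whitespace, an angle bracket or a quote character.
URL_RE = re.compile('https?://[^' + string.whitespace + '<>' + chr(39) + chr(34) + ']+')


def sender_domain(msg):
    # Domain part of the From: address; empty if the header is missing or malformed.
    addr = parseaddr(str(msg['From'] or ''))[1]
    return addr.rpartition('@')[2].lower()


def triage(raw_message):
    # Score one RFC 5322 message and return the evidence, not only a verdict,
    # so an analyst can see why it fired.
    msg = message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg)
    subject = str(msg['Subject'] or '').lower()
    body = msg.get_body(preferencelist=('html', 'plain'))
    text = body.get_content() if body is not None else ''

    lure = any(term in subject for term in LURE_TERMS)
    archives = []
    for link in URL_RE.findall(text):
        parts = urlparse(link)
        host = (parts.hostname or '').lower()
        same_domain = bool(domain) and (host == domain or host.endswith('.' + domain))
        if parts.path.lower().endswith('.zip'):
            archives.append({'url': link, 'same_domain': same_domain,
                             'named_wine_zip': parts.path.lower().endswith('/wine.zip')})

    # The reported pattern: a lure-themed subject plus an archive served from the
    # same domain the mail claims to come from. A wine invitation with no download,
    # or a download with no lure, stays below the bar.
    suspicious = lure and any(a['same_domain'] for a in archives)
    return {'sender_domain': domain, 'lure_subject': lure,
            'archives': archives, 'suspicious': suspicious}


# Constructed sample messages (header lines start at column 0 on purpose).
SAMPLES = [
    # 1. Mirrors the reported pattern: lure subject, wine.zip on the sender's own domain.
    '''From: Protocol Office <protocol@mfa-events.invalid>
To: ambassador@embassy.invalid
Subject: Wine tasting event (update date)
Content-Type: text/html

<p>The programme is available <a href='https://mfa-events.invalid/invite/wine.zip'>here</a>.</p>
''',
    # 2. Ordinary newsletter with a document link: no lure, no archive.
    '''From: Vendor News <news@vendor.invalid>
To: ambassador@embassy.invalid
Subject: Quarterly product update
Content-Type: text/html

<p>Read the <a href='https://vendor.invalid/q1/report.pdf'>report</a>.</p>
''',
    # 3. A genuine-looking invitation that only links to an event page: lure, no archive.
    '''From: Residence <events@mfa.invalid>
To: ambassador@embassy.invalid
Subject: Wine tasting at the residence
Content-Type: text/html

<p>RSVP at <a href='https://mfa.invalid/events/residence'>the event page</a>.</p>
''',
    # 4. Same pattern as 1, but the archive sits on a subdomain of the sender's domain.
    '''From: Protocol Office <protocol@mfa-events.invalid>
To: ambassador@embassy.invalid
Subject: For Ambassador's Calendar
Content-Type: text/plain

Please download the updated schedule: https://cdn.mfa-events.invalid/wine.zip
''',
]


def triage_all(messages=SAMPLES):
    return [triage(m) for m in messages]


if __name__ == '__main__':
    for i, result in enumerate(triage_all(), 1):
        print(i, 'SUSPICIOUS' if result['suspicious'] else 'ok', result)
```

Run it as a script to print one line per sample. The verdict requires both the lure theme and a same-domain archive, because a wine invitation that only links to an event page, or a same-domain document link with no lure, also describes legitimate diplomatic mail. Treat it as a hunting heuristic to pivot from rather than a signature, and do not expect a gateway fetch of the URL to confirm it: the report notes that the hosting server serves the payload only under specific conditions.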
Check Point Research identified several emails sent out as part of the campaign, almost all of them themed\r\naround a wine tasting event:\r\nEmail subjects\r\nWine Event\r\nWine Testing Event\r\nWine tasting event (update date)\r\nFor Ambassador’s Calendar\r\nDiplomatic dinner\r\nThe server hosting the link appears to be hardened against scanning and automated analysis tools. The\r\nmalicious download is served only under specific conditions, such as at certain times or from certain geographic\r\nlocations, so a single automated fetch of the link may not retrieve the payload at all.\r\nConclusion\r\nIn conclusion, the recent targeted phishing attacks associated with APT29, also known as Midnight Blizzard or\r\nCozy Bear, highlight the increasing sophistication and adaptability of cyber threats facing governmental and\r\ndiplomatic entities. The emergence of Grapeloader, alongside a new variant of Wineloader, underscores the\r\nevolving nature of malware, revealing more advanced stealth and evasion capabilities that pose significant\r\nchallenges for detection and prevention.\r\nCheck Point Threat Emulation and Harmony Endpoint protect organizations from threats, such as those mentioned\r\nin this blog, by identifying malicious behavior before it can impact networks. They detect unknown threats and\r\nzero-day vulnerabilities, allowing users to quickly access a secure version of files while the original files are\r\nthoroughly examined. 
This proactive approach enhances security by ensuring quick access to safe content and\r\neffectively identifying and managing potential threats, thereby preserving network integrity.\r\nSource: https://blog.checkpoint.com/research/unmasking-apt29-the-sophisticated-phishing-campaign-targeting-european-diplomacy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/research/unmasking-apt29-the-sophisticated-phishing-campaign-targeting-european-diplomacy/"
	],
	"report_names": [
		"unmasking-apt29-the-sophisticated-phishing-campaign-targeting-european-diplomacy"
	],
	"threat_actors": [],
	"ts_created_at": 1776046903,
	"ts_updated_at": 1776046993,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5a29147f30b180b256fa5be8e79b6096d552128.pdf",
		"text": "https://archive.orkl.eu/e5a29147f30b180b256fa5be8e79b6096d552128.txt",
		"img": "https://archive.orkl.eu/e5a29147f30b180b256fa5be8e79b6096d552128.jpg"
	}
}