Russian Hackers Use Fake Wine Tasting Invites to Target European Diplomats

A new report indicates that a hacking group with suspected ties to Russia has launched a sophisticated phishing operation targeting European diplomats. The scheme involves invitations to fictitious wine tasting events.

Cybersecurity firm Check Point Research reports that the APT29 group is impersonating a major European Ministry of Foreign Affairs. The group sends invitations to these fake events, enticing recipients to click a link that deploys a new backdoor malware called GRAPELOADER.

According to the advisory, the campaign is focused on European diplomatic entities, including embassies of non-European nations located in Europe. The malicious emails use subject lines like “Wine tasting event (update date),” “For Ambassador’s Calendar,” and “Diplomatic dinner.”

APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear, has previously been identified as a cyber espionage group likely linked to the SVR, a component of the Russian intelligence services.


Check Point Research stated that APT29 is known for targeting prominent organizations such as government agencies and think tanks. Their operations include sophisticated supply chain attacks and make use of a variety of custom and commercial malware.

The new campaign targets multiple European diplomatic entities, with a focus on Ministries of Foreign Affairs and other countries’ embassies in Europe. Limited targeting outside of Europe, including diplomats based in the Middle East, has also been observed.

Check Point Research indicates that these phishing attacks began in January of this year.


The firm noted that if the initial phishing attempt failed, follow-up emails were sent to increase the chances of a successful compromise.

The server hosting the malicious link is believed to be heavily protected against scanning and automated analysis. The malicious download is served only under specific conditions, such as particular times or geographic locations; outside those conditions, accessing the link directly redirects to the official website of the impersonated Ministry of Foreign Affairs.

It remains unclear whether any of these phishing attacks were successful.
