The PolySwarm Blog

Cozy Bear Uses GRAPELOADER in Recent Phishing Campaign

Apr 21, 2025 2:15:53 PM / by The Hivemind

Verticals Targeted: Government, Diplomatic Entities
Regions Targeted: Europe, Middle East
Related Families: WINELOADER, ROOTSAW

Executive Summary

A sophisticated phishing campaign by Cozy Bear, a Russia-linked threat actor, was recently observed targeting European diplomatic entities with GRAPELOADER and WINELOADER malware.

Key Takeaways

  • In a recent campaign, Cozy Bear impersonated a European Ministry of Foreign Affairs to distribute phishing emails with malicious links to infect targets with GRAPELOADER and WINELOADER malware.
  • GRAPELOADER, a new backdoor, facilitates initial infection, fingerprinting, and persistence, replacing the ROOTSAW downloader.
  • Targets include Ministries of Foreign Affairs and embassies across Europe, with limited activity in the Middle East.

The Campaign

A sophisticated phishing campaign by Cozy Bear, a Russia-linked threat actor, was recently observed targeting European diplomatic entities with fake wine-tasting event invitations to deploy GRAPELOADER and WINELOADER malware. The campaign, active since January 2025, demonstrates advanced evasion techniques and builds on prior WINELOADER operations. Check Point Research reported on this activity. 

The targeted phishing campaign, first active in January 2025, focuses on European diplomatic entities, including Ministries of Foreign Affairs and embassies, with limited targeting of diplomats in the Middle East. The operation leverages social engineering, impersonating a major European Ministry of Foreign Affairs, to distribute phishing emails themed around wine-tasting event invitations. These emails contain malicious links that deploy GRAPELOADER, a newly observed backdoor, and a new variant of WINELOADER, a modular backdoor historically associated with Cozy Bear. The campaign’s tactics, techniques, and procedures (TTPs) align closely with a prior WINELOADER campaign from March 2024, showcasing Cozy Bear’s evolving sophistication in malware deployment and evasion.

The phishing emails, disguised as invitations to diplomatic wine-tasting events, prompt recipients to click a malicious link. In some instances, the link initiates the download of an archive containing GRAPELOADER; in others, it redirects to the legitimate website of the impersonated Ministry, enhancing the campaign’s credibility. GRAPELOADER serves as the initial infection vector, performing environment fingerprinting, establishing persistence via DLL side-loading, and retrieving next-stage payloads. Its code structure, obfuscation techniques, and string decryption mechanisms share significant similarities with the new WINELOADER variant. Notably, GRAPELOADER replaces ROOTSAW, an HTA-based downloader used in earlier campaigns, indicating a shift in Cozy Bear’s TTPs.

The WINELOADER variant retains its modular architecture, enabling data exfiltration and further payload delivery. The campaign’s infrastructure is designed to evade automated analysis, with servers hosting malicious links protected against scanning and configured to activate downloads only under specific conditions. These evasion tactics underscore Cozy Bear’s operational maturity, building on its history of high-profile attacks, including the SolarWinds supply chain compromise.

The targeting of diplomatic entities aligns with Cozy Bear’s espionage-driven objectives, historically focused on government agencies and think tanks. The campaign’s focus on Europe, with limited expansion to the Middle East, reflects strategic priorities tied to geopolitical intelligence gathering. The introduction of GRAPELOADER and refinements to WINELOADER demonstrate Cozy Bear’s adaptability, enhancing its ability to bypass detection and maintain persistence in compromised environments. 

Who is Cozy Bear?

Cozy Bear, also known as APT29, Nobelium, Dukes, Iron Hemlock, Grizzly Steppe, Cloaked Ursa, Midnight Blizzard, and TA421, is a Russia-nexus threat actor group active since at least 2008. Cozy Bear focuses on espionage and typically targets Western governments, agencies, think tanks, and government contractors. Cozy Bear was responsible for the SolarWinds compromise in late 2020. Industry researchers have linked Cozy Bear to Russia’s Foreign Intelligence Service (SVR).

IOCs

PolySwarm has multiple samples associated with this campaign.

653db3b63bb0e8c2db675cd047b737cefebb1c955bd99e7a93899e2144d34358

78a810e47e288a6aff7ffbaf1f20144d2b317a1618bba840d42405cddc4cff41

d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164

adfe0ef4ef181c4b19437100153e9fe7aed119f5049e5489a36692757460b9f8

You can use the following CLI command to search for all GRAPELOADER samples in our portal:

$ polyswarm link list -f GrapeLoader

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

Topics: Russia, Threat Bulletin, Cozy Bear, GRAPELOADER