Starting January 2025, Check Point Research (CPR) has been tracking a wave of targeted phishing attacks sweeping through European diplomatic circles. Disguised as invitations to exclusive wine-tasting events, these lures were designed to compromise high-value targets with a new backdoor, GRAPELOADER. This campaign, attributed to APT29—also known as Cozy Bear or Midnight Blizzard—is part of a broader, sustained effort to infiltrate diplomatic entities in Europe. In this talk, we will discuss the tactics employed in this campaign and previous ones, tracking how APT29’s phishing campaigns have evolved in recent years.