Pulse: Renewed APT29 Phishing Campaign Against European Diplomats
TLP: WHITE | Adversary: APT29 | Author: AlienVault | Created: 2025-04-15 | Modified: 2025-04-15
Indicators: 21 | Medium volume
A sophisticated phishing campaign targeting European diplomatic entities has been uncovered, attributed to the Russia-linked threat group APT29. The attackers impersonate a major European foreign affairs ministry, sending fake invitations to wine tasting events. The campaign employs a new loader called GRAPELOADER, which is used for initial reconnaissance and payload delivery. Additionally, a new variant of the WINELOADER backdoor has been discovered, likely used in later stages of the attack. Both malware components share similarities in code structure and obfuscation techniques. The campaign focuses on European diplomatic targets, including non-European embassies in Europe, with some indications of limited targeting outside the region.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in this pulse
Malware families: GRAPELOADER, WINELOADER
Indicators of Compromise (4 of 21 total shown)
Indicator types present in this pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, URL, domain

TYPE          INDICATOR                           DESCRIPTION  CREATED
FileHash-MD5  a89b9bdf5f28f4380f383ee199401bdc    -            2025-04-15
FileHash-MD5  e025fa8354968f298af3f6ef2f22d7d3    -            2025-04-15
FileHash-MD5  e06fbace9c2297e47e6bf991f2681b2b    -            2025-04-15
FileHash-MD5  f474f6cd156e53a994ae3d25dcecb50c    -            2025-04-15