The Russian state-sponsored threat actor known as APT28 has been linked to what has been described as a "persistent" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine.
The activity, observed by Recorded Future's Insikt Group between June 2024 and April 2025, builds on the cybersecurity company's prior findings from May 2024, which detailed attacks by the hacking group against European networks using HeadLace malware and credential-harvesting web pages.
APT28 is also tracked as BlueDelta, Fancy Bear, Forest Blizzard, FrozenLake, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. It is estimated to be affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
The latest attacks feature UKR[.]net-themed login pages deployed on legitimate services like Mocky to entice recipients into entering their credentials and two-factor authentication (2FA) codes. Links to these pages are embedded in PDF documents that are distributed via phishing emails.
The links are shortened using services like Tiny[.]cc or tinyurl[.]com. In some cases, the threat actors have also been observed using subdomains created on platforms like Blogger (*.blogspot[.]com) to build a two-level redirect chain that leads to the credential-harvesting page.
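As an added defender-side illustration (not from the report or from The Hacker News), the following Python triages a redirect chain that has already been captured from a sandboxed URL fetch against the traits the article describes: a shortener as the entry point, a free-hosting hop in the middle, and a landing page carrying UKR.net branding on a host that is not ukr.net. The sample chain, the mocky.io suffix and the list of legitimate ukr.net login hosts are constructed assumptions.

```python
from urllib.parse import urlparse

# Indicators named in the article (shorteners, Blogger subdomains); the mocky.io
# suffix and the legitimate-host list are assumptions for this example.
SHORTENERS = {"tiny.cc", "tinyurl.com"}
FREE_HOSTING_SUFFIXES = (".blogspot.com", ".mocky.io")
LEGIT_MAIL_HOSTS = {"ukr.net", "mail.ukr.net", "accounts.ukr.net"}

# Constructed sample: link from the PDF -> Blogger hop -> lookalike login page.
SAMPLE_CHAIN = [
    "https://tiny.cc/abc123",
    "https://example-notes.blogspot.com/p/x.html",
    "https://run.mocky.io/v3/ukr-login",
]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def looks_like_ukr_lure(url):
    """True when a URL outside ukr.net carries 'ukr' branding in host, path or query."""
    h = host_of(url)
    if h in LEGIT_MAIL_HOSTS or h.endswith(".ukr.net"):
        return False
    p = urlparse(url)
    return "ukr" in h or "ukr" in p.path.lower() or "ukr" in p.query.lower()


def triage_chain(chain):
    """Score a captured redirect chain (first element = link embedded in the PDF).
    Returns (verdict, reasons) where verdict is 'benign', 'review' or 'suspicious'."""
    reasons = []
    hosts = [host_of(u) for u in chain]
    via_shortener = bool(hosts) and hosts[0] in SHORTENERS
    if via_shortener:
        reasons.append(f"entry via URL shortener {hosts[0]}")
    hops = [h for h in hosts[1:-1] if h.endswith(FREE_HOSTING_SUFFIXES)]
    if hops:
        reasons.append("intermediate redirect on free hosting: " + ", ".join(hops))
    if len(chain) >= 3:
        reasons.append(f"{len(chain) - 1} redirects before the landing page")
    lure = bool(chain) and looks_like_ukr_lure(chain[-1])
    if lure:
        reasons.append(f"landing page impersonates UKR.net on {hosts[-1]}")
    if lure or (via_shortener and hops):
        return "suspicious", reasons
    return ("review" if reasons else "benign"), reasons


if __name__ == "__main__":
    print(triage_chain(SAMPLE_CHAIN))
```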
These efforts are part of a broader set of phishing and credential-theft campaigns the adversary has conducted since the mid-2000s against government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks to further Russia's strategic objectives.
“Although this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of potential intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements,” the MasterCard-owned company said in a report shared with The Hacker News.
The infrastructure has also shifted from compromised routers to proxy tunneling services like Ngrok and Serveo to capture and relay the stolen credentials and 2FA codes.
“BlueDelta’s continued abuse of free hosting and anonymous tunneling infrastructure likely reflects an adaptive response to a Western-led infrastructure takedown as early as 2024,” Recorded Future said. “This campaign highlights the GRU’s continued interest in compromising Ukrainian user credentials to support intelligence gathering operations amid Russia’s ongoing war in Ukraine.”