
A Russian state-sponsored threat actor known as APT28 is believed to be involved in what is described as an “ongoing” credential harvesting campaign targeting UKR[.]net users. UKR[.]net is a popular webmail and news service in Ukraine.
This activity was observed by Recorded Future’s Insikt Group from June 2024 to April 2025, and builds on previous research the company conducted in May 2024 detailing the hacker group’s attacks targeting European networks with the HeadLace malware and credential harvesting web pages.
APT28 is also tracked as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. It is believed to be affiliated with the Main Intelligence Directorate of the General Staff of the Russian Federation (GRU).

The latest attacks involve UKR[.]net-themed login pages hosted on legitimate services such as Mocky that prompt recipients to enter their credentials and two-factor authentication (2FA) code. Links to these pages are embedded within PDF documents distributed through phishing emails.
The links are shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, the attackers have also been observed using subdomains created on platforms such as Blogger (*.blogspot[.]com) to launch a two-tier redirect chain leading to a credential collection page.

This effort is part of a broader phishing and credential-theft operation the adversary has run since the mid-2000s, targeting government agencies, defense contractors, arms suppliers, logistics companies, and policy think tanks in pursuit of Russia’s strategic goals.

“Although this campaign does not disclose specific targets, Blue Delta’s past focus on stealing credentials that enable information collection provides strong indicators that it likely intends to collect sensitive information from users in Ukraine in support of broader GRU intelligence requirements,” the Mastercard-owned company said in a report shared with Hacker News.
What has changed is the shift away from compromised routers toward tunneling services like ngrok and Serveo for capturing and relaying the stolen credentials and 2FA codes.
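The redirect chain described above (shortener, then a Blogger subdomain, then a landing page on a free hosting or tunneling service) can be reconstructed from ordinary web-proxy logs. The following is an added detection example, not code from Recorded Future or The Hacker News; the log format, the log lines and the host patterns are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
# Constructed web-proxy log (not from the report): "<ts> <client> <status> <url> <location-or-dash>"
SAMPLE_LOG = """\
2025-04-02T09:14:01Z 10.1.1.7 301 https://tiny.cc/a1b2c https://mail-ukr.blogspot.com/p/login.html
2025-04-02T09:14:02Z 10.1.1.7 302 https://mail-ukr.blogspot.com/p/login.html https://run.mocky.io/v3/login-form
2025-04-02T09:14:03Z 10.1.1.7 200 https://run.mocky.io/v3/login-form -
2025-04-02T09:20:11Z 10.1.1.9 301 https://tinyurl.com/news42 https://www.example.org/article
2025-04-02T09:20:12Z 10.1.1.9 200 https://www.example.org/article -
"""

# Chain stages from the article: shortener -> Blogger subdomain -> landing page (host patterns are assumptions)
STAGES = [
    ("shortener", re.compile(r"^https?://(www\.)?(tiny\.cc|tinyurl\.com)/", re.I)),
    ("blogspot", re.compile(r"^https?://[^/]+\.blogspot\.com/", re.I)),
    ("landing", re.compile(r"^https?://[^/]*(mocky\.io|ngrok[^/]*|serveo\.net)/", re.I)),
]

def parse_log(text):
    """Yield (client, status, url, location); '-' means no Location header."""
    for line in text.splitlines():
        if line.strip():
            _ts, client, status, url, loc = line.split()
            yield client, int(status), url, (None if loc == "-" else loc)

def build_chains(rows):
    """Per client, stitch requests into chains where a 3xx Location equals the next URL."""
    chains = defaultdict(list)  # client -> list of chains, each a list of URLs
    expected = {}               # client -> Location the previous redirect pointed at
    for client, status, url, loc in rows:
        if chains[client] and expected.get(client) == url:
            chains[client][-1].append(url)  # continues the current chain
        else:
            chains[client].append([url])    # starts a new chain
        expected[client] = loc if 300 <= status < 400 else None
    return chains

def stage_of(url):
    return next((name for name, pat in STAGES if pat.match(url)), None)

def flag_chains(text):
    """Return [(client, chain)] for chains visiting all stages in order; extra hops allowed."""
    wanted = [name for name, _ in STAGES]
    hits = []
    for client, client_chains in build_chains(parse_log(text)).items():
        for chain in client_chains:
            seen = iter(s for s in map(stage_of, chain) if s)
            if all(stage in seen for stage in wanted):  # ordered-subsequence test
                hits.append((client, chain))
    return hits
```

Only the chain from 10.1.1.7 is flagged; the benign shortener hop from 10.1.1.9 never reaches a Blogger subdomain or a tunneling host, so it is ignored.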
“Blue Delta’s continued exploitation of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure destruction in early 2024,” Recorded Future said. “This campaign highlights the GRU’s persistent interest in compromising Ukrainian user credentials to support Russia’s intelligence-gathering operations amid Russia’s ongoing war in the country.”
