Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan.
The activity has been attributed to APT28 (aka BlueDelta), which was attributed to a “sustained” credential-harvesting campaign targeting users of UKR[.]net last month. APT28 is associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
“The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences,” Recorded Future’s Insikt Group said. “These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities.”
The cybersecurity company described the attacks as targeting a small but distinct set of victims in February and September 2025, with the campaign leveraging fake login pages that were styled to resemble popular services like Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals.
The efforts are noteworthy for the fact that unsuspecting users are redirected to the legitimate sites after the credentials are entered on the bogus landing pages, thereby avoiding raising any red flags. The campaigns have also been found to lean heavily on services like Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok to host the phishing pages, exfiltrate stolen data, and enable redirections.
In a further attempt to lend them a veneer of legitimacy, the threat actors are said to have used legitimate PDF lure documents, including a publication from the Gulf Research Center related to the June 2025 Iran-Israel war and a July 2025 policy briefing calling for a new pact for the Mediterranean released by climate change think tank ECCO.
The attack chain starts with a phishing email containing a shortened link that, when clicked, redirects victims to another link hosted on webhook[.]site, which briefly displays the decoy document for about two seconds before redirecting to a second webhook[.]site that hosts a spoofed Microsoft OWA login page.
Present within this page is a hidden HTML form element that stores the webhook[.]site URL and uses JavaScript to send a
“page opened” beacon, transmit the submitted credentials to the webhook endpoint, and ultimately redirect back to the PDF hosted on the actual website.
APT28 has also been observed conducting three other campaigns –
- A June 2025 campaign that deployed a credential-harvesting page mimicking a Sophos VPN password reset page hosted on infrastructure provided by InfinityFree to harvest credentials entered into the form and redirect victims to a legitimate Sophos VPN portal belonging to an unnamed E.U. think tank
- A September 2025 campaign that used credential-harvesting pages hosted on InfinityFree domains to falsely warn users of expired passwords to trick them into entering their credentials and redirect to a legitimate login page associated with a military organization in the Republic of North Macedonia and an IT integrator based in Uzbekistan
- An April 2025 campaign that used a fake Google password reset page hosted on Byet Internet Services to gather victims’ credentials and exfiltrate them to an ngrok URL
“BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data,” the Mastercard-owned company said. “These campaigns underscore the GRU’s sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.”
