
APT28 Targets Turkish Energy and EU Think Tanks in Phishing Campaigns


A group of hackers has recently launched new credential-harvesting attacks against people connected with a Turkish nuclear research agency, an EU-based think tank, and several companies working in North Macedonia and Uzbekistan.

The hacking group APT28 (also tracked as BlueDelta) is believed to be behind these operations. This activity follows a previous, long-running phishing operation against UKR[.]net users, demonstrating that credential theft remains one of the primary intelligence-collection methods employed by this group.

Highly Customized Lures and Area-Specific Targeting
As reported by Recorded Future's Insikt Group, these attackers have shown great operational customization through their use of Turkish/English lures and area-specific themes designed to increase their perceived level of credibility within their target audience.

The researchers say that the attack reflects continued interest in organizations involved in energy research, defense collaboration and communication networks used by governments, which are of particular interest to the Russian intelligence community.

The two campaigns took place in February and September 2025, and targeted a very small number of individuals strategically chosen for their importance as opposed to targeting large distribution lists.

Sophisticated Phishing Infrastructure
The phishing infrastructure was elaborate: users were sent to a fake login page imitating a legitimate one, such as:
1. Microsoft’s OWA
2. Google’s login page
3. Sophos’ VPN login page

A notable feature of this phish was that, after entering their credentials, users were seamlessly redirected onward, which raised little suspicion and made it less obvious to victims that they had been phished.

APT28 abused legitimate infrastructure as well as disposable services to host their phishing pages and steal credentials. Those services are:
1. Webhook.site
2. InfinityFree
3. Byet Internet Services
4. Ngrok

All of these services allowed APT28 to receive stolen credentials, fire a “page opened” beacon, and build the multi-step redirects that supported the phishing flow.
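Because the services listed above are legitimate and widely used, the defensive value lies in spotting the pattern the article describes rather than blocking them outright: a free-hosting page followed within seconds by a POST to a webhook collector, or a GET to a webhook endpoint that looks like a “page opened” beacon. The following Python sweep over web-proxy logs is an added example for this page, not tooling from Recorded Future, Insikt Group or The Hacker News; the log layout, the hostname patterns for each service and the sample lines are all constructed assumptions to be tuned against real traffic.

```python
"""Flag web-proxy requests that touch the disposable hosting and tunnelling
services named in the article (Webhook.site, InfinityFree, Byet, ngrok).

Added example for this page; it is not tooling from Recorded Future, Insikt
Group or The Hacker News. The log format, the domain patterns and the sample
lines are all constructed assumptions, to be tuned to real traffic.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumed watchlist: hostname patterns for the services named in the article.
# The exact domains each service hands out change over time; treat this as a
# starting point, not an authoritative list.
WATCHLIST: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"(^|\.)webhook\.site$"), "webhook.site"),
    (re.compile(r"(^|\.)ngrok(-free)?\.(io|app|dev)$"), "ngrok"),
    (re.compile(r"(^|\.)(infinityfree(app)?\.com|epizy\.com|rf\.gd)$"), "infinityfree"),
    (re.compile(r"(^|\.)byethost\d*\.com$"), "byet"),
]

# Assumed proxy log layout: epoch_seconds client method url status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Two different watched hosts hit by one client within this many seconds is
# treated as a candidate multi-step redirect chain.
CHAIN_WINDOW_S = 30


def watched_service(host: str) -> Optional[str]:
    """Return the watchlist label for host, or None if it is not watched."""
    host = host.lower().rstrip(".")
    for pattern, label in WATCHLIST:
        if pattern.search(host):
            return label
    return None


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious request, in log order."""
    alerts: List[Dict[str, str]] = []
    last_hit: Dict[str, Tuple[int, str]] = {}  # client -> (ts, host) of last watched hit
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # malformed line: skip rather than abort the sweep
        ts = int(m["ts"])
        host = urlparse(m["url"]).hostname or ""
        service = watched_service(host)
        if service is None:
            continue
        if m["method"] == "POST":
            kind = "credential-submission-candidate"  # form data leaving for a collector
        elif service == "webhook.site":
            kind = "beacon-candidate"  # a GET to a webhook endpoint fits the "page opened" signal
        else:
            kind = "disposable-service-access"
        alerts.append({"client": m["client"], "host": host, "service": service, "kind": kind})
        prev = last_hit.get(m["client"])
        if prev and prev[1] != host and ts - prev[0] <= CHAIN_WINDOW_S:
            alerts.append({"client": m["client"], "host": host, "service": service,
                           "kind": "redirect-chain-candidate", "previous": prev[1]})
        last_hit[m["client"]] = (ts, host)
    return alerts


# Constructed sample log: not captured traffic. The webhook path is a placeholder.
SAMPLE_LOG = """
1726300000 10.0.0.5 GET https://www.example.org/policy-brief.pdf 200 48213
1726300004 10.0.0.5 GET https://notice-portal.infinityfreeapp.com/owa/login.html 200 3120
1726300009 10.0.0.5 POST https://webhook.site/11111111-2222-3333-4444-555555555555 200 17
1726300010 10.0.0.5 GET https://outlook.office.com/owa/ 200 9000
1726300300 10.0.0.9 GET https://a1b2c3.ngrok-free.app/reset 200 120
not a log line
""".strip().splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the sweep raises four alerts: the free-hosting page view, the POST to the webhook collector, the chain alert tying the two together for the same client, and an unrelated ngrok access from a second host. The chain alert is the one worth paging on; the single-service hits are context, since developers and testers legitimately use these platforms.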

Use of Legitimate Policy Documents as Decoys
To maximize the likelihood of success, the actors behind these campaigns used actual policy documents from legitimate organizations as phishing bait.

The following two policy publications were included in this effort:
1. Gulf Research Center publication detailing the June 2025 Iran–Israel conflict
2. ECCO Mediterranean policy briefing published July 2025 by the climate think tank ECCO

One observed attack chain had victims click a shortened link that opened a PDF containing the actual Gulf Research Center publication listed above; on opening the PDF, the victim was redirected to a spoofed login form hosted on Webhook[.]site. The attackers used hidden HTML elements and JavaScript to capture victim credentials and send them to the attackers through compromised websites.

APT28 has also carried out a number of credential-harvesting campaigns that did not use fake policy publications as bait.

The following additional APT28 campaigns have been observed so far:
1. In June 2025, the spoofed Sophos VPN password reset page targeting European think tanks.
2. In September 2025, the expired password phishing campaign directed toward military and IT sectors operating in North Macedonia and Uzbekistan.
3. In April 2025, the fake Google password reset phishing hosted on Byet infrastructure with exfiltration of information through ngrok.

As reported by Recorded Future, BlueDelta's abuse of legitimate Internet service providers reflects the group's patience and its investment in low-cost, disposable platforms as a means of collecting intelligence.

The ongoing credential-harvesting efforts of APT28 show that the GRU regards credential harvesting as a high-yield intelligence-collection method, one that gives it continued access to sensitive military and government communications as well as energy-sector intelligence.

Source: The Hacker News


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067