APT28, the Russian state-sponsored threat actor also tracked as BlueDelta, Fancy Bear, and Sofacy, has been linked to a sustained credential-harvesting campaign targeting users of UKR[.]net, a prominent Ukrainian webmail and news service. Recorded Future’s Insikt Group observed the activity between June 2024 and April 2025, building on earlier findings from May 2024 that detailed the group’s attacks against European networks using HeadLace malware and credential-harvesting web pages. APT28 is assessed to be affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) and has maintained a consistent focus on obtaining sensitive information from strategic targets.
The latest campaign employs phishing emails embedding PDF documents that include links to UKR[.]net-themed login pages hosted on legitimate services such as Mocky. These pages request users’ credentials and two-factor authentication codes, with the links often shortened using platforms like tiny[.]cc or tinyurl[.]com to obscure their true destination. In some instances, the threat actor has also utilized subdomains on services like Blogger (*.blogspot[.]com), creating a two-tier redirection chain that funnels unsuspecting users to the credential-harvesting pages. This method illustrates the group’s ability to blend into legitimate infrastructure while maintaining operational effectiveness and evading casual detection.
APT28’s operations are part of a broader set of phishing and credential theft activities conducted since the mid-2000s, historically targeting government entities, defense contractors, weapons suppliers, logistics firms, and policy think tanks. While Recorded Future’s report does not identify individual victims in this campaign, the company notes that BlueDelta’s longstanding focus on credential theft signals an intention to collect sensitive information from Ukrainian users to support broader GRU intelligence objectives. Researchers emphasize that the campaign aligns with Russia’s ongoing strategic efforts to gather intelligence in the context of the conflict in Ukraine.
An observable shift in tactics distinguishes this campaign from earlier activity. Previously, APT28 relied on compromised routers to relay stolen credentials, but the group now leverages proxy tunneling services such as ngrok and Serveo to capture and transmit credentials and two-factor authentication codes. According to Recorded Future, this adaptation likely reflects a response to Western-led infrastructure takedowns in early 2024. The ongoing use of free hosting and anonymized tunneling demonstrates the group’s persistence and adaptability, highlighting a continued GRU interest in exploiting Ukrainian webmail and online services to support intelligence collection. This sustained activity underscores the evolving nature of state-sponsored cyber operations targeting critical communications and information channels in the region.
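Detection logic for the redirect chain described above, as an added example that is not part of the original article or of Recorded Future’s report. It scores a browser’s redirect path and the landing page’s form action against the pattern the article describes (shortener, Blogger tier, free-hosting login page, credentials tunneled out via ngrok or Serveo). The concrete service domains and the sample chain are my assumptions and constructed values, not published indicators.

```python
from urllib.parse import urlparse

# Host categories taken from the campaign description. The exact domains are
# assumptions for illustration, not indicators published with the report.
SHORTENERS = {"tiny.cc", "tinyurl.com"}
BLOG_REDIRECTORS = {"blogspot.com"}
FREE_HOSTING = {"mocky.io"}
TUNNELS = {"ngrok.io", "ngrok-free.app", "serveo.net"}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def under(host: str, domains: set) -> bool:
    # Suffix match so subdomains (e.g. xyz.blogspot.com) are covered.
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_chain(hops: list, impersonated: str, form_action: str = "") -> list:
    """Return findings for a redirect chain that ends on a login page.

    hops: URLs in the order the browser followed them (first = link in the PDF).
    impersonated: the brand domain the final page imitates (here ukr.net).
    form_action: where the landing page submits credentials, if known.
    """
    findings = []
    hosts = [host_of(h) for h in hops]
    tiers = [h for h in hosts[:-1] if under(h, SHORTENERS | BLOG_REDIRECTORS)]
    if len(tiers) >= 2:
        findings.append(f"multi-tier redirect via {' -> '.join(tiers)}")
    elif tiers:
        findings.append(f"link shortener/redirector in path: {tiers[0]}")
    landing = hosts[-1]
    if not under(landing, {impersonated}):
        findings.append(f"login page for {impersonated} served from {landing}")
    if under(landing, FREE_HOSTING):
        findings.append(f"landing page on free hosting service {landing}")
    if form_action and under(host_of(form_action), TUNNELS):
        findings.append(f"credentials posted to tunnel endpoint {host_of(form_action)}")
    return findings


# Constructed sample chain modelled on the described campaign (not real URLs).
SAMPLE_CHAIN = [
    "https://tinyurl.com/example-doc",
    "https://example-news.blogspot.com/p/login.html",
    "https://run.mocky.io/v3/00000000-0000-0000-0000-000000000000",
]
SAMPLE_FORM_ACTION = "https://example.ngrok-free.app/login"

if __name__ == "__main__":
    for finding in assess_chain(SAMPLE_CHAIN, "ukr.net", SAMPLE_FORM_ACTION):
        print("FINDING:", finding)
```

The checks that do not depend on a domain list (a login page for one brand served from another host, and a form posting to a third host) are the ones that keep working when the actor rotates to new shorteners or tunnel providers.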