Tags: incident, high, Credential Harvesting, Espionage, Spear Phishing, APT28, BlueDelta, Fancy Bear

Jan 07, 2026 • Recorded Future

GRU-Linked BlueDelta Evolves Credential Harvesting


Source: Recorded Future
Category: incident
Severity: high

Executive Summary

Russian state-sponsored threat group BlueDelta (also known as APT28/Fancy Bear/Forest Blizzard), linked to the GRU, expanded credential-harvesting campaigns from February to September 2025 targeting government, energy, and research organizations in Europe and Eurasia, including entities in Turkey, North Macedonia, and Uzbekistan. The group deployed phishing pages impersonating Microsoft Outlook Web Access, Google, and Sophos VPN services, leveraging free hosting infrastructure like Webhook.site, InfinityFree, Byet Internet Services, and ngrok. Campaigns incorporated legitimate PDF documents from research organizations as lures to enhance credibility and bypass security controls. BlueDelta utilized customized JavaScript to capture credentials and automate redirections to legitimate sites, demonstrating sophisticated tradecraft. Organizations in energy research, defense cooperation, and government communication sectors should prioritize multi-factor authentication, user awareness training, and monitoring for suspicious login patterns.

Summary

Insikt Group reveals how GRU-linked BlueDelta evolved credential-harvesting campaigns targeting government, energy, and research organizations across Europe and Eurasia.

Published Analysis

The analysis cut-off date for this report was September 11, 2025.

Executive Summary

Between February and September 2025, Recorded Future’s Insikt Group identified multiple credential-harvesting campaigns conducted by BlueDelta, a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This activity represents an expansion of BlueDelta’s ongoing credential-theft operations previously detailed in Insikt Group’s December 2025 report. Insikt Group identified BlueDelta targeting a small but distinct set of victims during its 2025 credential-harvesting activity.

Targets included individuals linked to a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences. These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities.

BlueDelta’s credential-harvesting pages impersonated a range of legitimate webmail and VPN services, including Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Each page replicated authentic login interfaces and redirected victims to legitimate websites after they submitted their credentials, thereby reducing suspicion. The campaigns relied heavily on free hosting and tunneling services, such as Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host phishing content, capture user data, and manage redirections. Several pages also incorporated legitimate PDF lure documents to enhance realism and evade automated detection.

BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data. These campaigns underscore the GRU’s sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.

Key Findings

  • BlueDelta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals.
  • The group leveraged a combination of free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host credential-harvesting pages and exfiltrate stolen data.
  • Multiple campaigns incorporated legitimate PDF lure documents, such as publications from the Gulf Research Center and the EcoClimate Foundation, to increase the appearance of authenticity and bypass email security controls.
  • BlueDelta used customized JavaScript functions to capture credentials, track victim activity, and automate redirection to legitimate websites, reducing manual setup and increasing operational efficiency.
  • Targeted email addresses and redirection behavior suggest BlueDelta focused on researchers and institutions in Türkiye and Europe, aligning with Russia’s broader intelligence-gathering priorities.

Background

BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation's Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has carried out credential-harvesting and espionage operations for more than a decade. This campaign overlaps with activity previously attributed by Insikt Group to BlueDelta, which multiple Western governments attribute with high confidence to the...
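The report describes two observable behaviours a defender can hunt for in web-proxy telemetry: login-style form submissions to pages hosted on free hosting or tunneling services, and the "bounce" to a legitimate login site that follows a submission. The script below is an added detection example written for this page; it is not code from Recorded Future or Insikt Group. The log format, the sample lines, the 30-second bounce window and the hosting-provider domain suffixes beyond webhook.site and ngrok are constructed assumptions, and a real deployment would curate the watchlist from current intelligence rather than hard-code it.

```python
"""
Added detection example (not from the report): flag proxy events matching the
credential-harvesting pattern described above -- a POST to a page on a free
hosting/tunnelling service, followed shortly by a request to a legitimate login
host. Log format, sample lines and most domain suffixes are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Services named in the report. Suffixes other than webhook.site and the two
# ngrok domains are assumptions; a production watchlist is curated separately.
FREE_HOSTING_SUFFIXES = (
    "webhook.site",          # Webhook.site
    "ngrok.io",              # ngrok tunnels (legacy)
    "ngrok-free.app",        # ngrok tunnels (free tier)
    "infinityfreeapp.com",   # InfinityFree (assumed suffix)
    "byethost.com",          # Byet Internet Services (assumed suffix)
)

# Brands impersonated by the pages; a request here right after a POST to a free
# host is the post-submission redirect the report describes.
LEGIT_LOGIN_HOSTS = frozenset({
    "outlook.office.com", "login.microsoftonline.com", "accounts.google.com",
})
BOUNCE_WINDOW_SECONDS = 30  # assumed: the bounce follows the POST within seconds

# Constructed proxy log: "<epoch> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
1700000000 10.0.0.5 GET https://abc123.ngrok-free.app/owa/auth/logon.aspx 200
1700000003 10.0.0.5 POST https://abc123.ngrok-free.app/owa/auth.owa 200
1700000004 10.0.0.5 GET https://outlook.office.com/owa/ 200
1700000010 10.0.0.7 GET https://www.example.org/research/report.pdf 200
1700000020 10.0.0.9 POST https://webhook.site/11111111-2222-3333-4444-555555555555 200
"""


@dataclass
class Event:
    ts: int
    src: str
    method: str
    host: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed-format proxy line; return None on malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = urlsplit(m["url"])
    return Event(int(m["ts"]), m["src"], m["method"],
                 (u.hostname or "").lower(), u.path, int(m["status"]))


def is_free_host(host: str) -> bool:
    """True when host is a watchlisted apex or any subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES)


def detect(lines) -> List[Tuple[str, str, str]]:
    """Return (severity, src_ip, reason) findings in log order."""
    findings: List[Tuple[str, str, str]] = []
    last_post: Dict[str, Event] = {}  # src ip -> most recent POST to a free host
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if is_free_host(ev.host):
            if ev.method == "POST":
                findings.append(("medium", ev.src,
                                 f"form POST to free hosting/tunnel host {ev.host}"))
                last_post[ev.src] = ev
            else:
                findings.append(("low", ev.src,
                                 f"request to page on free hosting/tunnel host {ev.host}{ev.path}"))
            continue
        prior = last_post.get(ev.src)
        if prior and ev.host in LEGIT_LOGIN_HOSTS and 0 <= ev.ts - prior.ts <= BOUNCE_WINDOW_SECONDS:
            findings.append(("high", ev.src,
                             f"POST to {prior.host} followed by bounce to {ev.host} after {ev.ts - prior.ts}s"))
            del last_post[ev.src]
    return findings


if __name__ == "__main__":
    for sev, src, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {src}: {reason}")
```

On the constructed sample the script raises a low-severity finding for the GET of the OWA-themed page on the ngrok host, a medium one for the POST, and a high one when the same client lands on outlook.office.com one second later; the POST to webhook.site is flagged medium on its own, and the unrelated PDF download is not flagged. The suffix match is deliberately strict (`host == suffix` or `endswith("." + suffix)`) so that look-alike registrations such as `notngrok-free.app` do not match.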

Linked Entities

  • APT28
  • BlueDelta
  • Fancy Bear
  • Forest Blizzard