Tags: Credential Harvesting, Cyber Espionage, Spear Phishing, APT28, BlueDelta, Fancy Bear

Dec 17, 2025 • Recorded Future

BlueDelta’s Persistent Campaign Against UKR.NET


Source: Recorded Future
Category: incident
Severity: high

Executive Summary

Russian state-sponsored threat group BlueDelta (APT28/Fancy Bear) conducted a sustained credential-harvesting campaign targeting UKR.NET users from June 2024 to April 2025. The group distributed malicious PDF lures containing embedded links to fake login portals to bypass email scanning and sandbox detection. BlueDelta leveraged free web services including Mocky and DNS EXIT, then transitioned to proxy tunneling platforms like ngrok and Serveo to collect usernames, passwords, and two-factor authentication codes. The campaign demonstrates increased operational sophistication with multi-tier infrastructure and evolving tradecraft. This activity reflects the GRU's persistent interest in compromising Ukrainian user credentials for intelligence collection supporting Russia's ongoing military operations. BlueDelta's unique toolset and JavaScript-based exfiltration methods have not been observed in other Russian threat groups.

Summary

Discover how Russia’s BlueDelta targets UKR.NET users with advanced credential-harvesting campaigns, evolving tradecraft, and multi-stage phishing techniques.

Published Analysis

The analysis cut-off date for this report was July 30, 2025.

Executive Summary

Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns,” which documented GRU-linked credential theft and espionage activity.

While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements. Insikt Group observed BlueDelta deploy multiple credential-harvesting pages themed as UKR.NET login portals. The group leveraged free web services, including Mocky, DNS EXIT, and later, proxy tunneling platforms such as ngrok and Serveo, to collect usernames, passwords, and two-factor authentication codes. BlueDelta distributed PDF lures containing embedded links to these credential-harvesting pages, likely to bypass automated email scanning and sandbox detections. The tools, infrastructure choices, and bespoke JavaScript described in this report are consistent with BlueDelta’s established tradecraft and have not been observed in use by other Russian threat groups. BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024. The campaign highlights the GRU’s persistent interest in compromising Ukrainian user credentials to support intelligence-gathering operations amid Russia’s ongoing war in Ukraine.

Key Findings

  • BlueDelta maintained a consistent focus on UKR.NET users, continuing its long-running credential-harvesting activity throughout 2024 and 2025.
  • The group distributed malicious PDF lures that linked to credential-harvesting pages through embedded URLs, enabling it to evade common email filtering and sandbox detection techniques.
  • BlueDelta transitioned from compromised routers to proxy tunneling platforms, such as ngrok and Serveo, to relay credentials and bypass CAPTCHA and two-factor authentication challenges.
  • Activity between March and April 2025 revealed updates to BlueDelta’s multi-tier infrastructure, including new tier-three and previously unseen tier-four components, indicating increased operational layering and sophistication.
  • The campaign demonstrates continued refinement of BlueDelta’s credential-theft operations, reflecting the GRU’s sustained focus on collecting Ukrainian user credentials for intelligence purposes.

Background

BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation’s Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has conducted credential-harvesting and espionage operations for more than a decade. The activity detailed in this report aligns with previous BlueDelta campaigns tracked by Insikt Group and consistently attributed by multiple Western governments to the GRU. Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on UKR.NET and other webmail services using fake login portals hosted on...
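The embedded-link technique the report describes (a clean-looking PDF whose only malicious content is a link to a page on a free hosting or tunnelling service) gives defenders a concrete check: pull the link targets out of PDF attachments at the mail gateway and flag hosts under those providers. The script below is an added example written for this page; it is not code from Recorded Future or Insikt Group. It scans a PDF for /URI link actions, including ones inside FlateDecode-compressed streams that a plain grep over the file would miss, and matches each hostname against an assumed watch-list built from the public domains of the services the report names (ngrok, Serveo, Mocky). That watch-list, the two sample PDFs and the hostnames in them are constructed for the example and are not indicators from the report; DNS EXIT is left out because it hands out hostnames under many registrable domains, which you would populate from your own telemetry.

```python
import re
import zlib
from urllib.parse import urlparse

# Assumed watch-list: public apex domains of the free hosting / tunnelling services the
# report names. The report does not publish the hostnames BlueDelta used, so this is an
# assumption to extend from your own telemetry, not an indicator list.
SUSPECT_APEX = (
    "ngrok.io", "ngrok.app", "ngrok-free.app", "ngrok.dev",
    "serveo.net",
    "mocky.io",
)

# A link annotation carries its target in a /URI entry whose value is either a PDF
# literal string "(...)" (parentheses and backslashes may be escaped) or a hex string "<...>".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
# Stream bodies; the lookbehind stops "endstream" from starting a bogus match.
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape_literal(raw: bytes) -> str:
    """Undo the common PDF literal-string escapes (\\( \\) \\\\ \\n \\r \\t); octal escapes are not handled."""
    specials = {ord("n"): 0x0A, ord("r"): 0x0D, ord("t"): 0x09}
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):  # backslash escape: keep the escaped byte
            out.append(specials.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target in the file, including those inside Flate-compressed streams."""
    blobs = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode (or uncompressed); the raw scan already covers it
    uris = []
    for blob in blobs:
        for m in URI_LITERAL.finditer(blob):
            uris.append(_unescape_literal(m.group(1)))
        for m in URI_HEX.finditer(blob):
            hexdata = re.sub(rb"\s", b"", m.group(1))
            if len(hexdata) % 2:
                hexdata += b"0"  # PDF pads a trailing odd hex digit with zero
            uris.append(bytes.fromhex(hexdata.decode("ascii")).decode("latin-1"))
    return uris


def suspicious_links(pdf: bytes) -> list[tuple[str, str]]:
    """Return (url, matched_apex) for every link whose host sits under a watch-listed domain."""
    hits = []
    for uri in extract_uris(pdf):
        host = (urlparse(uri).hostname or "").lower()
        for apex in SUSPECT_APEX:
            if host == apex or host.endswith("." + apex):
                hits.append((uri, apex))
                break
    return hits


# Constructed sample 1: a plain-text PDF with two link annotations, one to a made-up
# tunnelled hostname and one to an unrelated site.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://mail-login.ngrok-free.app/ukr/auth\\(1\\)) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680]
  /A << /S /URI /URI (https://www.example.com/docs) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: the same kind of link hidden in a FlateDecode stream, where a
# byte-level grep for the URL would find nothing.
_hidden = b"<< /S /URI /URI (https://mail-login.serveo.net/login) >>"
_packed = zlib.compress(_hidden)
SAMPLE_PDF_COMPRESSED = (
    b"%PDF-1.5\n6 0 obj << /Length " + str(len(_packed)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _packed + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PDF), ("compressed", SAMPLE_PDF_COMPRESSED)):
        print(name, suspicious_links(blob))
```

Two caveats follow from the report itself. First, this only inspects the first hop: with the multi-tier infrastructure the key findings describe, the link in the lure may land on a redirector before the harvesting page, so the extracted URL is a lead for detonation or URL reputation, not proof on its own. Second, the watch-list decays: the report documents a shift from Mocky and DNS EXIT to ngrok and Serveo within a single campaign, so the domain list needs the same refresh cadence as any other indicator set. The host matcher is provider-agnostic and can be run unchanged over proxy or DNS logs to catch the same destinations at the network layer. For production use, a real PDF parser (object streams, other filters, encrypted files) should replace the regex scan, which handles only plain objects and Flate streams.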

Linked Entities

  • APT28
  • BlueDelta
  • Fancy Bear
  • Forest Blizzard