BlueDelta Hackers Attacking Users of Widely Used Ukrainian Webmail and News Service


A new credential-harvesting campaign has been discovered targeting users of UKR.NET, a popular Ukrainian webmail and news platform.

The attacks are linked to BlueDelta, a Russian state-sponsored hacker group also known as APT28, Fancy Bear, and Forest Blizzard.

This group has been running operations for over ten years, focusing on stealing login credentials from government agencies, defense contractors, and other sensitive targets to support Russia’s military intelligence needs.

Between June 2024 and April 2025, the threat actors created fake UKR.NET login pages designed to steal usernames, passwords, and two-factor authentication codes from Ukrainian users.

These pages were hosted on free web services like Mocky and DNS EXIT, making them harder to trace. The hackers sent PDF files to victims containing links to these fake login portals.

This method helped them avoid detection by automated email security systems and sandbox tools that scan for malicious content.


Recorded Future analysts identified that BlueDelta changed its methods after law enforcement agencies disrupted their previous infrastructure in early 2024.

Instead of using compromised routers like before, the group switched to proxy tunneling platforms such as ngrok and Serveo. These services enabled them to conceal the actual locations of their servers while capturing victims’ credentials.

The campaign shows the persistent effort by Russian intelligence services to collect sensitive information from Ukrainian users during the ongoing conflict.

Credential-Harvesting Mechanism

The fake login pages used custom JavaScript code to steal user information and send it to attacker-controlled servers.

The code captured login credentials and relayed CAPTCHA challenges to domains with unusual port numbers like `kfghjerrlknsm[.]line[.]pm:11962`. The hackers also added code to record victim IP addresses using HTTPBin, a free API service.

The credential harvesting page displayed a UKR.NET login page (Source - Recorded Future)

In later versions, BlueDelta updated the JavaScript to disable ngrok’s browser warning page. The code line `req.setRequestHeader("ngrok-skip-browser-warning", "1");` was added to prevent victims from seeing security alerts when connecting through the proxy service.

UKR.NET credential capture page JavaScript (Source - Recorded Future)

This made the fake pages appear more legitimate and reduced the chance that victims would notice anything suspicious.
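As an added example, not code from the article or from Recorded Future's report, the following Python script shows how a defender could flag the indicators described above in outbound web-proxy logs: the `ngrok-skip-browser-warning` request header, connections to tunnelling hosts on non-standard ports, calls to HTTPBin's IP-lookup endpoint, and pages served from Mocky. The log format and the sample entries are constructed; the hostname suffixes assumed for ngrok, Serveo and Mocky are assumptions about how those services allocate names.

```python
from urllib.parse import urlparse

# Constructed sample of outbound web-proxy log lines: "<client> <method> <url> <request-headers>".
# The host:port on the second line is the (re-fanged) indicator quoted in the article.
SAMPLE_LOGS = """\
10.0.0.5 GET https://www.ukr.net/ -
10.0.0.5 POST https://kfghjerrlknsm.line.pm:11962/login ngrok-skip-browser-warning=1;content-type=text/plain
10.0.0.5 GET https://httpbin.org/ip -
10.0.0.9 GET https://run.mocky.io/v3/abcd1234-0000 -
10.0.0.7 GET https://mail.example.org/inbox -
"""

# Hostname suffixes for the tunnelling and free-hosting services named in the article.
# ".line.pm" comes from the article's example indicator; the others are assumed service names.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".serveo.net", ".line.pm")
FREE_HOST_SUFFIXES = (".mocky.io",)
STANDARD_PORTS = {80, 443}


def score_line(line: str) -> list[str]:
    """Return the names of the campaign indicators that match one proxy log line."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return []
    _client, _method, url, headers = parts
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    hits = []
    if "ngrok-skip-browser-warning" in headers.lower():
        hits.append("ngrok-warning-bypass")          # header that hides ngrok's interstitial page
    if host.endswith(TUNNEL_SUFFIXES):
        hits.append("tunnel-host")                   # proxy-tunnelling platform in the chain
        if port not in STANDARD_PORTS:
            hits.append("non-standard-port")         # e.g. the :11962 seen in the campaign
    if host == "httpbin.org" and parsed.path.startswith("/ip"):
        hits.append("httpbin-ip-lookup")             # victim IP recording via HTTPBin
    if host.endswith(FREE_HOST_SUFFIXES):
        hits.append("free-hosting-page")             # harvesting page hosted on Mocky
    return hits


def scan_logs(text: str) -> dict[str, list[str]]:
    """Map each client address to the sorted set of indicators seen in its traffic."""
    seen: dict[str, set[str]] = {}
    for line in text.splitlines():
        hits = score_line(line)
        if hits:
            seen.setdefault(line.split(" ", 1)[0], set()).update(hits)
    return {client: sorted(hits) for client, hits in seen.items()}
```

Clients that combine several of these indicators in a short window (here 10.0.0.5) are the ones worth triaging first.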

The group built a multi-tier infrastructure with up to six separate layers between the victim and the final server. The first layer used link-shortening services like TinyURL and Linkcuts, while the second layer hosted the credential-harvesting pages on Mocky.

The third layer involved ngrok tunneling domains that connected to dedicated servers in France and Canada.

This complex setup made it difficult for security teams to track the attackers and shut down their operations.

Recorded Future researchers noted over 42 different credential-harvesting chains during the campaign period, showing the scale and persistence of this threat.
