A credential-harvesting operation conducted by BlueDelta, a Russian state-sponsored threat group linked to Russia's military intelligence service, the GRU (Main Directorate of the General Staff), targeted critical infrastructure organizations and research institutions throughout 2025, according to an investigation by Recorded Future's Insikt Group.
The campaign, spanning February through September 2025, represents a significant evolution in the group’s persistent credential-theft operations, with new targeting methodologies and enhanced technical capabilities.
BlueDelta, also tracked as APT28, Fancy Bear, and Forest Blizzard, deployed highly targeted phishing campaigns against personnel affiliated with a Turkish energy and nuclear research agency, a European think tank, and organizations in North Macedonia and Uzbekistan.
The threat actors demonstrated operational sophistication by incorporating Turkish-language content and region-specific lure materials, increasing credibility and engagement rates among targeted professional audiences.
The campaigns used legitimate PDF documents as bait, including publications from the Gulf Research Center titled "Strategic and Political Implications for Israel and Iran: The Day After War" and the EcoClimate Foundation's report on "Climate Action as a Strategic Priority for the New Pact for the Mediterranean".
These documents were temporarily displayed to victims before presenting fraudulent login interfaces, a tactic designed to establish legitimacy and bypass automated security controls.
Multi-Stage Infrastructure Abuse
BlueDelta's technical infrastructure relied heavily on free hosting and tunneling services, demonstrating the group's continued preference for low-cost, disposable infrastructure that complicates attribution efforts.
The campaigns abused Webhook[.]site, InfinityFree, Byet Internet Services, ngrok, and ShortURL to host phishing content, capture credentials, and manage complex redirection chains.
The threat actors implemented sophisticated multi-stage redirection sequences, beginning with shortened URLs that directed victims through intermediary webhooks before presenting credential-harvesting pages.
This approach allowed BlueDelta to display legitimate PDF documents for brief periods, capture page-opened beacons containing victim email addresses and metadata, and ultimately present convincing replicas of Microsoft Outlook Web Access, Google, and Sophos VPN login interfaces.
Analysis of BlueDelta’s credential-harvesting pages revealed iterative improvements in their operational tradecraft.
The group introduced JavaScript that reads the page's own URL at runtime and derives the exfiltration endpoint from it, so a kit deployed to a new hosting URL needed no manual reconfiguration of where captured credentials are sent.
Notably, BlueDelta updated variable naming conventions from “OldPwd” to “password” in later campaigns, demonstrating code refinement based on operational requirements.
On July 16, 2025, BlueDelta created a new credential-harvesting page using the free API service Webhook[.]site, hosted via the URL hxxps://webhook[.]site/ff237e88-cbaf-4b0b-b787-6e2f1f2c926f.

The threat actors also implemented unique 32-byte hexadecimal victim identifiers embedded in URL query strings, enabling precise tracking of individual targets throughout the credential-harvesting process.
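The redirect chain, the abused hosting and tunneling services, the per-victim identifiers in query strings, and the JSON POST of captured credentials described on this page all leave traces in outbound proxy logs. The script below is an added example, not code from the Insikt Group report or from Recorded Future: it walks constructed proxy log lines, reconstructs per-client chains through the abused services, pulls out 64-character hex identifiers (the assumed encoding of the report's 32-byte identifiers), and notes JSON POSTs to those hosts. The log format, client addresses, URLs, and the InfinityFree/Byet domain patterns are assumptions for the demo.

```python
"""Hunt for BlueDelta-style redirect chains and per-victim identifiers in proxy logs.

Added example, not code from the Insikt Group report. The log format, client
addresses, URLs and hosting domains below are constructed; adapt parse_line()
and the host patterns to your own proxy and telemetry.
"""
import re
from urllib.parse import parse_qs, urlparse

# Customer-facing domains of the free hosting, tunneling and shortener services
# the report names. The InfinityFree and Byet patterns are assumptions.
ABUSED_HOST_PATTERNS = [re.compile(p) for p in (
    r"(^|\.)webhook\.site$",
    r"(^|\.)ngrok(-free)?\.(io|app|dev)$",
    r"(^|\.)shorturl\.at$",
    r"(^|\.)infinityfreeapp\.com$",
    r"(^|\.)byethost\d*\.com$",
)]

# The report describes 32-byte hex victim identifiers in query strings; this
# assumes they are serialized as 64 hex characters.
VICTIM_ID_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample: "<timestamp> <client> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
2025-07-16T09:01:02Z 10.0.0.7 GET https://shorturl.at/abcd 302 -
2025-07-16T09:01:03Z 10.0.0.7 GET https://webhook.site/11111111-2222-3333-4444-555555555555?id=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 302 -
2025-07-16T09:01:05Z 10.0.0.7 GET https://mail-login.infinityfreeapp.com/owa/auth?id=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 200 text/html
2025-07-16T09:01:40Z 10.0.0.7 POST https://webhook.site/11111111-2222-3333-4444-555555555555 200 application/json
2025-07-16T09:02:00Z 10.0.0.9 GET https://www.microsoft.com/ 200 text/html
2025-07-16T10:15:00Z 10.0.0.12 GET https://webhook.site/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee 200 text/plain
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its six whitespace-separated fields."""
    ts, client, method, url, status, ctype = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype}


def is_abused_host(host: str) -> bool:
    """True when the hostname is (or is a subdomain of) an abused service."""
    host = host.lower()
    return any(p.search(host) for p in ABUSED_HOST_PATTERNS)


def extract_victim_ids(url: str) -> set[str]:
    """Query-string values that look like the report's 32-byte hex identifiers."""
    qs = parse_qs(urlparse(url).query)
    return {v for values in qs.values() for v in values if VICTIM_ID_RE.match(v)}


def analyze(log_text: str) -> dict[str, dict]:
    """Per client: ordered chain of abused hosts, victim ids seen, JSON POSTs made."""
    findings: dict[str, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = urlparse(rec["url"]).hostname or ""
        if not is_abused_host(host):
            continue
        f = findings.setdefault(rec["client"], {"chain": [], "victim_ids": set(),
                                                "json_post_to_abused": False})
        if host not in f["chain"]:
            f["chain"].append(host)           # first-seen order = redirect order
        f["victim_ids"] |= extract_victim_ids(rec["url"])
        if rec["method"] == "POST" and rec["ctype"].startswith("application/json"):
            f["json_post_to_abused"] = True   # credentials posted as JSON
    return findings


def high_confidence(findings: dict[str, dict]) -> list[str]:
    """Clients that traversed two or more abused hosts or carried a victim id.
    A single hit on webhook.site alone is often a developer, so it is not enough."""
    return sorted(c for c, f in findings.items()
                  if len(f["chain"]) >= 2 or f["victim_ids"])


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for client, f in results.items():
        print(client, " -> ".join(f["chain"]), sorted(f["victim_ids"]), f["json_post_to_abused"])
    print("high confidence:", high_confidence(results))
```

The chain-length and identifier conditions in high_confidence are what keep the alert useful: Webhook.site and ngrok are also used legitimately by developers, so a single request to one of them should feed a watchlist rather than an incident.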
The targeting patterns reflect Russian intelligence priorities in energy research, defense cooperation, and regional government communications.

On June 4, 2025, BlueDelta deployed a new credential-harvesting page themed as a Sophos VPN password reset page.

Custom scripts tracked victim activity through page-opened beacons, transmitted captured credentials to the collection endpoint as JSON in HTTP POST requests, and redirected victims to legitimate services after submission to reduce suspicion.

BlueDelta's persistent abuse of legitimate internet services underscores the GRU's assessment that credential harvesting remains a cost-effective method for collecting intelligence supporting Russian strategic objectives.

Mitigations

Organizations can mitigate exposure by implementing phishing-resistant multi-factor authentication, deny-listing free hosting and tunneling services that have no business purpose, and monitoring authentication attempts that arrive via proxy services or nonstandard ports.
Security teams should prioritize detection of PDF attachments containing embedded links referencing account verification or password reset themes.
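One way to put that PDF check into practice, as an added example that is not code from the report or from Recorded Future: the script below pulls every /URI link action out of a PDF, including ones hidden inside FlateDecode streams that a plain grep over the file would miss, and flags targets whose host or path carries password-reset or account-verification wording, that point at a URL shortener or webhook redirector, or that use plaintext HTTP. The sample PDF bytes, hostnames, keyword list, and redirector list are constructed for the demo; a production scanner should sit on a real PDF parser rather than regular expressions.

```python
"""Flag PDF attachments whose embedded links look like credential-harvesting lures.

Added example, not code from the Insikt Group report. The sample PDF, the
hostnames, the theme words and the redirector list are constructed here.
"""
import re
import zlib
from urllib.parse import urlparse

# Wording the report associates with the lure pages (assumed keyword list).
THEME_WORDS = ("reset", "password", "verify", "verification", "account",
               "login", "signin", "owa", "auth")
# Shortener / webhook hosts used as redirectors in the campaign (assumed list).
REDIRECTOR_HOSTS = ("shorturl.at", "webhook.site", "ngrok-free.app", "ngrok.io")

URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)  # (…) string
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                    # <hex> string
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(raw: bytes) -> str:
    """Resolve \\( \\) \\\\ and \\ddd octal escapes in a PDF literal string."""
    def repl(m: re.Match) -> bytes:
        g = m.group(1)
        return bytes([int(g, 8)]) if g[:1] in b"01234567" else g
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.DOTALL).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI target in the raw objects plus any Flate-compressed stream."""
    blobs = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))   # object or content stream
        except zlib.error:
            continue                                    # not Flate, or corrupt
    uris: list[str] = []
    for blob in blobs:
        uris += [_unescape(m.group(1)) for m in URI_LITERAL_RE.finditer(blob)]
        uris += [bytes.fromhex(m.group(1).decode()).decode("latin-1")
                 for m in URI_HEX_RE.finditer(blob)]
    return uris


def classify(uri: str) -> list[str]:
    """Reasons a link is suspicious; an empty list means nothing was flagged."""
    reasons: list[str] = []
    p = urlparse(uri)
    host = (p.hostname or "").lower()
    text = f"{host}{p.path}?{p.query}".lower()
    hits = [w for w in THEME_WORDS if re.search(rf"\b{w}\b", text)]
    if hits:
        reasons.append("theme:" + ",".join(hits))
    if any(host == h or host.endswith("." + h) for h in REDIRECTOR_HOSTS):
        reasons.append("redirector:" + host)
    if p.scheme == "http":
        reasons.append("plaintext-http")
    return reasons


def scan_pdf(pdf: bytes) -> dict[str, list[str]]:
    """Map each embedded link to the reasons it was flagged."""
    return {u: classify(u) for u in extract_uris(pdf)}


def build_sample_pdf() -> bytes:
    """Constructed sample: a literal-string link, a hex-string link, and a link
    inside a FlateDecode object stream (invisible to a naive grep of the file)."""
    plain = (b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI "
             b"/URI (https://example-mail.net/owa/auth/password-reset?user=x) >> >> endobj\n")
    hexlink = (b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50] /A << /S /URI /URI <"
               + b"http://verify-account.example.net/".hex().encode() + b"> >> >> endobj\n")
    hidden = (b"6 0 obj << /Type /Annot /Subtype /Link /Rect [0 60 100 80] /A << /S /URI "
              b"/URI (https://shorturl.at/AbCd) >> >> endobj\n")
    body = zlib.compress(hidden)
    objstm = (b"7 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
              + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj\n"
            + plain + hexlink + objstm + b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for uri, reasons in scan_pdf(build_sample_pdf()).items():
        print(uri, "->", reasons or "clean")
```

Hosts extracted this way should also be run through the same hosting and tunneling deny-list used for proxy logs; the theme keywords alone will miss a lure whose only link is a bare shortener URL, which is exactly why the redirector check is separate.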
Recorded Future assesses with high confidence that BlueDelta will continue credential-harvesting operations into 2026, adapting lure themes and introducing localized content to engage regional targets across sectors of strategic relevance to Russia.
