BlueDelta Hackers Target Users of Popular Ukrainian Webmail and News Service

Russian state-sponsored threat group BlueDelta has conducted a sustained credential-harvesting campaign targeting users of UKR.NET, one of Ukraine’s most popular webmail and news services, between June 2024 and April 2025.

According to research by Recorded Future’s Insikt Group, the operation represents a significant escalation in the GRU-linked threat actor’s efforts to compromise Ukrainian user credentials for intelligence-gathering purposes amid Russia’s ongoing military operations in Ukraine.

The campaign builds on BlueDelta’s established tradecraft of phishing and credential theft, which has evolved considerably since earlier infrastructure takedowns by Western law enforcement agencies in early 2024.

The threat group, also known as APT28, Fancy Bear, and Forest Blizzard, has adapted its tactics by transitioning from compromised routers to sophisticated proxy tunneling platforms, including ngrok and Serveo, demonstrating the GRU’s commitment to maintaining operational continuity despite international disruption efforts.

Technical Sophistication

Insikt Group identified over 42 credential-harvesting chains deployed across multiple free web services during the investigation period.

BlueDelta leveraged Mocky API services to host fake UKR.NET login portals, coupled with free hosting providers including DNS EXIT, Byet Internet Services, and ngrok’s reverse proxy tunneling infrastructure to collect usernames, passwords, and two-factor authentication codes from victims.

The credential harvesting page displayed a UKR.NET login page.

The threat group’s approach demonstrates significant technical refinement. Rather than directly exposing malicious infrastructure, BlueDelta employed a multi-tiered architecture that used free domains, link-shortening services, and proxy tunnels to obscure the actual locations of its command-and-control servers.

The campaign utilized custom JavaScript designed to exfiltrate credentials, relay CAPTCHA responses, and capture victim IP addresses through HTTPBin services.

A particularly notable discovery involved PDF lures disguised as account security notifications from UKR.NET.

PDF lure used by BlueDelta to entice victims to click links leading to credential harvesting pages.

These documents informed targets of suspicious account activity and directed them to click embedded links for password resets.

By distributing malicious PDFs, BlueDelta effectively bypassed common email filtering and sandbox detection mechanisms designed to catch phishing attempts, a tactic reflecting the group’s understanding of enterprise security infrastructure.

Between March and April 2025, Insikt Group detected significant updates to BlueDelta’s infrastructure layering, including new tier-three and previously unseen tier-four components.

The HTML and JavaScript in the latest pages remain very similar to those previously described, except for the addition of a new line of code.

BlueDelta credential harvesting infrastructure configuration.

The group transitioned from DNS EXIT domains to ngrok’s free subdomains, while simultaneously operating dedicated servers in France and Canada to handle credential exfiltration and relay operations.

Analysis revealed SSH access on standard ports alongside custom HTTP services, suggesting persistent operational presence.

The discovery of typosquat domains including ukrinet[.]com and ukrainnet[.]com further indicates BlueDelta’s strategy to maintain backup infrastructure and ensure campaign continuity.

One particular innovation involved adding ngrok-skip-browser-warning HTTP headers to JavaScript code, turning off ngrok’s built-in safety warnings that might alert users to the proxy service’s presence.
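As an added defender-side example (not from the Insikt Group report or any BlueDelta artifact), the Python below scans constructed proxy-log lines for the indicators the write-up describes: requests to free tunneling or hosting services, the ngrok-skip-browser-warning header, and the quoted typosquat domains. The host patterns for ngrok, Serveo, Mocky and HTTPBin and the log format are assumptions for this example and should be replaced with the organization's own indicator list and log schema.

```python
import re

# Assumed host patterns for the free tunneling/hosting services named in the
# write-up (not taken from the report; adjust to your own indicator list).
TUNNEL_HOST_PATTERNS = [
    re.compile(r"\.ngrok-free\.app$"),   # ngrok free subdomains
    re.compile(r"\.ngrok\.io$"),
    re.compile(r"\.serveo\.net$"),        # Serveo tunnels
    re.compile(r"(^|\.)mocky\.io$"),      # Mocky API hosting
    re.compile(r"(^|\.)httpbin\.org$"),   # HTTPBin victim-IP capture
]
# Typosquat domains quoted in the report.
TYPOSQUAT_HOSTS = {"ukrinet.com", "ukrainnet.com"}
# Header the harvesting JavaScript adds to suppress ngrok's interstitial warning.
SKIP_WARNING_HEADER = "ngrok-skip-browser-warning"

def parse_entry(line):
    """Parse one constructed 'key=value' proxy log line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def score_entry(entry):
    """Return the reasons this entry resembles the harvesting traffic pattern."""
    host = entry.get("host", "").lower()
    reasons = []
    if any(p.search(host) for p in TUNNEL_HOST_PATTERNS):
        reasons.append("free-tunnel-or-hosting-service")
    if host in TYPOSQUAT_HOSTS:
        reasons.append("ukr.net-typosquat")
    if SKIP_WARNING_HEADER in entry.get("hdrs", "").lower().split(","):
        reasons.append("ngrok-warning-suppressed")
    if reasons and entry.get("method") == "POST":
        reasons.append("post-to-suspicious-host")  # likely credential submission
    return reasons

def find_suspicious(lines):
    """Return (line_no, host, reasons) for every line that scores."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_entry(line)
        reasons = score_entry(entry)
        if reasons:
            findings.append((n, entry.get("host"), reasons))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "ts=2025-03-12T10:01:02Z src=10.0.0.5 method=GET host=mail.ukr.net path=/ hdrs=accept",
    "ts=2025-03-12T10:01:09Z src=10.0.0.5 method=GET host=a1b2c3.ngrok-free.app path=/login hdrs=accept,ngrok-skip-browser-warning",
    "ts=2025-03-12T10:01:15Z src=10.0.0.5 method=POST host=a1b2c3.ngrok-free.app path=/login hdrs=content-type,ngrok-skip-browser-warning",
    "ts=2025-03-12T10:02:40Z src=10.0.0.7 method=GET host=ukrinet.com path=/ hdrs=accept",
]

if __name__ == "__main__":
    for n, host, reasons in find_suspicious(SAMPLE_LOG):
        print(f"line {n}: {host}: {', '.join(reasons)}")
```

A POST to a flagged host with the warning-suppression header present is the strongest signal in this set; a GET alone may be a benign developer tunnel and warrants triage rather than blocking.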

Strategic Implications

BlueDelta’s sustained focus on Ukrainian user credentials aligns with documented GRU intelligence requirements.

Organizations serving Ukrainian users should implement phishing-resistant multi-factor authentication, deny-list free hosting services not critical to operations, and conduct regular security awareness training focused on fake login portals and account-themed lures.

The group has consistently targeted government institutions, defense contractors, logistics firms, and policy think tanks for more than a decade, leveraging credential theft to enable multi-phase espionage operations supporting Russia’s strategic interests.

Security researchers assess that BlueDelta will likely continue credential-harvesting operations through 2026, maintaining reliance on low-cost and anonymous web infrastructure while further diversifying hosting and redirection platforms.

The campaign underscores the persistent threat posed by state-sponsored credential theft as a cost-effective method for gaining initial access and conducting intelligence collection operations.

As threat actors continue adapting to defensive measures, organizations must maintain vigilance through continuous threat intelligence monitoring and incident response preparedness.
