Current Cyber Threats

GRU-Linked BlueDelta Evolves Credential Harvesting

Summary:
Between February and September 2025, the Russian state-sponsored threat group BlueDelta (aka APT28, Fancy Bear, Forest Blizzard), attributed to the GRU, executed a sophisticated credential harvesting campaign targeting strategic entities in Turkey and Europe. The operations targeted individuals linked to a Turkish energy and nuclear research agency, a European think tank, and organizations in North Macedonia and Uzbekistan, according to Recorded Future. These targets align with Russia’s broader intelligence gathering objectives. The group deployed phishing pages impersonating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. A key evolution in their TTPs is the integration of legitimate PDF lure documents, such as the observed reports from the Gulf Research Center and the EcoClimate Foundation, directly into the attack chain. The attack flow typically uses a shortened URL that directs the victim to a webhook[.]site page; that page displays the legitimate PDF for a few seconds to establish credibility before redirecting to the actual credential harvesting page.

The campaign relies heavily on the abuse of free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host content and exfiltrate data. BlueDelta employed custom JavaScript to enhance operational efficiency. Scripts were used to harvest email addresses from URL parameters, send "page_opened" beacons to track victim engagement, and dynamically populate hidden form fields with exfiltration URLs, reducing the administrative overhead for the adversary. Upon submission of credentials, victims were often redirected to the actual legitimate websites or PDF sources to minimize early detection.

Security Officer Comments:
BlueDelta’s observed tradecraft demonstrates a refined approach to social engineering and infrastructure management. The reliance on free webhook[.]site and ngrok infrastructure for both hosting and exfiltration produces distinct domains that can be deny-listed; where these services are required for the business, monitor their use closely. Note that the analysis cut-off date for this report was September 11, 2025.

Their shift to include custom JavaScript for handling exfiltration URLs indicates the group is actively polishing its toolkit for rapid deployment and scalability. Defenders should tune email gateways to flag links redirecting to these free hosting providers, especially when embedded in emails thematically related to geopolitical or energy sector research. The targeting of Turkish nuclear research and European think tanks underscores the GRU's continued focus on non-NATO and NATO-adjacent targets.
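As an added defensive example (not code from the Recorded Future report or from this bulletin), the following Python triages web or email gateway log lines against the tradecraft described above: it flags URLs hosted on the abused free services, URLs that carry a victim's email address in the query string (the kit pre-filled the login form from a URL parameter), 3xx redirects whose target lands on one of those services, and the per-user sequence of a free-hosting page followed by a login-themed page on a different host. The key=value log format, the field names, the sample lines, and the hostname patterns for each provider are constructed assumptions; the patterns should be maintained against the vendor IoC feed linked under Suggested Corrections rather than treated as complete.

```python
"""Defensive triage of gateway log lines against the free-hosting abuse
described in the BlueDelta report. Added example: the log lines, the
field names and the hostname patterns are constructed assumptions."""
import re
from urllib.parse import urlparse, parse_qs

# Services the report names. The hostname patterns are an assumption about
# how each provider issues customer subdomains; keep them aligned with the
# vendor IoC feed rather than treating them as complete.
ABUSED_SERVICES = [
    (re.compile(r"(^|\.)webhook\.site$"), "Webhook.site"),
    (re.compile(r"(^|\.)ngrok(-free)?\.(io|app|dev)$"), "ngrok"),
    (re.compile(r"(^|\.)(infinityfreeapp\.com|rf\.gd|42web\.io)$"), "InfinityFree"),
    (re.compile(r"(^|\.)byethost\d*\.com$"), "Byet Internet Services"),
    (re.compile(r"(^|\.)shorturl\.at$"), "ShortURL"),
]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LOGIN_PATH_RE = re.compile(r"(owa|login|signin|auth|vpn|portal)", re.I)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def classify_host(host):
    """Return the abused-service label for a hostname, or None."""
    host = (host or "").lower().rstrip(".")
    for pattern, label in ABUSED_SERVICES:
        if pattern.search(host):
            return label
    return None


def parse_line(line):
    """Parse a constructed key=value gateway log line into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def inspect_url(url):
    """List the reasons a single URL is suspicious under this campaign's TTPs."""
    reasons = []
    parsed = urlparse(url)
    service = classify_host(parsed.hostname)
    if service:
        reasons.append(f"host on abused free service: {service}")
    # The phishing kit pre-filled the victim's address from a URL parameter,
    # so a mail address in any query value is a strong signal.
    for values in parse_qs(parsed.query).values():
        if any(EMAIL_RE.match(v) for v in values):
            reasons.append("victim email address carried in URL query")
            break
    return reasons


def triage(lines):
    """Flag each line that touches abused infrastructure, directly or via a
    3xx redirect, and return (timestamp, user, reasons) tuples."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        reasons = inspect_url(rec.get("url", ""))
        location = rec.get("location")
        if location and rec.get("status", "").startswith("3"):
            for r in inspect_url(location):
                reasons.append("redirect target -> " + r)
        if reasons:
            findings.append((rec.get("ts"), rec.get("user"), reasons))
    return findings


def redirect_chains(lines):
    """Per user, detect the report's sequence: a page on an abused free
    service followed by a login-themed page on a different host."""
    by_user = {}
    for line in lines:
        rec = parse_line(line)
        by_user.setdefault(rec.get("user"), []).append(urlparse(rec.get("url", "")))
    chains = []
    for user, visits in by_user.items():
        for prev, cur in zip(visits, visits[1:]):
            if (classify_host(prev.hostname) and prev.hostname != cur.hostname
                    and LOGIN_PATH_RE.search(cur.path or "")):
                chains.append((user, prev.hostname, cur.hostname))
    return chains


# Constructed sample lines (not from the report) in the assumed key=value form.
SAMPLE_LOG = [
    "ts=2025-09-03T10:15:20Z user=a.user@example.org status=302 url=https://shorturl.at/xyz123 location=https://webhook.site/0f1e2d3c?email=a.user@example.org",
    "ts=2025-09-03T10:15:21Z user=a.user@example.org status=200 url=https://webhook.site/0f1e2d3c?email=a.user@example.org",
    "ts=2025-09-03T10:15:26Z user=a.user@example.org status=200 url=https://mail-portal.example.rf.gd/owa/auth.php",
    "ts=2025-09-03T10:16:02Z user=b.user@example.org status=200 url=https://docs.example.org/report.pdf",
]

if __name__ == "__main__":
    for ts, user, reasons in triage(SAMPLE_LOG):
        print(ts, user, "; ".join(reasons))
    for user, hop, dest in redirect_chains(SAMPLE_LOG):
        print(f"redirect chain for {user}: {hop} -> {dest}")
```

Run against a real export, `triage` gives the per-line alerts for a gateway rule and `redirect_chains` gives the higher-confidence sequence worth an analyst's attention; the login-path heuristic is deliberately broad, so tune it to the portals your organization actually exposes.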

Suggested Corrections:
IOCs: https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting

Implement specific protective measures:
  • Enforce strong, unique passwords and enable multi-factor authentication (MFA), prioritizing phishing-resistant methods such as hardware or app-based authenticators
  • Deny-list free hosting and tunneling services not required for business operations, including Webhook[.]site, InfinityFree, Byet Internet Services, ngrok, and ShortURL
  • Monitor email and web gateway logs for PDF attachments or embedded links referencing account verification, password resets, or login issues
  • Track authentication attempts from proxy services or nonstandard ports, particularly those associated with ngrok tunnels
Adopt general best practices:
  • Conduct regular phishing awareness training focused on fake login portals and security-themed lures
  • Maintain an incident response plan for credential compromise, including defined escalation, account reset, and containment procedures
  • Periodically review external service dependencies to ensure no unnecessary exposure to free or unvetted web services
Link(s):
https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting