A new credential-harvesting campaign targeting users of UKR.NET, a prominent Ukrainian webmail and news service, has been identified. The sophisticated operation is attributed to BlueDelta, a Russian state-sponsored hacker group also known by aliases such as APT28, Fancy Bear, and Forest Blizzard. This group has a long history of conducting cyberespionage operations, primarily focused on acquiring login credentials from entities vital to Russia’s intelligence and military objectives.
The malicious campaign, observed between June 2024 and April 2025, involved the creation of deceptive UKR.NET login pages. These fake portals were designed to illicitly capture usernames, passwords, and two-factor authentication codes from unsuspecting Ukrainian users. To evade detection, the attackers hosted these phishing pages on free, easily accessible web services like Mocky and DNS EXIT, which helped obscure their true origins. The initial vector for these attacks involved sending PDF files to potential victims, containing embedded links that directed them to the credential-harvesting sites. This method was employed to bypass automated email security filters and sandbox analysis tools that typically flag malicious content.
Technical Breakdown of the Credential-Harvesting Operation
Recorded Future analysts have detailed how BlueDelta adapted its tactics following the disruption of its previous infrastructure by law enforcement in early 2024. Previously, the group utilized compromised routers to facilitate its operations. However, this recent campaign saw a shift towards proxy tunneling platforms such as ngrok and Serveo. These services allowed the attackers to mask the actual location of their command-and-control servers, making attribution and takedown efforts significantly more challenging, while still enabling the capture of victim credentials.
The technical execution of the campaign involved custom JavaScript code embedded within the fake UKR.NET login pages. This script was responsible for capturing the sensitive information entered by users and transmitting it directly to servers controlled by the threat actors. The captured data included login credentials. The attackers also implemented a mechanism to relay CAPTCHA challenges back to the victims, presenting them through domains that used unusual port numbers, such as kfghjerrlknsm[.]line[.]pm:11962. Furthermore, the JavaScript code was designed to record victim IP addresses using HTTPBin, a publicly available API service, providing an additional layer of data collection.
In later iterations of the attack, BlueDelta refined its JavaScript to bypass security warnings generated by the ngrok service. By adding the line of code req.setRequestHeader("ngrok-skip-browser-warning", "1");, the attackers prevented victims from seeing ngrok's default browser warning pages. This modification aimed to enhance the legitimacy of the fake login pages, thereby reducing the likelihood of users recognizing the fraudulent nature of the site and abandoning the phishing attempt. This attention to detail highlights the group's persistent efforts to refine its phishing techniques for maximum effectiveness.
The operational infrastructure employed by BlueDelta was notably complex, featuring a multi-tier architecture that created up to six distinct layers between the victim and the final attacker-controlled server. The initial point of contact often involved link-shortening services like TinyURL and Linkcuts. Subsequent layers hosted the credential-harvesting pages on platforms like Mocky, followed by ngrok tunneling domains. These tunneling domains ultimately connected to dedicated servers located in France and Canada. This layered approach presented a significant hurdle for security researchers and law enforcement agencies attempting to trace and dismantle the malicious infrastructure, illustrating the advanced capabilities of the BlueDelta group.
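The traits described above (free-hosting and tunneling domains, non-standard ports, the ngrok warning-bypass header, and HTTPBin IP lookups) can be turned into simple triage logic for web-proxy logs. The following is an added illustration, not code from the report or from Recorded Future; the log format, the sample lines and the domain watchlist are constructed assumptions.

```python
"""Flag web-proxy log lines carrying traits of the UKR.NET phishing chain."""
from urllib.parse import urlsplit

# Assumed, illustrative watchlist of the services named in the report.
WATCHLIST = ("ngrok.io", "ngrok-free.app", "ngrok.app", "serveo.net",
             "mocky.io", "dnsexit.com", "line.pm")
HTTPBIN = "httpbin.org"
BYPASS_HEADER = "ngrok-skip-browser-warning"  # header quoted in the report

def host_on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def analyse(line):
    """Return the indicator names found in one proxy log line.

    Constructed format: '<ts> <client_ip> <method> <url> [hdr=value;...]'
    """
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return []
    u = urlsplit(parts[3])
    host = (u.hostname or "").lower()
    headers = parts[4].lower() if len(parts) == 5 else ""
    findings = []
    if host_on_watchlist(host):
        findings.append("tunnel_or_free_host")
    if u.port and u.port not in (80, 443):       # e.g. line.pm:11962
        findings.append(f"unusual_port:{u.port}")
    if BYPASS_HEADER in headers:                 # ngrok warning suppressed
        findings.append("ngrok_warning_bypass")
    if host == HTTPBIN or host.endswith("." + HTTPBIN):
        findings.append("httpbin_ip_lookup")     # victim IP collection
    return findings

def triage(lines, min_hits=2):
    """Return (line, findings) for lines with at least min_hits indicators."""
    return [(ln, f) for ln in lines if len(f := analyse(ln)) >= min_hits]

# Constructed sample log lines (not real telemetry).
SAMPLE = [
    "2025-03-12T10:15:02Z 10.0.0.5 GET https://run.mocky.io/v3/ab12/login",
    "2025-03-12T10:15:09Z 10.0.0.5 POST https://abcd-1234.ngrok-free.app/auth "
    "ngrok-skip-browser-warning=1;content-type=application/x-www-form-urlencoded",
    "2025-03-12T10:15:10Z 10.0.0.5 GET https://kfghjerrlknsm.line.pm:11962/captcha",
    "2025-03-12T10:15:11Z 10.0.0.5 GET https://httpbin.org/ip",
    "2025-03-12T10:16:00Z 10.0.0.7 GET https://www.ukr.net/",
]

if __name__ == "__main__":
    for line, findings in triage(SAMPLE):
        print(findings, line[:60])
```

A single hit (such as one request to a free hosting service) is common in benign traffic, so the threshold counts co-occurring indicators from the same client rather than alerting on each one alone.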
The persistence and scale of the BlueDelta operation are underscored by the findings of Recorded Future researchers, who identified over 42 different credential-harvesting chains throughout the observed campaign period. This extensive network of interconnected malicious activities demonstrates the sustained commitment of Russian intelligence to gather sensitive information from Ukrainian users amidst the ongoing conflict. The continuous evolution of their methods, from utilizing compromised routers to employing advanced proxy tunneling and sophisticated JavaScript, highlights the adaptive nature of state-sponsored cyber threats.
As BlueDelta continues to refine its techniques, users of popular Ukrainian online services should remain vigilant for suspicious login prompts and unexpected email attachments. Security experts recommend employing strong, unique passwords for all online accounts and enabling two-factor authentication wherever possible. The ongoing nature of these attacks suggests that users must maintain a high level of cybersecurity awareness to protect their personal and sensitive information from sophisticated threat actors like BlueDelta.