BlueDelta Hackers Expand Credential Theft Operations Targeting Microsoft OWA, Google, and Sophos VPN Users
BlueDelta, a Russian state-sponsored threat group identified as being linked to the country’s military intelligence agency, the GRU, has significantly broadened its credential-stealing activities throughout 2025. Between February and September, the group conducted multiple sophisticated phishing campaigns aimed at tricking users of Microsoft Outlook Web Access (OWA), Google services, and Sophos VPN into divulging their login credentials. These attacks represent an escalating threat to various sectors, focusing on government officials, energy sector personnel, and research professionals across Europe and Eurasia.
The recent actions by BlueDelta underscore a notable evolution in their long-standing operations, which have targeted sensitive organizations since the mid-2000s. The group’s primary focus remains on institutions involved in energy research, defense cooperation, and government communication networks. These latest campaigns highlight an increased level of sophistication, as evidenced by BlueDelta’s integration of multiple attack stages, custom malware, and the use of highly convincing lure documents designed to bypass security measures and gain victim trust.
Multi-Stage Credential Capture Mechanism by BlueDelta Hackers
According to analysis by Recorded Future, BlueDelta’s malware was identified during the second deployment phase, allowing researchers to understand the technical workings of each attack. A key element of their strategy involves leveraging free hosting services such as Webhook.site, InfinityFree, Byet Internet Services, and ngrok. These platforms are used to host fake login pages that automatically capture stolen credentials, enabling the threat actors to maintain low operational costs while preserving flexibility through easily disposable infrastructure.
The infection process meticulously orchestrated by BlueDelta is designed to collect user data through a series of calculated redirections. When a victim clicks on a phishing link, they are initially presented with legitimate PDF documents originating from organizations like the Gulf Research Center. These documents are displayed briefly, typically for around two seconds, before the page automatically redirects. This redirection leads the user to a spoofed login portal that closely mimics the authentic interfaces of Microsoft, Google, or Sophos.
At this point, malicious JavaScript on the spoofed page systematically captures victim information. The code reads the victim's email address directly from the URL parameters of the phishing link and, at the same time, sends a "page-opened" beacon to BlueDelta's command server containing the victim's email address, IP address, and browser information. Once the victim enters their login credentials, further JavaScript captures the submitted username and password and transmits them to the attacker-controlled endpoint via HTTP POST requests.
A particularly effective tactic employed by BlueDelta is the manipulation of the URL displayed in the victim’s browser. After credentials have been submitted, the phishing page subtly alters its appearance. The URL changes from the phishing domain to display elements like “/owa/” or “/pdfviewer?pdf=browser.” This alteration creates the illusion of a legitimate application interface, further deceiving the user. Following this, the page redirects the user to either the authentic PDF document or a genuine login portal of the targeted organization, leading victims to believe they have successfully completed a standard authentication process.
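The chain described in the preceding paragraphs leaves a recognisable footprint in ordinary web-proxy logs: a GET to a page on a free hosting service whose query string carries the target's e-mail address, followed shortly by a POST from the same client to the same host (the "page-opened" beacon or the credential submission). The script below is an added example of a triage heuristic over such logs; it is not code from the report or from Recorded Future. The log format, the sample lines, the hostnames and the provider domain suffixes are all constructed for this example and are not published indicators.

```python
"""Heuristic triage of web-proxy logs for a two-step credential-phishing chain:
(1) a GET to a free-hosting host with an e-mail address in the URL query, then
(2) a POST from the same client to the same host within a short time window.
Log format, field order and all sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Providers named in the report. The suffixes used to match them are an
# assumption for this example, not indicators from the report itself.
FREE_HOSTING_SUFFIXES = ("webhook.site", "infinityfree", "byethost", "ngrok")

# Constructed sample log: "<ISO8601 ts> <client_ip> <method> <url> <status>"
SAMPLE_LOG = [
    "2025-03-04T09:12:01Z 10.0.0.12 GET https://lure-placeholder.infinityfreeapp.com/pdfviewer?pdf=browser&email=analyst@example.org 200",
    "2025-03-04T09:12:41Z 10.0.0.12 POST https://lure-placeholder.infinityfreeapp.com/collect 200",
    "2025-03-04T09:12:42Z 10.0.0.12 GET https://mail.example.org/owa/ 302",
    # Benign: e-mail in a query string, but on the organisation's own intranet.
    "2025-03-04T10:00:00Z 10.0.0.33 GET https://intranet.example.org/reports?user=bob@example.org 200",
    "2025-03-04T10:00:05Z 10.0.0.33 POST https://intranet.example.org/login 200",
    # Free-hosting landing with e-mail but no follow-up POST: landing only.
    "2025-03-04T11:30:00Z 10.0.0.50 GET https://other-placeholder.ngrok-free.app/?email=carol@example.org 200",
    # POST to the lure host from a client that never landed on it: not a chain.
    "2025-03-04T11:31:00Z 10.0.0.77 POST https://lure-placeholder.infinityfreeapp.com/collect 200",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method,
        "url": url,
        "host": (urlsplit(url).hostname or "").lower(),
        "status": int(status),
    }


def is_free_hosting(host):
    """True if the host belongs to one of the watched hosting providers."""
    return any(suffix in host for suffix in FREE_HOSTING_SUFFIXES)


def email_in_query(url):
    """Return the first query-string value that looks like an e-mail address."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if EMAIL_RE.match(value):
                return value
    return None


def find_suspect_chains(lines, window=timedelta(minutes=5)):
    """Return one finding per (client, host) where a landing GET carrying an
    e-mail address is followed within `window` by a POST to the same host."""
    events = [e for e in map(parse_line, lines) if e]
    landings = defaultdict(list)  # (client, host) -> [(ts, email), ...]
    for e in events:
        if e["method"] == "GET" and is_free_hosting(e["host"]):
            email = email_in_query(e["url"])
            if email:
                landings[(e["client"], e["host"])].append((e["ts"], email))

    findings = []
    for e in events:
        if e["method"] != "POST":
            continue
        for landed_at, email in landings.get((e["client"], e["host"]), []):
            if landed_at <= e["ts"] <= landed_at + window:
                findings.append({
                    "client": e["client"],
                    "host": e["host"],
                    "email": email,
                    "landed": landed_at.isoformat(),
                    "posted": e["ts"].isoformat(),
                })
                break  # one finding per POST is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_suspect_chains(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']} ({f['email']}): "
              f"landed {f['landed']}, posted {f['posted']}")
```

Two caveats follow from the report itself. The rewrite of the displayed URL to "/owa/" or "/pdfviewer?pdf=browser" happens inside the browser and generates no request, so it is invisible in proxy logs and can only be seen with browser or endpoint telemetry. And because the infrastructure is disposable, matching on provider suffixes rather than specific hostnames is what keeps the heuristic useful after the individual lure pages are gone.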
The continuous refinement of these techniques by BlueDelta indicates a sophisticated understanding of user psychology and web browser behavior. This allows the group to achieve high success rates in credential harvesting while simultaneously evading detection by security systems. The ongoing nature of these operations presents a persistent threat to organizations relying on the targeted services.
Moving forward, security professionals are expected to monitor for further evolutions in BlueDelta’s tactics, techniques, and procedures, particularly as they continue to target critical infrastructure and government entities. The group’s consistent adaptation suggests that vigilance and proactive security measures will remain paramount in defending against such advanced persistent threats.