Discover how Russia’s BlueDelta targets UKR.NET users with advanced credential-harvesting campaigns, evolving tradecraft, and multi-stage phishing techniques.
Analysis Summary
# Threat Actor: BlueDelta
## Attribution & Identity
**Attribution:** Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation’s Armed Forces (GRU).
**Known Aliases and Associated Groups:** APT28, Fancy Bear, Forest Blizzard.
## Activity Summary
Between June 2024 and April 2025, BlueDelta conducted a sustained credential-harvesting campaign specifically targeting users of **UKR.NET**, a major Ukrainian webmail and news service. This activity builds upon earlier espionage campaigns by the group. Their primary objective is intelligence collection in support of broader GRU requirements related to the ongoing war in Ukraine. The group refined its multi-tier infrastructure during this period, incorporating new tier-three and tier-four components between March and April 2025, indicating increased sophistication.
## Tactics, Techniques & Procedures
- **Credential Harvesting:** Deployed credential-harvesting pages visually themed as UKR.NET login portals to capture usernames, passwords, and two-factor authentication codes.
- **Malicious Lures:** Distributed malicious **PDF lures** containing embedded links to the credential-harvesting pages to bypass automated email scanning and sandbox detections.
- **Infrastructure Evasion:** Shifted infrastructure away from the compromised routers used in earlier campaigns toward free hosting and anonymized proxy-tunneling platforms, which relay harvested credentials and help the operators work around CAPTCHA and 2FA challenges.
- **Operational Layering:** Raised operational sophistication by adding multi-tier infrastructure components (new tier-three components and previously unseen tier-four components).
## Targeting
- **Sectors:** Not explicitly detailed for this specific campaign, but historically targets government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks.
- **Geography:** Focused heavily on **Ukraine**.
- **Victims:** Users of the **UKR.NET** webmail service.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly detailed beyond the custom credential-harvesting pages and scripts; the same exfiltration JavaScript was observed across the harvesting pages.
- **Infrastructure:**
  - **Credential Collection Platforms:** Mocky, DNS EXIT (using the apex domain `line[.]pm`).
  - **Proxy Tunneling/Relaying:** ngrok (`*-free[.]app` subdomains) and Serveo.
  - **Redirection/Shortening:** linkcuts (e.g., `linkcuts[.]com`, `linkcuts[.]org`), tinyurl.
- **Observed Infrastructure Components (Examples):**
  - `kfghjerrlknsm[.]line[.]pm:11962`
  - `run[.]mocky[.]io` (various paths)
  - `abaf-5-135-199-21[.]ngrok-free[.]app`
## Implications
BlueDelta/GRU maintains a persistent, dedicated focus on compromising Ukrainian user credentials, indicating high intelligence priority concerning Ukrainian personnel and organizations. The refinement of infrastructure specifically to evade known defenses (like email filtering and 2FA mechanisms via proxy relays) shows high adaptability and commitment to maintaining access to Ukrainian communication channels.
## Mitigations
- **Enhanced Email Filtering:** Implement robust defenses against malicious PDF attachments and embedded URLs, particularly those leading to login pages mimicking trusted services like UKR.NET.
- **Infrastructure Monitoring:** Monitor for internal hosts connecting to free or commercial tunneling services such as ngrok or Serveo, and for suspicious traffic to known URL shorteners, particularly a shortener request followed shortly by a connection to a tunneling or free-hosting service.
- **User Awareness Training:** Conduct specific training for UKR.NET users regarding sophisticated credential phishing, emphasizing multi-factor authentication vigilance and the dangers of embedded links in seemingly benign documents (PDFs).
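One way to operationalize the infrastructure-monitoring mitigation above, as an added example that is not part of the original report: a small Python scanner that flags proxy-log requests to the domain families listed in the report's infrastructure section and pairs a URL-shortener hit with a follow-on tunnel or collection-platform hit from the same client. The log format and client addresses are constructed; the hostnames are the report's own examples, and `serveo.net` is an assumed hostname since the report names Serveo only as a service.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit
# Apex domains from the report's infrastructure list, tagged with the role the report gives them. serveo.net is assumed.
WATCHLIST = {
    "line.pm": "collection (DNS EXIT)",
    "mocky.io": "collection (Mocky)",
    "ngrok-free.app": "tunnel (ngrok)",
    "serveo.net": "tunnel (Serveo)",
    "linkcuts.com": "redirector (linkcuts)",
    "linkcuts.org": "redirector (linkcuts)",
    "tinyurl.com": "redirector (tinyurl)",
}
# Constructed proxy log, "<timestamp> <client> <method> <url>"; hostnames are the report's examples, paths are placeholders.
SAMPLE_LOG = """\
2025-04-02T10:15:03Z 10.20.30.44 GET https://linkcuts.org/placeholder
2025-04-02T10:15:04Z 10.20.30.44 GET https://abaf-5-135-199-21.ngrok-free.app/
2025-04-02T10:15:09Z 10.20.30.44 POST http://kfghjerrlknsm.line.pm:11962/
2025-04-02T10:16:30Z 10.20.30.51 GET https://www.ukr.net/
2025-04-02T10:17:02Z 10.20.30.51 GET https://run.mocky.io/placeholder-path
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+[A-Z]+\s+(?P<url>\S+)")

def classify_host(host):
    """Return the watchlist role if the host or any parent domain is listed; accepts defanged `[.]` input."""
    parts = host.replace("[.]", ".").lower().rstrip(".").split(".")
    return next((WATCHLIST[".".join(parts[i:])] for i in range(len(parts) - 1)
                 if ".".join(parts[i:]) in WATCHLIST), None)

def scan_log(text):
    """Return (timestamp, client, host, port, role) for every request whose destination is on the watchlist."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        url = urlsplit(m["url"])
        label = classify_host(url.hostname or "")
        if label:
            hits.append((m["ts"], m["src"], url.hostname, url.port, label))
    return hits

def redirect_chains(hits, window_s=120):
    """Pair a redirector hit with each later tunnel/collection hit from the same client within window_s seconds."""
    last_redirect, chains = {}, []
    for ts, src, host, _port, label in hits:
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if label.startswith("redirector"):
            last_redirect[src] = (t, host)
        elif src in last_redirect and (t - last_redirect[src][0]).total_seconds() <= window_s:
            chains.append((src, last_redirect[src][1], host))
    return chains
```

Non-standard destination ports (such as the 11962 seen on the `line.pm` host) are carried in each hit so they can be weighted separately in a real rule.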