APT28 Conducts Credential Phishing Campaign Targeting Ukrainians

Published
December 18, 2025
Category
Hot Technology Sectors

Full Transcript

APT28, the Russian state-sponsored threat actor, has been linked to a sustained credential-harvesting campaign targeting users of UKR.net, a webmail and news service popular in Ukraine. This activity was observed by Recorded Future's Insikt Group between June 2024 and April 2025.

The group, also known as BlueDelta, Fancy Bear, and several other aliases, is assessed to be affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

The attacks use UKR.net-themed login pages hosted on legitimate services to entice users into entering their credentials and two-factor authentication codes. Links to these pages are embedded in PDF documents sent via phishing emails, often wrapped in URL-shortening services such as tiny.cc or tinyurl.com.

In some instances, the threat actor is using subdomains on platforms like Blogger to create a two-tier redirection chain leading to the credential harvesting page. This campaign is part of a larger set of phishing operations that APT28 has conducted since the mid-2000s, targeting various sectors including government institutions and defense contractors.

Although specific targets were not disclosed in the report, the historical focus of BlueDelta on credential theft indicates an intent to collect sensitive information from Ukrainian users to support GRU intelligence requirements.

The report notes a shift in tactics from using compromised routers to using proxy-tunneling services such as ngrok and Serveo, suggesting an adaptive response to the infrastructure takedowns of early 2024. This campaign underlines the GRU's sustained interest in compromising Ukrainian credentials amid the ongoing conflict.
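The infrastructure pattern described above (a shortened link, a Blogger-hosted intermediate page, and a final credential page served through a tunneling service) lends itself to a simple chain-level detection on web proxy or URL-sandbox logs. The following is an added example, not code from the original transcript or from Recorded Future; the redirect chains and hostnames are constructed placeholders, not indicators from the report, and the list of tunneling-service domain suffixes is an assumption that would need to be maintained against the services actually in use.

```python
from urllib.parse import urlparse

# Constructed sample: redirect chains as a proxy or URL sandbox might record them,
# one chain per list, first hop to last. Hostnames are placeholders, not report IoCs.
SAMPLE_CHAINS = [
    ["https://tinyurl.com/example-abc",
     "https://example-blog.blogspot.com/p/login.html",
     "https://abcd1234.ngrok-free.app/ukr.net/login"],          # two-tier chain to a tunnel
    ["https://tiny.cc/example-xyz",
     "https://example.serveo.net/mail"],                          # shortener straight to a tunnel
    ["https://www.example.org/newsletter",
     "https://www.example.org/articles/1"],                       # benign internal redirect
]

URL_SHORTENERS = {"tiny.cc", "tinyurl.com"}       # shorteners named in the report
BLOG_HOSTS = {"blogspot.com"}                     # Blogger-hosted subdomains
# Tunneling services named in the report; the exact suffix list is an assumption.
TUNNEL_HOSTS = {"ngrok.io", "ngrok.app", "ngrok-free.app", "serveo.net"}
BRAND = "ukr.net"                                 # the impersonated service


def host_matches(host, suffixes):
    """True if host equals or is a subdomain of any suffix in the set."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_hop(url):
    """Label one hop of a chain by the kind of host it lands on."""
    host = urlparse(url).hostname or ""
    if host_matches(host, URL_SHORTENERS):
        return "shortener"
    if host_matches(host, BLOG_HOSTS):
        return "blog_hosting"
    if host_matches(host, TUNNEL_HOSTS):
        return "tunnel"
    return "other"


def brand_lure(url):
    """True when the brand string appears in the URL but the host is not the brand's own domain."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host_matches(host, {BRAND}):
        return False
    return BRAND in url.lower()


def score_chain(chain):
    """Return (per-hop labels, list of findings) for one redirect chain."""
    if not chain:
        return [], []
    stages = [classify_hop(u) for u in chain]
    findings = []
    if stages[-1] == "tunnel":
        findings.append("final_hop_on_tunneling_service")
    if stages[0] == "shortener" and len(chain) >= 2:
        findings.append("shortener_entry")
    if "blog_hosting" in stages[1:-1]:
        findings.append("intermediate_blog_redirect")   # the two-tier pattern
    if any(brand_lure(u) for u in chain):
        findings.append("brand_string_on_off_brand_host")
    return stages, findings


def is_suspicious(chain):
    """Flag a chain that ends on a tunneling service, or stacks two or more weak signals."""
    _, findings = score_chain(chain)
    return "final_hop_on_tunneling_service" in findings or len(findings) >= 2


if __name__ == "__main__":
    for chain in SAMPLE_CHAINS:
        stages, findings = score_chain(chain)
        print("SUSPICIOUS" if is_suspicious(chain) else "ok", stages, findings)
```

A single hop through a shortener or a blog host is too common to alert on by itself, so the chain is only flagged when it terminates on a tunneling service or when at least two of the weaker signals (shortener entry, intermediate blog redirect, brand string on a foreign host) coincide; in practice the suffix sets would be fed from threat intelligence rather than hard-coded.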
