Ethical Hacking News

Credential-Harvesting Attacks by APT28: A Rise in Russian Cyber Espionage




In 2025, APT28 launched a series of credential-harvesting attacks targeting Turkish energy and nuclear agency staff, European think tank personnel, and organizations in North Macedonia and Uzbekistan. The group used fake login pages mimicking Outlook, Google, and Sophos VPN to steal credentials, redirecting victims to real sites. APT28's tactics were regionally tailored to reflect interest in energy, defense, and government networks aligned with Russian intelligence priorities. This marked an expansion of their ongoing operations and demonstrated the group's adaptability and persistence.



  • APT28 (also known as UAC-0001, Fancy Bear, Pawn Storm, etc.) has been involved in a surge of cyber espionage activities targeting Turkey, Europe, North Macedonia, and Central Asia.
  • APT28's credential-harvesting campaigns were observed by Recorded Future's Insikt Group in 2025, expanding their ongoing operations and showcasing adaptability and persistence.
  • The group used fake login pages mimicking Outlook, Google, and Sophos VPN, delivered through phishing emails, as a high-yield approach to credential theft.
  • APT28 incorporated legitimate PDF lures into their campaigns to increase authenticity, making it challenging for victims to recognize them as phishing attempts.
  • The group used free hosting services, tunneling services, and ngrok proxies to host phishing pages, exfiltrate data, and enable redirects without detection.
  • APT28's attacks targeted not only Google accounts but also Microsoft OWA and Sophos VPN password-reset pages, capturing victim credentials via JavaScript validation.
  • The group demonstrated adaptability by targeting new organizations and using similar techniques in September, expanding their reach to North Macedonian military and IT firms in Uzbekistan.



    The world of cyber espionage has seen a recent surge in activities by Russian-backed groups, particularly APT28 (also known as UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM). In this article, we will delve into the details of these attacks, highlighting the tactics employed by APT28 to harvest credentials from various targets across Turkey, Europe, North Macedonia, and Central Asia.

    In 2025, Recorded Future's Insikt Group observed APT28 running credential-harvesting campaigns, targeting a range of individuals and organizations. The group's methods were regionally tailored to reflect interest in energy, defense, and government networks aligned with Russian intelligence priorities. This marked an expansion of their ongoing operations, showcasing the group's adaptability and persistence.

    One of the key tactics employed by APT28 was the use of fake login pages mimicking Outlook, Google, and Sophos VPN. The phishing emails, and the pages they linked to, were designed to appear legitimate, making it difficult for victims to distinguish spoofed login portals from real ones. The group relied on free hosting services, tunneling services, and PDF lures to carry out their attacks.

    To further increase the appearance of authenticity, APT28 incorporated legitimate PDF lure documents into their campaigns. These documents were sourced from reputable publications such as the Gulf Research Center and the EcoClimate Foundation, making it challenging for victims to recognize them as phishing attempts. The group's use of these PDF lures demonstrated a low-cost, high-yield approach to credential theft.

    The attacks themselves involved redirecting victims to legitimate sites after credential theft to avoid detection. This allowed APT28 to exfiltrate stolen data without raising suspicion. The group used free hosting and tunneling services like Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok to host phishing pages, exfiltrate data, and enable redirects.

    In April 2025, APT28 launched a Portuguese-language Google password-reset phishing page hosted on free domains (Byet Internet Services and InfinityFree) using ngrok proxies. This campaign reused tradecraft from previous attacks, including hidden HTML forms, JavaScript validation, and staged redirection. The use of these tactics by APT28 further highlighted their persistence in targeting specific groups.

    The attacks carried out by APT28 were not limited to Google accounts alone; the group also targeted Microsoft OWA and Sophos VPN password-reset pages. On June 4, they deployed a Sophos VPN password-reset spoof page hosted on a free InfinityFree domain, capturing victim credentials via JavaScript that extracted unique identifiers from the URL and sent them to attacker-controlled endpoints before redirecting to a legitimate VPN portal.
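As an added, defender-side illustration (not part of the original article), the following Python triages constructed web-proxy log lines for the flow just described: a lure page on a tunnel or free-hosting domain, a per-victim identifier in the URL, a form POST, then an immediate hop to the real portal. The indicator lists, the portal hosts, and the log format are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed indicator lists (not from the article): tunnel/free-hosting suffixes and the portals the lures imitate.
UNTRUSTED_SUFFIXES = (".ngrok-free.app", ".ngrok.io", "webhook.site", ".free-host.example")
TRUSTED_PORTALS = {"login.microsoftonline.com", "outlook.office.com", "accounts.google.com"}
REDIRECT_WINDOW = timedelta(seconds=15)
# Long opaque query value: the per-victim identifier the lure's JavaScript reads from the URL.
TOKEN_IN_QUERY = re.compile(r"[?&]\w+=[A-Za-z0-9+/=_-]{16,}")
# Constructed proxy-log format: "<iso-timestamp> <client-ip> <METHOD> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) https?://([^/\s]+)(\S*) (\d{3})$")

def parse(line):
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host.lower(), "path": path, "status": int(status)}

def untrusted_host(host):
    return any(host == s.lstrip(".") or host.endswith(s) for s in UNTRUSTED_SUFFIXES)

def triage(lines):
    # Returns (client, rule, host) alerts for the lure -> form POST -> real-portal flow.
    by_client = defaultdict(list)
    for e in filter(None, map(parse, lines)):
        by_client[e["client"]].append(e)
    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not untrusted_host(e["host"]):
                continue
            if TOKEN_IN_QUERY.search(e["path"]):
                alerts.append((client, "victim-token-in-url", e["host"]))
            if e["method"] == "POST":  # form submitted to the untrusted host ...
                for later in evs[i + 1:]:
                    if later["ts"] - e["ts"] > REDIRECT_WINDOW:
                        break
                    if later["host"] in TRUSTED_PORTALS:  # ... then straight to the real portal
                        alerts.append((client, "post-then-legitimate-portal", e["host"]))
                        break
    return alerts

# Constructed sample: 10.0.0.5 walks through the lure; 10.0.0.9 simply signs in normally.
SAMPLE_LOG = [
    "2025-06-04T09:00:00 10.0.0.5 GET https://abc123.ngrok-free.app/reset?uid=dGVzdHVzZXJAZXhhbXBsZS5vcmc 200",
    "2025-06-04T09:00:12 10.0.0.5 POST https://abc123.ngrok-free.app/reset 302",
    "2025-06-04T09:00:13 10.0.0.5 GET https://login.microsoftonline.com/ 200",
    "2025-06-04T09:05:00 10.0.0.9 GET https://login.microsoftonline.com/ 200",
]
```

Running `triage(SAMPLE_LOG)` yields two alerts for 10.0.0.5 and none for the normal sign-in; in practice the suffix list would be fed from threat intelligence rather than hard-coded.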

    In September, APT28 used similar techniques on OWA expired-password pages hosted on InfinityFree domains, redirecting victims to legitimate login pages of a North Macedonian military organization and an IT firm in Uzbekistan. This demonstrated the group's ability to adapt their tactics and target new organizations.

    The use of ngrok proxies by APT28 allowed them to host phishing pages and exfiltrate data without being detected. The group's reliance on free hosting services, tunneling services, and PDF lures showcased a low-cost, high-yield approach to credential theft.

    The Insikt Group has not previously observed BlueDelta using Google-themed credential-harvesting pages in its past campaigns; however, the consistent use of Byet and InfinityFree domains, together with ngrok for exfiltration, and additional tradecraft similarities point to a likely overlap. Based on these parallels, we assess that this activity is likely associated with BlueDelta.

    APT28 has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was involved in the string of attacks that targeted the 2016 Presidential election. APT28 operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

    The group has targeted dozens of Western logistics and tech firms tied to Ukraine aid, including defense, maritime, air, and rail sectors across NATO nations and Ukraine. They exploited business ties to expand access, even probing ICS makers for railway systems. Targets span 13 countries, including the U.S., Germany, and France.

    In conclusion, APT28's recent credential-harvesting attacks demonstrate a rise in Russian cyber espionage. The group's use of fake login pages, PDF lures, and free hosting services to carry out their attacks highlights their adaptability and persistence. As the threat landscape continues to evolve, it is essential for organizations to remain vigilant and take proactive measures to protect themselves against such attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Credential-Harvesting-Attacks-by-APT28-A-Rise-in-Russian-Cyber-Espionage-ehn.shtml

  • https://securityaffairs.com/186801/apt/credential-harvesting-attacks-by-apt28-hit-turkish-european-and-central-asian-organizations.html


  • Published: Mon Jan 12 04:09:39 2026 by llama3.2 3B Q4_K_M












