
Ethical Hacking News

Russian APT28's Sophisticated Credential-Harvesting Campaigns: Threatening Energy and Policy Organizations

Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with various organizations in Turkey, Europe, North Macedonia, and Uzbekistan. The malicious campaigns, attributed to the infamous APT28 (also known as BlueDelta) group, demonstrate the group's continued reliance on disposable services to host and relay credential data.

Learn more about how APT28 is using sophisticated phishing emails and legitimate services to target energy and policy organizations.



  • Russian state-sponsored threat actors, attributed to APT28 (BlueDelta), have launched credential-harvesting attacks targeting individuals in Turkey, Europe, North Macedonia, and Uzbekistan.
  • The attacks used disposable services such as InfinityFree, Byet Internet Services, and ngrok to host phishing pages and exfiltrate stolen data.
  • APT28's campaigns employed sophisticated attack chains that leveraged legitimate services and exploited victims' trust in Google services to bypass defenses.
  • The group's reliance on disposable services enables them to maintain operational security while minimizing the risk of detection.
  • APT28 targeted organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities.



The first campaign, launched in June 2025, deployed a credential-harvesting page mimicking a Sophos VPN password reset page, hosted on infrastructure provided by InfinityFree. This bait-and-switch tactic lured victims into entering their credentials, after which they were redirected to the legitimate Sophos VPN portal of an unnamed European Union think tank.

The September 2025 campaign took a different approach, using credential-harvesting pages hosted on InfinityFree domains that falsely warned users their passwords had expired. Credentials entered on these pages were exfiltrated to an ngrok URL. The phishing emails were crafted to look legitimate in order to exploit the victims' trust.

In April 2025, APT28 conducted a campaign that used a fake Google password reset page hosted on Byet Internet Services to gather victims' credentials and exfiltrate them to an ngrok URL. This attack leveraged victims' familiarity with Google services to bypass their defenses.

The use of disposable services such as InfinityFree, Byet Internet Services, and ngrok allows APT28 to maintain operational security while minimizing the risk of detection. The group's reliance on these services also enables it to quickly adapt and evolve its tactics, making it challenging for defenders to keep pace.

"The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences," Recorded Future's Insikt Group said. "These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities."

The campaigns have been found to lean heavily on services such as Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok to host the phishing pages, exfiltrate stolen data, and enable redirections. The attackers also used legitimate PDF lure documents, including a publication from the Gulf Research Center related to the June 2025 Iran-Israel war and a July 2025 policy briefing calling for a new pact for the Mediterranean released by the climate change think tank ECCO.

In each of these campaigns, APT28 has used a similar attack chain that begins with a phishing email containing a shortened link. When clicked, this link redirects victims to another link hosted on webhook[.]site, which briefly displays a decoy document before redirecting to a second webhook[.]site URL that hosts a spoofed Microsoft OWA login page.

Present within this page is a hidden HTML form element that stores the webhook[.]site URL and uses JavaScript to send a "page opened" beacon, transmit the submitted credentials to the webhook endpoint, and ultimately redirect the victim back to the PDF hosted on the actual website. This attack chain demonstrates APT28's continued skill in crafting convincing phishing lures.
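The chain described above (shortened link, decoy on a disposable host, then a credential POST to the same kind of host) leaves a recognisable sequence in web-proxy logs. As an added defender's example, not code from the article or from Insikt Group's report, the following Python flags a client that hits a URL shortener, then fetches pages on a disposable host, then POSTs to that host within a few minutes; the log format, the shortener list, the concrete ngrok hostnames and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (timestamp client method url status); the shortener,
# webhook.site paths and PDF host are illustrative, not indicators from the article.
SAMPLE_LOG = """\
2025-09-10T08:00:01Z 10.1.2.3 GET https://t.ly/abc12 302
2025-09-10T08:00:02Z 10.1.2.3 GET https://webhook.site/11111111-aaaa-4bbb-8ccc-000000000001 200
2025-09-10T08:00:09Z 10.1.2.3 GET https://webhook.site/22222222-aaaa-4bbb-8ccc-000000000002 200
2025-09-10T08:01:15Z 10.1.2.3 POST https://webhook.site/22222222-aaaa-4bbb-8ccc-000000000002 200
2025-09-10T08:01:16Z 10.1.2.3 GET https://www.example.org/briefing.pdf 200
2025-09-10T09:30:00Z 10.1.2.4 GET https://webhook.site/33333333-aaaa-4bbb-8ccc-000000000003 200
2025-09-10T09:45:00Z 10.1.2.5 GET https://t.ly/zzz99 302
"""

SHORTENERS = {"t.ly", "bit.ly", "tinyurl.com"}            # assumed list; use your own feed
DISPOSABLE = {"webhook.site", "ngrok.io", "ngrok-free.app"}  # hosts named in the article; ngrok names assumed
LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def host(url):
    return re.sub(r"^https?://", "", url).split("/")[0].lower()

def parse(log):
    # Yield (time, client, method, host, url) for each well-formed line.
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield (datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], host(m[4]), m[4])

def find_chains(log, window=timedelta(minutes=5)):
    # Map client -> disposable-host URLs that received a POST (the credential-submission
    # step) after that client hit a shortener and then fetched a disposable host in `window`.
    by_client = defaultdict(list)
    for ev in parse(log):
        by_client[ev[1]].append(ev)
    hits = {}
    for client, events in by_client.items():
        events.sort()
        for i, (t0, _, meth, h, _) in enumerate(events):
            if meth != "GET" or h not in SHORTENERS:
                continue
            seen_decoy = False
            for t1, _, m1, h1, url1 in events[i + 1:]:
                if t1 - t0 > window: break
                if h1 in DISPOSABLE and m1 == "GET":
                    seen_decoy = True          # decoy document / spoofed login page fetched
                elif h1 in DISPOSABLE and m1 == "POST" and seen_decoy:
                    hits.setdefault(client, []).append(url1)  # credentials posted to the endpoint
    return hits
```

A lone webhook.site GET (client 10.1.2.4) or a lone shortener hit (10.1.2.5) is not flagged; only the full sequence is, which keeps the rule quiet on legitimate developer use of these services.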

APT28 has also been observed conducting three other campaigns that targeted individuals associated with various organizations in North Macedonia and Uzbekistan. These campaigns demonstrate the group's sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.

The use of legitimate services such as ngrok and InfinityFree by APT28 highlights threat actors' ability to adapt and evolve their tactics. The group's reliance on disposable services also underscores the need for defenders to maintain robust security controls and vigilance, particularly when dealing with state-sponsored threats.

As the threat landscape continues to evolve, it is essential for organizations to remain vigilant and proactive in protecting themselves against sophisticated phishing attacks. By understanding the tactics employed by APT28 and other threat actors, defenders can develop effective countermeasures to mitigate the impact of these campaigns and protect sensitive information from falling into the wrong hands.

In conclusion, the recent credential-harvesting campaigns attributed to APT28 demonstrate the group's ongoing commitment to exploiting users' trust in legitimate web-based services. By utilizing layered attack chains and leveraging disposable services, APT28 has successfully targeted energy and policy organizations, highlighting the need for robust security controls and vigilance in the face of state-sponsored threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Russian-APT28s-Sophisticated-Credential-Harvesting-Campaigns-Threatening-Energy-and-Policy-Organizations-ehn.shtml

  • https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.html


Published: Fri Jan 9 10:26:15 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.