Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations - The Hacker News

Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations Ravie LakshmananJan 09, 2026Email Security / Threat Intelligence Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The activity has been attributed to APT28 (aka BlueDelta), which was tied to a "sustained" credential-harvesting campaign targeting users of UKR[.]net last month. APT28 is associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). "The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences," Recorded Future's Insikt Group said. "These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities." The cybersecurity company described the attacks as targeting a small but distinct set of victims in February and September 2025, with the campaign leveraging fake login pages that were styled to resemble popular services like Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. The efforts are noteworthy for the fact that unsuspecting users are redirected to the legitimate sites after the credentials are entered on the bogus landing pages, thereby avoiding raising any red flags. The campaigns have also been found to lean heavily on services like Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok to host the phishing pages, exfiltrate stolen data, and enable redirections. In a further attempt to lend them a veneer of legitimacy, the threat actors are said to have used legitimate PDF lure documents, including a publication from the Gulf Research Center related to the June 2025 Iran-Israel war and a July 2025 policy briefing calling for a new pact for the Mediterranean released by climate change think tank ECCO. The attack chain starts with a phishing email containing a shortened link that, when clicked, redirects victims to another link hosted on webhook[.]site, which briefly displays the decoy document for about two seconds before redirecting to a second webhook[.]site that hosts a spoofed Microsoft OWA login page. Present within this page is a hidden HTML form element that stores the webhook[.]site URL and uses JavaScript to send a "page opened" beacon, transmit the submitted credentials to the webhook endpoint, and ultimately redirect back to the PDF hosted on the actual website. APT28 has also been observed conducting three other campaigns - A June 2025 campaign that deployed a credential-harvesting page mimicking a Sophos VPN password reset page hosted on infrastructure provided by InfinityFree to harvest credentials entered into the form and redirect victims to a legitimate Sophos VPN portal belonging to an unnamed E.U. think tank A September 2025 campaign that used credential-harvesting pages hosted on InfinityFree domains to falsely warn users of expired passwords to trick them into entering their credentials and redirect to a legitimate login page associated with a military organization in the Republic of North Macedonia and an IT integrator based in Uzbekistan An April 2025 campaign that used a fake Google password reset page hosted on Byet Internet Services to gather victims' credentials and exfiltrate them to an ngrok URL "BlueDelta's consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data," the Mastercard-owned company said. "These campaigns underscore the GRU’s sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  APT28, cloud services, Credential Theft, cybersecurity, email security, Phishing, Threat Intelligence Trending News Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Load More ▼ Popular Resources Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Fix Security Noise by Focusing Only on Validated Exposures