APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

Severity: Medium
Tags: Phishing, Web
Published: Wed Dec 17 2025 (12/17/2025, 15:30:00 UTC)
Source: The Hacker News

Description

The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a "sustained" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The activity, observed by Recorded Future's Insikt Group between June 2024 and April 2025, builds upon prior findings from the cybersecurity company in May 2024 that

AI-Powered Analysis

Last updated: 12/17/2025, 16:20:52 UTC

Technical Analysis

APT28, also tracked as Fancy Bear and (by Recorded Future) BlueDelta, is a threat actor linked to Russian military intelligence with a long history of cyber espionage against government, defense, and other strategic targets. Between June 2024 and April 2025 it ran a prolonged credential phishing campaign against users of UKR.net, a widely used Ukrainian webmail and news platform.

The lure is an email carrying a PDF attachment whose embedded link leads, through one or more redirects, to a counterfeit UKR.net login page. Both the redirectors and the final pages sit on legitimate services: Mocky, Blogger subdomains, and the URL shorteners tiny.cc and tinyurl.com. The fake pages ask for the password and then for the two-factor authentication code. A one-time code expires within seconds to minutes, so the stolen pair is only useful if the operators relay it to the real login promptly; what they gain is an authenticated session rather than a reusable secret. This is why the distinction between OTP-based and phishing-resistant second factors matters here: a code typed into a fake page can be relayed, a FIDO2 assertion bound to the real origin cannot.

The hosting infrastructure shifted over time from compromised routers to anonymized tunneling services such as ngrok and Serveo, most likely in response to Western takedowns of APT28 infrastructure in early 2024.

The campaign fits APT28's broader collection against Ukrainian institutions and entities tied to defense, logistics, and policy, in support of Russia's military objectives. Its sophistication lies not in malware, none is reported, but in multi-stage redirection and the abuse of reputable hosting to pass URL filtering and look credible. Stolen credentials and the sessions they yield nonetheless allow sustained mailbox collection. The campaign underscores the persistent threat from state-sponsored actors in the context of the Russia-Ukraine conflict and the need for phishing-resistant authentication and monitoring of authentication events.
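The delivery chain described above, a PDF whose embedded link goes through a shortener to a fake login page on a legitimate host, is something a mail gateway can inspect before delivery. The following is an added example, not code from the article or from Recorded Future: it extracts every /URI action from a PDF (including those inside Flate-compressed object streams), then flags links that go through the shorteners named above, land on the kinds of services named above, or use a host that imitates ukr.net. The host suffixes for Mocky, Blogger, ngrok and Serveo, the sample PDF and every URL in it are constructed for illustration, not indicators from the campaign.

```python
"""Extract URI actions from a PDF attachment and flag links that match the
campaign's delivery pattern: shortener redirects, fake login pages on
legitimate hosting, and hosts that imitate ukr.net."""
import re
import zlib
from urllib.parse import urlparse

# Services the analysis names as abused. The concrete host suffixes are an
# assumption derived from those service names, not indicators from the article.
SHORTENERS = {"tiny.cc", "tinyurl.com"}
ABUSED_HOSTING = (".blogspot.com", ".mocky.io", ".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".serveo.net")
LEGIT_DOMAIN = "ukr.net"
BRAND_RE = re.compile(r"ukr[-_.]?net")

# /URI followed by a literal string "( ... )" (backslash escapes allowed) or a hex string "< ... >"
URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}  # any other escaped byte stands for itself


def decode_pdf_string(tok: bytes) -> str:
    """Turn a PDF literal or hex string token into text (PDFDocEncoding approximated as latin-1)."""
    if tok.startswith(b"<"):
        return bytes.fromhex(tok[1:-1].decode("ascii")).decode("latin-1")
    body = re.sub(rb"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), tok[1:-1], flags=re.DOTALL)
    return body.decode("latin-1")


def inflate_streams(pdf: bytes) -> bytes:
    """Return the raw file plus every stream that inflates cleanly, so /URI actions
    stored inside Flate-compressed object streams are visible to the scanner."""
    chunks = [pdf]
    for m in STREAM_RE.finditer(pdf):
        for data in (m.group(1), m.group(1).rstrip(b"\r\n")):
            try:
                chunks.append(zlib.decompress(data))
                break
            except zlib.error:
                continue  # not Flate data (image, font, ...) or no clean boundary: skip
    return b"\n".join(chunks)


def classify_url(url: str) -> list[str]:
    """Reasons a link matches the pattern; an empty list means nothing matched."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if host in SHORTENERS:
        reasons.append("url-shortener")
    if host.endswith(ABUSED_HOSTING):
        reasons.append("abused-hosting")
    is_legit = host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)
    if BRAND_RE.search(host) and not is_legit:
        reasons.append("brand-lookalike")
    return reasons


def scan_pdf(pdf: bytes) -> list[dict]:
    """All distinct URIs in the PDF with their classification."""
    findings, seen = [], set()
    for m in URI_RE.finditer(inflate_streams(pdf)):
        url = decode_pdf_string(m.group(1))
        if url not in seen:
            seen.add(url)
            findings.append({"url": url, "reasons": classify_url(url)})
    return findings


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF (no xref table; enough for the scanner, not for a
    viewer): one plain /Link through a shortener, plus two /URI actions hidden in a
    Flate-compressed object stream, one of them as a hex string. URLs are made up."""
    hex_url = "https://abcd.ngrok-free.app/login".encode().hex().encode()
    hidden = (b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ukr-net-login.blogspot.com/mail) >> >>\n"
              b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI <" + hex_url + b"> >> >>")
    packed = zlib.compress(hidden)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI (https://tinyurl.com/2p9x7abc) >> >>",
        b"<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed) + packed + b"\nendstream",
    ]
    body = b"\n".join(b"%d 0 obj\n" % i + obj + b"\nendobj" for i, obj in enumerate(objs, start=1))
    return b"%PDF-1.7\n" + body + b"\ntrailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    for f in scan_pdf(build_sample_pdf()):
        print(f["url"], "->", ", ".join(f["reasons"]) or "no match")
```

Real attachments may also launch URLs from embedded JavaScript (app.launchURL) or use encodings this regex scanner does not cover, so in production feed the classifier the link list from a full PDF parser; the classification rules, not the extraction, are what the gateway should key on, and a hit on a shortener or abused host in an unsolicited attachment is reason enough to quarantine or rewrite the link.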

Potential Impact

For European organizations, particularly those with ties to Ukraine or operating in government, defense, logistics, or policy, the main risk is credential compromise leading to unauthorized mailbox access and espionage. Where a phished password is reused on other services, the compromise can extend beyond UKR.net to corporate accounts. Capturing one-time codes defeats SMS and authenticator-app MFA, so account takeover is possible even where a second factor is enforced; only phishing-resistant methods (FIDO2/WebAuthn) close this gap. Given the geopolitical context, organizations supporting Ukraine, employing Ukrainian staff, or serving Ukrainian communities may be direct targets or collateral victims. Hosting on legitimate platforms and behind anonymized tunnels complicates blocking and takedown, letting the operators keep pages up longer. The same tradecraft could be turned against other European webmail providers. The medium severity rating reflects the focused targeting and reliance on social engineering rather than software exploitation; the potential intelligence loss for affected users remains high.

Mitigation Recommendations

1. Filter email for PDF attachments containing links, especially links through URL shorteners or multi-stage redirection, and detonate or rewrite them before delivery.
2. Run targeted awareness training on phishing that impersonates trusted services such as UKR.net, stressing that a real login page never follows a link in an unexpected attachment and that a prompt for a 2FA code on an unfamiliar page is itself a warning sign.
3. Require phishing-resistant multi-factor authentication, hardware security keys or platform authenticators using FIDO2/WebAuthn, rather than SMS or one-time codes, which the fake pages capture and relay.
4. Monitor authentication logs for first-seen source networks, rapid successive attempts, concurrent sessions from different networks, and successful logins shortly after a suspicious message was delivered to the same user.
5. Consume threat intelligence feeds to block domains, URLs, and infrastructure attributed to APT28 and related campaigns.
6. Publish SPF, DKIM, and an enforcing DMARC policy (p=quarantine or p=reject) for your own domains so receivers reject spoofed sender addresses; note that this does not stop lookalike domains or pages hosted on legitimate third-party services, where link inspection and user training still carry the load.
7. Report phishing pages to the hosting and URL-shortening providers promptly so they can be taken down.
8. Update incident response plans with playbooks for credential theft and phishing by state-sponsored actors, including forced password resets and revocation of active sessions.
9. Organizations with Ukrainian connections should heighten vigilance and coordinate with national cybersecurity centers for threat sharing and support.
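Items 3 and 4 above hinge on what phished credentials plus a relayed one-time code look like to the real service: a successful OTP login from a network the user has never used, minutes after the user's own session and shortly after a suspicious message reached them. The following added example (not from the article or from any provider) runs those rules over constructed auth-gateway and mail-gateway log lines. The log format, field names, time windows, user names and IP addresses (RFC 5737 documentation ranges) are assumptions; adapt the parser to your own gateway.

```python
"""Flag webmail logins that match phished credentials plus a relayed one-time
code: a first-seen source network or an overlapping session from another
network, with a suspicious delivery to the same user and a phishable factor as
aggravating context."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample logs (not real data). Addresses come from RFC 5737
# documentation ranges. Format "<ts> auth|mailgw key=value ..." is an assumption.
AUTH_LOG = """\
2025-03-03T08:02:11Z auth user=o.petrenko ip=198.51.100.23 result=success mfa=otp
2025-03-03T17:44:09Z auth user=o.petrenko ip=198.51.100.23 result=success mfa=otp
2025-03-04T09:10:41Z auth user=o.petrenko ip=198.51.100.23 result=success mfa=otp
2025-03-04T09:12:03Z auth user=o.petrenko ip=203.0.113.77 result=success mfa=otp
2025-03-04T11:30:00Z auth user=i.kovalenko ip=192.0.2.15 result=success mfa=fido2
2025-03-04T12:05:22Z auth user=i.kovalenko ip=192.0.2.15 result=success mfa=fido2
"""
MAILGW_LOG = """\
2025-03-04T08:55:30Z mailgw user=o.petrenko verdict=suspicious url=https://tinyurl.com/2p9x7abc
"""

PHISH_WINDOW = timedelta(hours=24)      # a login this long after a suspicious delivery is suspect
OVERLAP_WINDOW = timedelta(minutes=15)  # two sessions from different networks this close overlap
PHISHABLE_MFA = {"otp", "sms", "none"}  # factors a fake login page can capture, or no factor at all

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|mailgw) (?P<kv>.*)$")


@dataclass
class Alert:
    ts: datetime
    user: str
    ip: str
    reasons: list[str]


def parse_lines(text: str) -> list[dict]:
    """Parse key=value log lines into dicts carrying a datetime 'ts' and a 'kind'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"kind": m["kind"], "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}
        ev.update(kv.split("=", 1) for kv in m["kv"].split())
        events.append(ev)
    return events


def source_net(ip: str) -> str:
    """Bucket a source address into its /24 so address churn inside one network is not 'new'."""
    return str(ip_network(f"{ip}/24", strict=False))


def detect(auth_text: str, mailgw_text: str) -> list[Alert]:
    """Replay successful logins in time order and alert on anomalies consistent
    with an attacker signing in with relayed credentials. A recent suspicious
    delivery and a phishable factor are appended as context, never alert alone."""
    auth = sorted(parse_lines(auth_text), key=lambda e: e["ts"])
    deliveries: dict[str, list[datetime]] = defaultdict(list)
    for d in parse_lines(mailgw_text):
        deliveries[d["user"]].append(d["ts"])
    seen_nets: dict[str, set[str]] = defaultdict(set)
    successes: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    alerts = []
    for ev in auth:
        if ev.get("result") != "success":
            continue
        user, net = ev["user"], source_net(ev["ip"])
        reasons = []
        if seen_nets[user] and net not in seen_nets[user]:
            reasons.append("first-seen-source")
        if any(n != net and ev["ts"] - ts <= OVERLAP_WINDOW for ts, n in successes[user]):
            reasons.append("overlapping-sessions")
        if reasons:
            if any(ts <= ev["ts"] <= ts + PHISH_WINDOW for ts in deliveries[user]):
                reasons.append("post-phish-delivery")
            if ev.get("mfa", "none") in PHISHABLE_MFA:
                reasons.append("phishable-mfa")
            alerts.append(Alert(ev["ts"], user, ev["ip"], reasons))
        seen_nets[user].add(net)
        successes[user].append((ev["ts"], net))
    return alerts


if __name__ == "__main__":
    for a in detect(AUTH_LOG, MAILGW_LOG):
        print(a.ts.isoformat(), a.user, a.ip, ",".join(a.reasons))
```

The legitimate user's own session from the known network is not alerted even though it also falls inside the phishing window; only the second login from a never-seen network within minutes of it trips the rules, and the delivery record and the OTP factor explain why it deserves immediate password reset and session revocation. The user with FIDO2 produces nothing, which is the point of mitigation 3: there is no code for the fake page to relay.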


Technical Details

Article Source
URL: https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html (fetched 2025-12-17T16:20:33Z, 969 words)

Threat ID: 6942d853b2cbfb3efaac9c39

Added to database: 12/17/2025, 4:20:35 PM

Last enriched: 12/17/2025, 4:20:52 PM

Last updated: 12/18/2025, 1:20:23 PM

Views: 22
