
BlueDelta Evolves Credential Harvesting

Medium
Published: Thu Jan 08 2026 (01/08/2026, 11:41:07 UTC)
Source: AlienVault OTX General

Description

Between February and September 2025, BlueDelta, a Russian state-sponsored threat group linked to the GRU, conducted multiple credential-harvesting campaigns. The group targeted individuals associated with energy research, defense cooperation, and government communication networks in Turkey, Europe, North Macedonia, and Uzbekistan. BlueDelta impersonated legitimate webmail and VPN services, using free hosting and tunneling services to host phishing content and capture user data. The campaigns incorporated PDF lures and customized JavaScript to increase authenticity and operational efficiency. This activity demonstrates BlueDelta's continued focus on low-cost, high-yield methods for collecting information supporting Russian intelligence objectives.

AI-Powered Analysis

Last updated: 01/08/2026, 12:50:14 UTC

Technical Analysis

Between February and September 2025, the GRU-linked Russian state-sponsored actor BlueDelta ran multiple credential-harvesting campaigns against individuals associated with energy research, defense cooperation, and government communication networks in Turkey, Europe, North Macedonia, and Uzbekistan. The operators impersonated legitimate webmail and VPN login portals and hosted the phishing pages on free web-hosting and tunneling services. That choice keeps costs near zero, avoids infrastructure that can be tied back to the actor, and lets a burned page be replaced with a new subdomain in minutes. PDF lures carried the links to the pages, and customized JavaScript on the pages made the fake login flows more convincing and automated the capture and forwarding of whatever the victim typed.

The pulse tags the activity with ATT&CK T1102 (Web Service), T1593 (Search Open Websites/Domains) and T1056.002 (Input Capture: GUI Input Capture). Of these, T1102 fits the abuse of legitimate free-hosting and request-capture services; the phishing itself maps to T1566 (Phishing) and credential capture through a spoofed login portal to T1056.003 (Input Capture: Web Portal Capture), while T1593 is a reconnaissance technique and does not describe the delivery. The listed indicators are consistent with the reported tradecraft: account-security-googie.my-board.org, account-security-googie.rf.gd, account-settings-shsvchx.wuaze.com and config-settings.kesug.com are account-themed hostnames on free-hosting zones (note the "googie" lookalike for "google"), enmrgkf41bifd.x.pipedream.net is a Pipedream request-capture endpoint of the kind that would receive posted form data, and 185.27.134.125 and 172.111.206.103 (the latter in AS20860, iomart cloud services limited, GB) are the hosting addresses. No software vulnerability is exploited; the campaign succeeds only when a victim enters credentials into the spoofed portal. The medium severity reflects the impact on the confidentiality of the targeted accounts and the fact that success requires user interaction but no technical exploitation.

Potential Impact

The BlueDelta campaigns pose a significant threat to European organizations involved in energy research, defense cooperation, and government communication networks. Harvested webmail or VPN credentials give the actor authenticated access to mailboxes and remote-access gateways, enabling espionage, data exfiltration, and, where the VPN reaches internal networks, a foothold for lateral movement and further intrusion. Because the lures imitate services that staff use daily and the page JavaScript mirrors the real login flow, the compromise rate is not limited to inexperienced users; technical staff and senior officials are equally exposed. For European organizations the consequences include loss of intellectual property, exposure of classified or sensitive communications, and damage to national security interests. The use of legitimate UK-hosted cloud infrastructure and free hosting providers also means that blocking by IP or provider carries collateral risk, and that takedown depends on the cooperation of third parties. The medium severity indicates a moderate but credible threat that escalates quickly if the stolen credentials are combined with other access or used in follow-on targeted operations.

Mitigation Recommendations

European organizations should run targeted anti-phishing training that covers the specific lures seen here: PDF attachments whose links lead to fake VPN or webmail login pages, and account-security or settings-themed hostnames on unfamiliar domains. Deploy email filtering that inspects links inside PDF attachments, not only attachment file types. Network defenders should block the domains and IP addresses listed in the indicators, and should consider blocking or alerting on the parent free-hosting zones (my-board.org, rf.gd, wuaze.com, kesug.com) and request-capture services such as pipedream.net where there is no business need, since the actor can rotate subdomains far faster than an IOC list updates. Enforce multi-factor authentication on all remote-access and email accounts, preferably phishing-resistant methods (FIDO2/WebAuthn) rather than one-time codes, because a spoofed portal that proxies the real login can capture and replay an OTP in real time. Regularly audit authentication logs for anomalous patterns indicative of stolen credentials, such as logins from new countries or ASNs shortly after a user visited a suspicious page. Work with cloud and hosting providers to get malicious pages taken down quickly. Incident response teams should be ready to reset credentials and revoke sessions for any user who submitted data to one of these hosts, and to hunt for lateral movement from the affected accounts. Sharing observed lure domains within European cybersecurity communities strengthens collective defense against this actor.
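The hunting step in the recommendations above (match the listed IOCs, watch the free-hosting and request-capture zones they sit under, and spot brand lookalikes such as "googie") can be scripted against web-proxy logs. The following is an added example written for this page, not code from AlienVault or Recorded Future; the log format, the internal source addresses, the 203.0.113.x / 198.51.100.x destination addresses and the lookalike patterns beyond "googie" are all constructed assumptions. It also correlates a source that loaded a lure page and then POSTed to the request-capture endpoint, which is the sequence a credential submission would produce.

```python
"""Hunt proxy logs for BlueDelta-style credential-harvesting activity.

Added example; IOC values come from the pulse, everything else (log format,
sample lines, extra lookalike patterns) is a constructed assumption.
"""
import re
from urllib.parse import urlsplit

# Indicators listed in the pulse.
IOC_DOMAINS = {
    "account-security-googie.my-board.org",
    "account-security-googie.rf.gd",
    "account-settings-shsvchx.wuaze.com",
    "config-settings.kesug.com",
    "enmrgkf41bifd.x.pipedream.net",
}
IOC_IPS = {"185.27.134.125", "172.111.206.103"}

# Parent zones the IOCs fall under: free web hosting plus a request-capture
# service. Flagging the whole zone is a policy choice; tune for your estate.
SUSPICIOUS_PARENTS = {"my-board.org", "rf.gd", "wuaze.com", "kesug.com", "pipedream.net"}

# Brand lookalikes. "googie" is from the pulse; the others are assumed
# patterns of the same kind. Deliberately does NOT match the real "google".
LOOKALIKE_RE = re.compile(r"goog[1i]e|g00gle|micros0ft|0utlook", re.I)

# Constructed proxy log: "<timestamp> <src_ip> <method> <url> <dst_ip> <status>"
SAMPLE_LOG = """\
2025-06-02T09:14:03Z 10.1.5.23 GET https://account-security-googie.rf.gd/login 185.27.134.125 200
2025-06-02T09:14:09Z 10.1.5.23 POST https://enmrgkf41bifd.x.pipedream.net/ 172.111.206.103 200
2025-06-02T09:20:44Z 10.1.7.41 GET https://mail.google.com/mail/u/0/ 203.0.113.10 200
2025-06-02T09:22:10Z 10.1.7.41 GET https://secure-vpn-portal.kesug.com/ 185.27.134.125 200
2025-06-02T09:25:01Z 10.1.9.12 GET https://news.example.com/ 198.51.100.5 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, dst, status = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": ts, "src": src, "method": method, "host": host,
            "dst": dst, "status": int(status)}


def parent_zone(host, depth=2):
    """Last `depth` labels of a hostname: 'a.x.pipedream.net' -> 'pipedream.net'."""
    return ".".join(host.split(".")[-depth:])


def classify(rec):
    """Return the list of reasons a record is suspicious (empty = clean)."""
    reasons = []
    if rec["host"] in IOC_DOMAINS:
        reasons.append("ioc-domain")
    if rec["dst"] in IOC_IPS:
        reasons.append("ioc-ip")
    # New subdomains on the same free-hosting zones, not yet in any IOC list.
    if parent_zone(rec["host"]) in SUSPICIOUS_PARENTS and rec["host"] not in IOC_DOMAINS:
        reasons.append("free-hosting-or-capture-zone")
    if LOOKALIKE_RE.search(rec["host"]):
        reasons.append("brand-lookalike")
    # A POST to a request-capture endpoint is how a fake form hands off its data.
    if rec["method"] == "POST" and parent_zone(rec["host"]) == "pipedream.net":
        reasons.append("post-to-request-capture")
    return reasons


def hunt(log_text):
    """All flagged records as (timestamp, src_ip, host, reasons) tuples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := classify(rec)):
            findings.append((rec["ts"], rec["src"], rec["host"], reasons))
    return findings


def likely_credential_submissions(log_text):
    """Sources that loaded an IOC or lookalike page and later POSTed to a
    request-capture endpoint: treat these users as probably compromised."""
    saw_lure, submitted = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if "ioc-domain" in reasons or "brand-lookalike" in reasons:
            saw_lure.add(rec["src"])
        if "post-to-request-capture" in reasons and rec["src"] in saw_lure:
            submitted.add(rec["src"])
    return submitted


if __name__ == "__main__":
    for ts, src, host, reasons in hunt(SAMPLE_LOG):
        print(ts, src, host, ",".join(reasons))
    print("probable credential submissions:", sorted(likely_credential_submissions(SAMPLE_LOG)))
```

On the constructed sample, the script flags the two IOC hits from 10.1.5.23, flags the not-yet-listed secure-vpn-portal.kesug.com page purely on its free-hosting zone and IOC hosting IP, leaves mail.google.com alone, and names 10.1.5.23 as a source whose user probably submitted credentials, which is the account to reset and whose sessions to revoke first.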


Technical Details

Author: AlienVault
TLP: white
References:
https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting
Adversary: BlueDelta
Pulse Id: 695f97d338e09113f22521f3

Indicators of Compromise

Ip

185.27.134.125
172.111.206.103 (CC=GB ASN=AS20860 iomart cloud services limited)

Domain

account-security-googie.my-board.org
account-security-googie.rf.gd
account-settings-shsvchx.wuaze.com
config-settings.kesug.com
enmrgkf41bifd.x.pipedream.net

Threat ID: 695fa482c901b06321e7786b

Added to database: 1/8/2026, 12:35:14 PM

Last enriched: 1/8/2026, 12:50:14 PM

Last updated: 1/9/2026, 8:36:44 AM

