Between June 2024 and April 2025, the Russian state-sponsored group BlueDelta executed a sustained credential-harvesting campaign against users of UKR.NET, a major Ukrainian webmail provider. The adversary deployed multiple phishing pages mimicking the legitimate UKR.NET login portal, hosted on free web hosting platforms and leveraging proxy tunneling services such as ngrok and Serveo to circumvent takedown efforts and maintain operational persistence. The campaign utilized PDF lures embedding malicious links to evade detection by traditional email security tools and increase the likelihood of user interaction. BlueDelta’s infrastructure adaptations, including switching proxy services, indicate a high level of operational security and responsiveness to defensive actions. The campaign’s primary objective is to collect user credentials for intelligence purposes, consistent with the GRU’s ongoing interest in Ukrainian digital assets amid the conflict. Techniques employed include phishing (T1566.002), use of proxy tunneling (T1102), credential harvesting (T1056.003), and use of webmail compromise (T1132.001). Although the campaign targets Ukrainian users specifically, the use of free web services and proxy platforms means that collateral impact on European organizations connected to Ukraine or using similar services is possible. No known exploits or CVEs are associated with this campaign, and it relies on social engineering and infrastructure resilience rather than software vulnerabilities.

The primary impact of this campaign is the compromise of user credentials for UKR.NET accounts, which can lead to unauthorized access to sensitive communications, identity theft, and further espionage activities. For European organizations, especially those with business or personnel links to Ukraine, the campaign poses indirect risks such as spear-phishing follow-ups, lateral movement attempts, or exposure of sensitive information through compromised accounts. The use of proxy tunneling services complicates detection and takedown, potentially prolonging exposure. Credential theft undermines confidentiality and can facilitate further attacks, including account takeover and data exfiltration. The campaign’s persistence and adaptability increase the likelihood of successful compromise over time. While the direct operational scope is limited to UKR.NET users, the geopolitical context and targeting of Ukrainian digital infrastructure mean that European allies and partners may face secondary effects, including targeted phishing campaigns leveraging stolen credentials or intelligence gathered from compromised accounts.

To mitigate this threat, organizations should implement targeted user awareness training focused on recognizing phishing attempts involving PDF lures and fake login portals, especially those impersonating UKR.NET or related services. Email security solutions should be configured to detect and quarantine emails containing suspicious PDF attachments and links to known proxy tunneling domains such as ngrok and Serveo. Monitoring network traffic for unusual connections to proxy tunneling services can help identify potential phishing infrastructure. Organizations with Ukrainian connections should enforce multi-factor authentication (MFA) on all webmail and critical accounts to reduce the impact of credential theft. Incident response teams should establish rapid takedown procedures and collaborate with hosting providers and law enforcement to disrupt phishing infrastructure promptly. Regular threat intelligence sharing with European cybersecurity centers and Ukrainian partners will enhance situational awareness. Finally, reviewing and restricting the use of free web hosting and proxy services within corporate environments can reduce exposure to similar campaigns.