BlueDelta’s Persistent Campaign Against UKR.NET
BlueDelta, a Russian state-sponsored threat group linked to the GRU, has conducted a persistent credential-harvesting campaign targeting users of the Ukrainian webmail service UKR.NET from June 2024 to April 2025. The group used phishing techniques involving fake UKR.NET login pages hosted on free web services and proxy tunneling platforms like ngrok and Serveo to evade takedowns. PDF documents containing embedded malicious links were distributed to lure victims, demonstrating the adversary's adaptability and operational persistence. The campaign's primary goal is to collect Ukrainian user credentials for intelligence gathering amid ongoing geopolitical tensions. While the campaign focuses on Ukrainian targets, European organizations with connections to Ukraine or using similar platforms could face indirect risks. The threat is rated medium severity: it is narrowly targeted, its impact is credential theft, and exploitation is moderately easy, requiring no user interaction beyond clicking a phishing link. Mitigation requires targeted user awareness, enhanced email filtering, monitoring of proxy tunneling services, and rapid takedown coordination. Countries with close ties to Ukraine or a significant Ukrainian diaspora, such as Poland, Germany, and the Baltic states, are more likely to be affected due to potential spillover or secondary targeting.
AI Analysis
Technical Summary
Between June 2024 and April 2025, the Russian state-sponsored group BlueDelta executed a sustained credential-harvesting campaign against users of UKR.NET, a major Ukrainian webmail provider. The adversary deployed multiple phishing pages mimicking the legitimate UKR.NET login portal, hosted on free web hosting platforms and leveraging proxy tunneling services such as ngrok and Serveo to circumvent takedown efforts and maintain operational persistence. The campaign utilized PDF lures embedding malicious links to evade detection by traditional email security tools and increase the likelihood of user interaction. BlueDelta’s infrastructure adaptations, including switching proxy services, indicate a high level of operational security and responsiveness to defensive actions. The campaign’s primary objective is to collect user credentials for intelligence purposes, consistent with the GRU’s ongoing interest in Ukrainian digital assets amid the conflict. Techniques employed include phishing (T1566.002), use of proxy tunneling (T1102), credential harvesting (T1056.003), and use of webmail compromise (T1132.001). Although the campaign targets Ukrainian users specifically, the use of free web services and proxy platforms means that collateral impact on European organizations connected to Ukraine or using similar services is possible. No known exploits or CVEs are associated with this campaign, and it relies on social engineering and infrastructure resilience rather than software vulnerabilities.
Potential Impact
The primary impact of this campaign is the compromise of user credentials for UKR.NET accounts, which can lead to unauthorized access to sensitive communications, identity theft, and further espionage activities. For European organizations, especially those with business or personnel links to Ukraine, the campaign poses indirect risks such as spear-phishing follow-ups, lateral movement attempts, or exposure of sensitive information through compromised accounts. The use of proxy tunneling services complicates detection and takedown, potentially prolonging exposure. Credential theft undermines confidentiality and can facilitate further attacks, including account takeover and data exfiltration. The campaign’s persistence and adaptability increase the likelihood of successful compromise over time. While the direct operational scope is limited to UKR.NET users, the geopolitical context and targeting of Ukrainian digital infrastructure mean that European allies and partners may face secondary effects, including targeted phishing campaigns leveraging stolen credentials or intelligence gathered from compromised accounts.
Mitigation Recommendations
To mitigate this threat, organizations should implement targeted user awareness training focused on recognizing phishing attempts involving PDF lures and fake login portals, especially those impersonating UKR.NET or related services. Email security solutions should be configured to detect and quarantine emails containing suspicious PDF attachments and links to known proxy tunneling domains such as ngrok and Serveo. Monitoring network traffic for unusual connections to proxy tunneling services can help identify potential phishing infrastructure. Organizations with Ukrainian connections should enforce multi-factor authentication (MFA) on all webmail and critical accounts to reduce the impact of credential theft. Incident response teams should establish rapid takedown procedures and collaborate with hosting providers and law enforcement to disrupt phishing infrastructure promptly. Regular threat intelligence sharing with European cybersecurity centers and Ukrainian partners will enhance situational awareness. Finally, reviewing and restricting the use of free web hosting and proxy services within corporate environments can reduce exposure to similar campaigns.
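The filtering and monitoring steps above (quarantining mail whose links point at tunneling domains, and watching proxy traffic for connections to tunneling services) can be prototyped as a small triage script. The code below is an added example written for this page; it is not code from the advisory, from AlienVault or from Recorded Future. The domain and IP values are taken from the page's Indicators of Compromise list, while the ngrok suffixes, the proxy log format, and the sample email body, PDF bytes and log lines are assumptions or constructed test data.

```python
"""Flag phishing URLs and tunneled hosts tied to the BlueDelta UKR.NET campaign.

Added example, not code from the page or the cited research. Indicator values
come from the page's IoC list; the ngrok suffixes, the log format and all
sample inputs are assumptions or constructed test data.
"""
import re
from urllib.parse import urlparse

# Domains and IP copied from the page's Indicators of Compromise section.
IOC_DOMAINS = {
    "doads.org", "edfuture.com", "element.id", "linkcuts.com", "linkcuts.org",
    "talebco.ir", "ukrainnet.com", "ukrinet.com", "0592cc96ea.serveo.net",
    "232524f51a.serveo.net", "5ae39a1b39d45d08f947bdf0ee0452ae.serveo.net",
    "94c1bb7d4c.serveo.net", "chujdrtuityui.mydiscussion.net",
    "f0ee0452ae.serveo.net", "kfghjerrlknsm.line.pm", "tuyt8erti867i.synergize.co",
    "ukraine.html-5.me", "ukrainesafe.is-great.org", "ukrainesafeurl.talebco.ir",
    "un.mocky.io", "47e811dbe2ed0ea8d506af94c1bb7d4c.serveo.net",
    "6c7aa72bd5f1d30203b80596f926b2b7.serveo.net",
    "73ce1aae8a9ba738b91040232524f51a.serveo.net",
    "92ace7e653e9c32d2af9700592cc96ea.serveo.net",
    "d7763713839aaf61dd299a55da3aad76.serveo.net",
}
IOC_IPS = {"73.80.9.137"}

# Tunneling-service suffixes. serveo.net is on the page; the ngrok suffixes are an
# assumed starter list that you should extend from your own proxy telemetry.
TUNNEL_SUFFIXES = ("serveo.net", "ngrok.io", "ngrok-free.app", "ngrok.app")

# The impersonated brand. Any other host containing "ukr" is a weak hint only.
LEGITIMATE_SUFFIX = "ukr.net"

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def _under(host: str, suffix: str) -> bool:
    return host == suffix or host.endswith("." + suffix)


def classify_host(host: str) -> list[str]:
    """Return the reasons a hostname is suspicious (empty list means no hit)."""
    host = host.lower().rstrip(".")
    reasons = []
    if host in IOC_IPS:
        reasons.append("ioc-ip")
    if any(_under(host, d) for d in IOC_DOMAINS):
        reasons.append("ioc-domain")
    if any(_under(host, s) for s in TUNNEL_SUFFIXES):
        reasons.append("tunnel-service")
    if "ukr" in host and not _under(host, LEGITIMATE_SUFFIX):
        reasons.append("ukr-brand-lookalike")  # low confidence, review manually
    return reasons


def classify_url(url: str) -> list[str]:
    return classify_host(urlparse(url).hostname or "")


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Pull /URI link-action targets out of an uncompressed PDF body.

    Object streams and encrypted PDFs need a real parser; this is a triage pass.
    """
    return [m.group(1).decode("latin-1") for m in PDF_URI_RE.finditer(pdf_bytes)]


def scan_email(body: str, pdf_attachments: list[bytes]) -> list[tuple[str, list[str]]]:
    """Classify every URL in the body and in PDF link annotations; return the hits."""
    urls = URL_RE.findall(body)
    for pdf in pdf_attachments:
        urls.extend(extract_pdf_uris(pdf))
    return [(u, r) for u in urls if (r := classify_url(u))]


def scan_proxy_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Assumed log format: '<timestamp> <src_ip> CONNECT <host>:<port>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "CONNECT":
            continue
        host = parts[3].rsplit(":", 1)[0]
        if reasons := classify_host(host):
            hits.append((parts[1], host, reasons))
    return hits


# Constructed sample data, not a real capture.
SAMPLE_BODY = (
    "Your mailbox will be blocked. Confirm your account at "
    "https://ukrainesafe.is-great.org/login or https://mail.ukr.net/"
)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://0592cc96ea.serveo.net/auth) >> >>\nendobj\n%%EOF\n"
)
SAMPLE_PROXY_LOG = [
    "2025-03-12T10:02:11Z 10.0.4.21 CONNECT 0592cc96ea.serveo.net:443",
    "2025-03-12T10:02:15Z 10.0.4.21 CONNECT mail.ukr.net:443",
    "2025-03-12T10:03:40Z 10.0.4.37 CONNECT abcd1234.ngrok-free.app:443",
]

if __name__ == "__main__":
    for url, reasons in scan_email(SAMPLE_BODY, [SAMPLE_PDF]):
        print(f"email  {url} -> {', '.join(reasons)}")
    for src, host, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy  {src} -> {host}: {', '.join(reasons)}")
```

A sensible policy on top of this is to quarantine on any ioc-ip or ioc-domain hit, alert on tunnel-service hits (legitimate developers do use these services, so allow-list known users rather than blocking outright), and treat ukr-brand-lookalike as a review hint only. The PDF pass is byte-level and will miss links inside compressed object streams, so for mail attachments it complements rather than replaces a real PDF parser.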
Affected Countries
Ukraine, Poland, Germany, Lithuania, Latvia, Estonia
Indicators of Compromise
- hash: 3d434157d91afd59e26db91483e7a56d
- hash: 5ae39a1b39d45d08f947bdf0ee0452ae
- hash: 68053622c5cb645676c534fea7c4642a
- hash: 8b654832fbcf233f33e3cddef20a473a
- hash: 267e838ef339db2959c52cdc0bebb7e2e8c04b68
- hash: 5cc21e044124591cecc6d7ebf020018e894b2c6a
- hash: a0dd8dcff49d57cfcb73bd206985f45db1483de4
- hash: 009440551eb6ea83da1a28361ebf44b3d022f204b99b82b83e266ec4807d18eb
- hash: 1919d9c67a9ce00382f65b4bc1e1d1f4e4c0b296bc20ca45ba8fef8c188138ec
- hash: 1a4c609fb75a54c7016736e471b6f92aaed7bb51257f3946e4ece9dd9125500c
- hash: 20a3bf615c257d0c79ed82c428c3c182298876e52356988dd72dc20b2f12a217
- hash: 2431578b5ba5a8569a689807bdb827e3d445a16cc013ed8eba7b7bfea661d76a
- hash: 2f8e8b2783c8c47da0f265199671f3cae4e31b2a03999fff12aa3090c74c7a51
- hash: 44935484933a13fb6632e8db92229cf1c5777333fa5a3c0a374b37428add69fb
- hash: 53142380d75e3f54490f2896b58f308e6b91bec841d09b4e88985cb5b7812031
- hash: 5fd8153dbb4620ab589aaa83815afce34135e5a0a5af10876fb3b0fff344c64b
- hash: 64b26a92652bfb67cbe18217b6508fce460eff859526b2e256d3f1b9eab338b0
- hash: 704b0a4f2f2195d22340471b9bdb06244047f7042728dd7f6aa6e3c5e30c9bc1
- hash: 86a9ca34790e219ddc371fa154c51a9a2930e2afdebf4fc0889d2ba94d6acfc1
- hash: 8b77e8199c61c0d97b7a40e35feedf21a168a62696b18bbb4d49766332c2c8a8
- hash: 8f1994f2474512430f7c998dc6c57d0fd215860a24b58f90325122bb6d8a224c
- hash: 95783d875ee50ef619f455a715150f414ed00157a6579ae6f73ccd72c394c5d8
- hash: 9f394a9cb2e54e7be10c41b997e7dc85b882c4c7dd203b6984ca2aea151a47b5
- hash: be3cccc2c62c0033aebcf91a6587eb815a1994cf268c42cf92ed856b6cf556aa
- hash: c0890f375af0f503c873878b1b09a1c5147b72ab38511d9911e847c10622c0aa
- hash: c194f619d1ed73c0f0721d818564aa8238aceba94d1e721942c5cb67cbba68ff
- hash: ce421ab3db97f4b68d6e688c8ad5a6bafe82612d23df3257128433578c3caffb
- hash: f5d2edbf1af6bf7db3f29e77a99883e39b5bc4ec483af4de47e8a75574248649
- hash: fa8a4d544ffb3ca9d51448772f478f303602023e0cd70af4b9f85d3b72b4cd27
- ip: 73.80.9.137
- domain: doads.org
- domain: edfuture.com
- domain: element.id
- domain: linkcuts.com
- domain: linkcuts.org
- domain: talebco.ir
- domain: ukrainnet.com
- domain: ukrinet.com
- domain: 0592cc96ea.serveo.net
- domain: 232524f51a.serveo.net
- domain: 5ae39a1b39d45d08f947bdf0ee0452ae.serveo.net
- domain: 94c1bb7d4c.serveo.net
- domain: chujdrtuityui.mydiscussion.net
- domain: f0ee0452ae.serveo.net
- domain: kfghjerrlknsm.line.pm
- domain: tuyt8erti867i.synergize.co
- domain: ukraine.html-5.me
- domain: ukrainesafe.is-great.org
- domain: ukrainesafeurl.talebco.ir
- domain: un.mocky.io
- hash: 47e811dbe2ed0ea8d506af94c1bb7d4c
- hash: 6c7aa72bd5f1d30203b80596f926b2b7
- hash: 73ce1aae8a9ba738b91040232524f51a
- hash: 92ace7e653e9c32d2af9700592cc96ea
- hash: d7763713839aaf61dd299a55da3aad76
- domain: 47e811dbe2ed0ea8d506af94c1bb7d4c.serveo.net
- domain: 6c7aa72bd5f1d30203b80596f926b2b7.serveo.net
- domain: 73ce1aae8a9ba738b91040232524f51a.serveo.net
- domain: 92ace7e653e9c32d2af9700592cc96ea.serveo.net
- domain: d7763713839aaf61dd299a55da3aad76.serveo.net
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet
- Adversary: BlueDelta
- Pulse Id: 69430d7dd15ada5cf6e88f2e
- Threat Score: null
Threat ID: 69433981058703ef3fd4738a
Added to database: 12/17/2025, 11:15:13 PM
Last enriched: 12/17/2025, 11:26:53 PM
Last updated: 12/18/2025, 1:26:53 PM