Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations
Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The activity has been attributed to APT28 (aka BlueDelta), which was tied to a "sustained"
AI Analysis
Technical Summary
APT28 (aka BlueDelta), a Russian GRU-affiliated advanced persistent threat group, has launched a series of credential harvesting campaigns targeting individuals linked to Turkish energy and nuclear research agencies, European think tanks, and organizations in North Macedonia and Uzbekistan. The campaigns, active since at least February 2025, employ phishing emails containing shortened URLs that redirect victims through multiple stages: initially to decoy PDF documents relevant to regional geopolitical events, then to spoofed login portals resembling Microsoft Outlook Web Access, Google password reset pages, and Sophos VPN password reset pages. These fake portals are hosted on legitimate but disposable internet services such as Webhook.site, InfinityFree, Byet Internet Services, and ngrok, which facilitate credential exfiltration and redirection to legitimate sites to evade suspicion. The lure documents are regionally and linguistically tailored, increasing the credibility of the attacks among targeted professionals. The campaigns demonstrate a strategic focus on entities involved in energy research, defense cooperation, and government communications, aligning with Russian intelligence objectives. The use of legitimate hosting services and redirection tactics complicates detection and response efforts. Although no direct exploits or malware payloads are involved, the stolen credentials can enable further espionage, lateral movement, or disruption. Recorded Future’s Insikt Group highlights the group's persistent reliance on credential harvesting as a cost-effective intelligence-gathering method. The attacks underscore the ongoing cyber espionage threat posed by APT28 against critical infrastructure and policy organizations in geopolitically sensitive regions.
Potential Impact
For European organizations, especially think tanks, energy research institutions, and government-affiliated entities, this campaign poses a significant risk to the confidentiality of sensitive information and the integrity of secure communications. Compromised credentials can lead to unauthorized access to email systems, VPNs, and internal networks, facilitating espionage, data exfiltration, and potential disruption of critical operations. The targeting of policy organizations and defense-related entities could result in the leakage of strategic plans or sensitive diplomatic communications, undermining national security and policy formulation. The use of legitimate service infrastructure for phishing complicates detection and increases the likelihood of successful credential theft. Additionally, stolen credentials may be leveraged for follow-on attacks such as lateral movement, privilege escalation, or deployment of malware, amplifying the operational impact. The medium severity rating reflects the absence of direct exploitation vulnerabilities but acknowledges the high-value nature of the targeted credentials and the potential for significant downstream consequences. European organizations involved in energy and defense sectors are particularly vulnerable given the geopolitical tensions involving Russia and the strategic importance of these sectors.
Mitigation Recommendations
European organizations should implement multi-factor authentication (MFA) across all critical systems, especially email and VPN access, to reduce the risk posed by stolen credentials. Regular phishing awareness training tailored to the latest tactics used by APT28, including recognition of regionally relevant lure documents and suspicious URL redirections, is essential. Organizations should deploy advanced email filtering solutions capable of detecting and blocking phishing emails with shortened URLs and suspicious attachments. Monitoring and restricting the use of disposable hosting services like Webhook.site, InfinityFree, and ngrok within corporate networks can help identify and block phishing infrastructure. Incident response teams should establish robust credential monitoring and alerting mechanisms to detect anomalous login attempts or use of compromised credentials. Network segmentation and least privilege access policies can limit lateral movement if credentials are compromised. Regular audits of access logs and integration of threat intelligence feeds related to APT28 activities will enhance early detection. Finally, organizations should collaborate with national cybersecurity agencies to share indicators of compromise and receive timely threat updates.
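As an added defensive example (not code from the article, from Recorded Future's Insikt Group, or from any named vendor), the following Python screens web-proxy log lines for the chain the report describes: a request to one of the named disposable hosting services (Webhook.site, InfinityFree, Byet, ngrok), a login- or password-reset-looking path on that host, and an immediate follow-on request by the same user to a legitimate sign-in page, which is the "redirect to a legitimate site" step. The concrete apex domains used for ngrok, InfinityFree and Byet, the proxy log format, and the sample log entries are assumptions constructed for this example and should be replaced by your own threat-intelligence feed and log schema.

```python
"""Screen proxy logs for phishing portals hosted on disposable hosting services."""
import re
from urllib.parse import urlparse

# Hostname patterns for the disposable services named in the report. The exact apex
# domains for ngrok, InfinityFree and Byet are an ASSUMPTION for this example;
# feed them from your own intel source in production.
DISPOSABLE_HOST_PATTERNS = tuple(re.compile(p, re.I) for p in (
    r"(^|\.)webhook\.site$",
    r"(^|\.)ngrok(-free)?\.(io|app|dev)$",
    r"(^|\.)(infinityfreeapp\.com|rf\.gd|42web\.io)$",
    r"(^|\.)byethost\d*\.com$",
))

# Path/query fragments typical of the spoofed portals described (OWA, password
# reset, Sophos VPN reset). Assumed keyword list; tune to reduce noise.
PORTAL_PATH_HINTS = ("owa", "outlook", "reset", "password", "login", "sophos", "vpn")

# Legitimate sign-in hosts a victim is bounced to after credentials are captured.
LEGIT_LOGIN_HOST_RE = re.compile(
    r"^(login\.microsoftonline\.com|outlook\.office\.com|accounts\.google\.com)$", re.I)

# Constructed proxy log format for this example (not a real product's format):
#   <ISO timestamp> user=<username> url=<requested url>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+url=(?P<url>\S+)")


def host_matches(host, patterns):
    """True if the host matches any of the compiled hostname patterns."""
    host = host.lower().rstrip(".")
    return any(p.search(host) for p in patterns)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    return {
        "ts": m.group("ts"),
        "user": m.group("user"),
        "url": m.group("url"),
        "host": parsed.hostname or "",
        "path": (parsed.path + " " + parsed.query).lower(),
    }


def screen_proxy_log(lines):
    """Return scored findings for requests to disposable hosting services.

    Score 1: host is a disposable hosting service.
    +1: the path looks like a login / password-reset portal.
    +1: the same user's very next request goes to a legitimate sign-in page,
        matching the post-capture redirect the report describes.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = []
    for i, ev in enumerate(events):
        if not host_matches(ev["host"], DISPOSABLE_HOST_PATTERNS):
            continue
        score, reasons = 1, ["disposable hosting service: " + ev["host"]]
        if any(h in ev["path"] for h in PORTAL_PATH_HINTS):
            score += 1
            reasons.append("login/reset-like path")
        nxt = next((e for e in events[i + 1:] if e["user"] == ev["user"]), None)
        if nxt and LEGIT_LOGIN_HOST_RE.search(nxt["host"]):
            score += 1
            reasons.append("followed by redirect to " + nxt["host"])
        findings.append({"ts": ev["ts"], "user": ev["user"], "url": ev["url"],
                         "score": score, "reasons": reasons})
    return findings


# Constructed sample log: alice follows a shortened link through a decoy PDF on a
# free host to a fake OWA reset page and is then bounced to the real Microsoft login.
SAMPLE_LOG = """\
2026-01-09T09:58:10Z user=alice url=https://short.example/abc123
2026-01-09T09:58:11Z user=alice url=https://decoy-brief.42web.io/briefing.pdf
2026-01-09T09:59:02Z user=alice url=https://owa-reset.webhook.site/owa/auth/reset
2026-01-09T09:59:05Z user=alice url=https://login.microsoftonline.com/
2026-01-09T10:03:44Z user=bob url=https://intranet.example.internal/home
2026-01-09T10:04:01Z user=bob url=https://dev-demo.ngrok-free.app/api/status
2026-01-09T10:04:40Z user=carol url=https://accounts.google.com/signin
""".splitlines()


if __name__ == "__main__":
    for f in sorted(screen_proxy_log(SAMPLE_LOG), key=lambda f: -f["score"]):
        print(f["score"], f["user"], f["url"], "; ".join(f["reasons"]))
```

The sample yields three findings: the fake OWA reset page on webhook.site scores 3 (disposable host, reset-like path, immediate bounce to login.microsoftonline.com), while the decoy PDF host and bob's ngrok tunnel score 1 each. The low-score hits are the ones to triage rather than block outright, since developers legitimately use services like ngrok; the high-score chain is the one worth an alert and a forced credential reset for that user.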
Affected Countries
Turkey, United Kingdom, North Macedonia, Uzbekistan, Germany, France, Italy, Belgium, Netherlands
Technical Details
- Article Source: https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.html (fetched 2026-01-09T17:43:20.451Z, 1194 words)
Threat ID: 69613e3b6c9099d823010d21
Added to database: 1/9/2026, 5:43:23 PM
Last enriched: 1/9/2026, 5:43:39 PM
Last updated: 2/6/2026, 10:05:05 AM