BlueDelta’s Persistent Campaign Against UKR.NET

Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns,” which documented GRU-linked credential theft and espionage activity. Insikt Group observed BlueDelta deploy multiple credential-harvesting pages themed as UKR.NET login portals. The group leveraged free web services, including Mocky, DNS EXIT, and later, proxy tunneling platforms such as ngrok and Serveo, to collect usernames, passwords, and two-factor authentication codes. BlueDelta distributed PDF lures containing embedded links to these credential-harvesting pages, likely to bypass automated email scanning and sandbox detections.

BlueDelta maintained a consistent focus on UKR.NET users, continuing its long-running credential-harvesting activity throughout 2024 and 2025. The group distributed malicious PDF lures that linked to credential-harvesting pages through embedded URLs, enabling it to evade common email filtering and sandbox detection techniques. Notably, BlueDelta transitioned from compromised routers to proxy tunneling platforms, such as ngrok and Serveo, to relay credentials and bypass CAPTCHA and two-factor authentication challenges. This change is likely a response to efforts by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners to dismantle BlueDelta’s infrastructure in early 2024.

On June 14, 2024, Insikt Group identified a new BlueDelta credential-harvesting page, themed as a UKR.NET login page, hosted using the free API service Mocky. The malicious UKR.NET page used JavaScript to exfiltrate credentials and relay CAPTCHA information to a fixed domain-and-high-port combination, kfghjerrlknsm[.]line[.]pm[:]11962. The line[.]pm apex domain is owned by the free hosting company DNS EXIT. On September 13, 2024, Insikt Group identified another UKR.NET credential-harvesting page where BlueDelta exfiltrated credentials and relayed CAPTCHA information to the domain 5ae39a1b39d45d08f947bdf0ee0452ae[.]serveo[.]net. Additionally, BlueDelta added new first-stage redirection domains for two of the pages, ukraine[.]html-5[.]me and ukrainesafe[.]is-great[.]org, likely to hide the Mocky URLs in phishing emails. Since 2023, BlueDelta has used link-shortening platforms such as doads[.]org, in[.]run, t[.]ly, tiny[.]cc, tinyurl[.]com, and linkcuts[.]com. It has also employed free domains from providers such as InfinityFree and Byet Internet Services, and subdomains provided by Blogger, for tier-two link redirection.
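As an added illustration of how a defender might operationalise the indicators above (this is example code written for this post, not code from Recorded Future or from the report), the Python script below runs simple detection logic over a few constructed proxy-log lines. It refangs the published indicators, then flags any URL that matches them, that uses one of the link shorteners named above, that sits on a tunnelling or free-hosting suffix (a heuristic list assumed here, not taken from the report), or that carries a non-standard high port like the one in the first indicator. The log layout, usernames and URL paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the report above, kept defanged as published and refanged at runtime.
REPORTED_INDICATORS = [
    "kfghjerrlknsm[.]line[.]pm[:]11962",
    "5ae39a1b39d45d08f947bdf0ee0452ae[.]serveo[.]net",
    "ukraine[.]html-5[.]me",
    "ukrainesafe[.]is-great[.]org",
]

# Link shorteners the report says BlueDelta has used since 2023.
REPORTED_SHORTENERS = ["doads[.]org", "in[.]run", "t[.]ly", "tiny[.]cc", "tinyurl[.]com", "linkcuts[.]com"]

# Tunnelling / free-hosting suffixes worth a second look. This list is an assumption for the
# example (ngrok and Mocky suffixes are not quoted as indicators in the report), not a report finding.
TUNNEL_SUFFIXES = (".serveo.net", ".ngrok.io", ".ngrok-free.app", ".line.pm", ".mocky.io")


def refang(indicator):
    """Turn a defanged indicator ("a[.]b[:]80") back into a matchable host[:port]."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


KNOWN_HOSTPORTS = {refang(i) for i in REPORTED_INDICATORS}
SHORTENER_HOSTS = {refang(s) for s in REPORTED_SHORTENERS}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url):
    """Return the list of reasons a URL merits review; an empty list means nothing matched."""
    parts = urlsplit(url.rstrip(".,;)"))
    host = (parts.hostname or "").lower()
    port = parts.port
    hostport = f"{host}:{port}" if port else host
    reasons = []
    # Exact hit on a published indicator (with port where the indicator carried one).
    if hostport in KNOWN_HOSTPORTS or host in KNOWN_HOSTPORTS:
        reasons.append("reported-indicator")
    # First-stage redirection through a shortener named in the report.
    if host in SHORTENER_HOSTS:
        reasons.append("reported-shortener")
    # Relay host on a tunnelling or free-hosting provider (heuristic list above).
    if host.endswith(TUNNEL_SUFFIXES):
        reasons.append("tunnel-or-free-host")
    # Credential relays on a fixed, non-standard high port, as with the line.pm indicator.
    if port and port not in (80, 443) and port >= 1024:
        reasons.append(f"nonstandard-port:{port}")
    return reasons


def scan_lines(lines):
    """Extract every URL from each log line and return (url, reasons) for those that matched."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            reasons = classify_url(url)
            if reasons:
                findings.append((url, reasons))
    return findings


# Constructed sample lines in a generic "timestamp user method url" layout; not real traffic.
SAMPLE_PROXY_LOG = [
    "2024-06-14T09:12:03Z alice GET https://ukraine.html-5.me/",
    "2024-06-14T09:12:04Z alice POST http://kfghjerrlknsm.line.pm:11962/collect",
    "2024-09-13T11:40:21Z bob GET https://5ae39a1b39d45d08f947bdf0ee0452ae.serveo.net/captcha",
    "2024-09-13T11:41:00Z carol GET https://mail.example.com/login",
    "2025-01-20T08:05:45Z dave GET https://t.ly/placeholder",
    "2025-02-02T16:30:10Z erin GET https://demo-tunnel.ngrok-free.app/login",
]

if __name__ == "__main__":
    for url, reasons in scan_lines(SAMPLE_PROXY_LOG):
        print(f"{url}  ->  {', '.join(reasons)}")
```

In production this would read from the real proxy or mail-gateway log and the suffix list would be tuned to what the organisation legitimately uses; the point is that the published indicators alone are brittle (the report shows BlueDelta rotating hosts within months), so the generic checks for tunnelling suffixes, shorteners and fixed high ports are what keep the detection useful after the specific hosts change.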

To read the complete article, see: BlueDelta’s Persistent Campaign Against UKR.NET.

This post is licensed under CC BY 4.0 by the author.