APT28 (Fancy Bear), the Russian state-sponsored threat actor linked to the GRU, has been conducting credential harvesting campaigns against organizations in Turkey, the Balkans, Middle East, and Central Asia using surprisingly simple techniques. Recorded Future’s Insikt Group observed the activity between February and September 2025.
Campaign overview
| Attribute | Details |
|---|---|
| Threat actor | APT28 / Fancy Bear / BlueDelta |
| Attribution | Russia’s GRU (Military Unit 26165) |
| Campaign period | February - September 2025 |
| Discovery | Recorded Future Insikt Group |
| Target regions | Turkey, Balkans, Central Asia, Middle East |
| Target sectors | Energy, nuclear, defense, government, academia |
| Technique | Credential harvesting via phishing |
Targets
| Region | Target organizations |
|---|---|
| Turkey | Energy and nuclear research agency staff, renewable energy scientists |
| Europe | Think tank personnel |
| North Macedonia | Government-affiliated organizations, military |
| Uzbekistan | Policy organizations, IT integrators |
The targeting aligns with Russian intelligence priorities: energy infrastructure, defense policy, and regional political dynamics in areas of strategic interest.
Specific targeting observed
| Target type | Lure theme |
|---|---|
| Turkish scientists | Climate change, renewable energy |
| European researchers | Regional policy analysis |
| North Macedonian military | Government communications |
| Uzbek organizations | IT and policy |
Attack chain
The campaign uses a multi-stage redirect to harvest credentials:
Stage 1: Phishing email
| Element | Details |
|---|---|
| Language | Native language for each target region |
| Theme | Matched to victims’ professional interests |
| Content | Contains shortened URL link |
| Sender spoofing | Appears to come from relevant organizations |
Stage 2: Redirect chain
| Step | Action |
|---|---|
| 1 | Victim clicks shortened URL |
| 2 | Redirects to webhook[.]site |
| 3 | Displays legitimate decoy PDF for ~2 seconds |
| 4 | Captures beacon data (IP, browser, timestamp) |
| 5 | Redirects to credential harvesting page |
Stage 3: Credential theft
| Element | Details |
|---|---|
| Page type | Spoofed Microsoft Outlook Web Access (OWA) login |
| Capture | Username, password, and victim identifiers |
| Post-theft | Redirects to legitimate site (avoids suspicion) |
| Data exfiltration | Credentials sent to attacker webhooks |
Legitimate documents as lures
APT28 borrowed legitimacy by using real documents from credible sources:
| Lure Document | Source | Target audience |
|---|---|---|
| Climate change policy brief | Gulf Research Center | Turkish renewable energy scientists |
| Regional policy analysis | ECCO (European Climate Foundation) | European policy researchers |
| Government communications | Various | North Macedonian officials |
Using authentic documents from recognized think tanks increases victim trust and reduces suspicion. Attackers don’t create fake content—they use real, publicly available PDFs.
Infrastructure
APT28 relied on free and disposable services to minimize costs and complicate attribution:
| Service | Purpose | Cost |
|---|---|---|
| Webhook[.]site | Redirect hosting, data exfiltration | Free |
| InfinityFree | Phishing page hosting | Free |
| Byet Internet Services | Credential harvesting infrastructure | Free |
| ngrok | Tunneling for phishing pages | Free tier |
Infrastructure indicators
Recorded Future collected over a dozen phishing pages hosted on these services. The JavaScript on these pages:
| Function | Purpose |
|---|---|
| Capture credentials | Username and password harvest |
| Record victim identifiers | Attribution and targeting data |
| Send beacons to webhooks | Real-time data exfiltration |
| Redirect to legitimate sites | Avoid victim suspicion |
“BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data.”
Why simple works
The campaign demonstrates that sophisticated technical capabilities aren’t necessary when social engineering succeeds:
| Factor | Benefit |
|---|---|
| Relevant content | Documents match targets’ professional interests |
| Borrowed legitimacy | Real PDFs from credible sources |
| Native language | Emails in targets’ languages increase trust |
| Minimal infrastructure | Free services reduce operational costs |
| Clean redirects | Post-theft redirect to legitimate sites avoids detection |
| Professional themes | Victims expect policy documents |
Recorded Future characterized credential harvesting as “a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.”
Attribution
APT28 is attributed to Russia’s GRU (Main Intelligence Directorate), specifically:
| Unit | Role |
|---|---|
| Military Unit 26165 | Primary attribution |
| 85th Main Special Service Center (GTsSS) | GRU cyber operations |
Tracking names
| Tracker | Name |
|---|---|
| CERT-UA | UAC-0001 |
| Recorded Future | BlueDelta |
| Industry standard | Fancy Bear |
| Alternative names | Pawn Storm, Sofacy, Sednit |
| Microsoft | STRONTIUM, Forest Blizzard |
| CrowdStrike | Fancy Bear |
The group has been active since at least 2004 and gained notoriety for attacks against Ukraine, US and European elections, and organizations involved in the Olympics.
Historical context
APT28’s current credential harvesting continues a long pattern of targeting:
| Target category | Examples |
|---|---|
| Political targets | Government officials, diplomats, political parties |
| Defense sector | Contractors, military personnel, defense ministries |
| Energy | Utilities, nuclear research, renewable energy |
| Media | Journalists covering Russia, Eastern Europe |
| Research | Think tanks, academic institutions |
| Sports | Olympic officials, anti-doping agencies |
Notable APT28 operations
| Year | Operation | Target |
|---|---|---|
| 2015-2016 | US election interference | DNC, political campaigns |
| 2016 | WADA hack | Anti-doping agency |
| 2017 | Macron campaign | French presidential election |
| 2018 | Olympic targeting | Winter Olympics organizations |
| 2022-present | Ukraine operations | Government, military, infrastructure |
| 2025 | This campaign | Energy, defense, policy |
Recommendations
For targeted organizations
| Priority | Action |
|---|---|
| Critical | Security awareness training—focus on targeted phishing, not generic scams |
| Critical | Phishing-resistant MFA—hardware keys or passkeys (SMS/TOTP codes can be phished) |
| High | Email authentication—implement DMARC, DKIM, SPF |
| High | URL filtering—block or warn on free hosting services used for phishing |
| High | Credential monitoring—watch for leaked credentials on dark web |
| Medium | Domain monitoring—detect lookalike domains early |
Detection indicators
| Indicator | Meaning |
|---|---|
| Redirects through webhook[.]site | APT28 infrastructure |
| OWA login pages on InfinityFree or Byet domains | Credential harvesting |
| PDF downloads followed by credential entry prompts | Attack chain in progress |
| ngrok tunnel connections from corporate networks | Suspicious tunneling |
| Policy document lures matching professional interests | Targeted phishing |
Network-level detection
| Detection | Method |
|---|---|
| webhook[.]site connections | DNS/proxy logging |
| InfinityFree/Byet hosting | URL reputation |
| ngrok tunnels | Traffic analysis |
| Credential submission to unknown sites | Form monitoring |
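The detection indicators and network-level detection tables above can be turned into a simple proxy-log rule set. The following is an added example written for this summary, not code from Recorded Future or from the report; the log format, the sample log lines, and the free-hosting and tunnel domain suffixes are constructed assumptions (only webhook.site comes from the report), so replace the suffix lists with entries from your own URL-reputation feed.

```python
import re
from datetime import datetime, timedelta

# Indicator lists. webhook.site is named in the report; the free-hosting and
# tunnel suffixes below are placeholders (assumption), to be replaced with
# the real InfinityFree/Byet/ngrok patterns from your URL-reputation feed.
BEACON_HOSTS = ("webhook.site",)
FREE_HOSTING = ("freehost.example", "byet.example")   # placeholders
TUNNEL_HOSTS = ("ngrok.example",)                      # placeholder
CHAIN_WINDOW = timedelta(seconds=60)  # decoy PDF shows ~2 s, then redirects

# Constructed proxy log lines: "date time client method url status".
SAMPLE_LOG = """\
2025-05-12 09:14:02 10.0.0.21 GET https://webhook.site/abcd-1234 302
2025-05-12 09:14:05 10.0.0.21 GET https://mail.freehost.example/owa/auth.html 200
2025-05-12 09:14:40 10.0.0.21 POST https://mail.freehost.example/owa/post.php 302
2025-05-12 09:20:00 10.0.0.33 GET https://intranet.example.com/index.html 200
2025-05-12 10:02:15 10.0.0.45 GET https://tunnel.ngrok.example/ 200
""".splitlines()

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST) https?://([^/\s]+)(\S*)")

def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, host, path = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace(" ", "T")),
            "client": client, "method": method, "host": host.lower(), "path": path}

def host_in(host, suffixes):
    """True if host equals a listed suffix or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def detect(lines):
    """Return (client, rule) alerts matching the campaign's indicators."""
    alerts, last_beacon = [], {}
    for rec in filter(None, map(parse, lines)):
        c, h, t = rec["client"], rec["host"], rec["ts"]
        if host_in(h, TUNNEL_HOSTS):            # ngrok tunnel from corporate network
            alerts.append((c, "ngrok-tunnel"))
        if host_in(h, BEACON_HOSTS):            # stage-2 beacon / redirect
            last_beacon[c] = t
        elif host_in(h, FREE_HOSTING):          # stage-3 page on disposable hosting
            seen = last_beacon.get(c)
            if seen and t - seen <= CHAIN_WINDOW:
                alerts.append((c, "webhook-to-free-hosting-chain"))
                last_beacon[c] = None           # report each chain once
            if rec["method"] == "POST":         # form submitted to disposable host
                alerts.append((c, "credential-post-free-hosting"))
    return alerts
```

Each alert names the client and the matched rule; the chain rule fires once per beacon, and the POST rule is the closest log-level equivalent of "form monitoring" without inspecting request bodies.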
Recommendations for security teams
| Priority | Action |
|---|---|
| High | Implement phishing-resistant MFA for all users |
| High | Train high-value targets on APT phishing techniques |
| High | Monitor for credential exposure on dark web |
| Medium | Block free hosting services at proxy/firewall |
| Medium | Deploy email link protection/sandboxing |
| Ongoing | Track APT28 TTPs and indicators |
Context
APT28’s continued reliance on basic credential harvesting—despite having sophisticated malware capabilities—reflects a pragmatic approach: why develop expensive exploits when phishing works?
The campaign demonstrates that state-sponsored actors don’t always use zero-days and custom malware. Simple, low-cost techniques remain effective against organizations without adequate security awareness training and phishing-resistant authentication.
Organizations in energy, defense, and policy sectors should assume they are targets and implement defenses accordingly. The simplicity of these attacks means any organization can be targeted without significant attacker investment.
For defenders, the lesson is clear: stop credentials from being useful to attackers through phishing-resistant MFA, and train users to recognize targeted phishing that uses legitimate content as lures.