Russian GRU Hackers (APT28) Evolve Credential-Harvesting Tactics

GRU-Linked BlueDelta (APT28) Refines Credential-Harvesting Operations Against European and Eurasian Targets

HIGH
January 14, 2026
Threat Actor, Phishing, Threat Intelligence

Related Entities

Products & Tech: Webhook.site, ngrok

Other: InfinityFree, Byet Internet Services

Full Report

Executive Summary

Recorded Future's Insikt Group has released new intelligence on the evolving tactics of BlueDelta, a threat group linked to Russia's Main Directorate of the General Staff (GRU) and widely known as APT28 or Fancy Bear. The group conducted a series of sophisticated credential-harvesting campaigns between February and September 2025, focusing on targets of strategic interest to Russia. Victims included individuals at a Turkish energy agency, a North Macedonian military organization, and a European think tank. BlueDelta's updated tradecraft emphasizes stealth and operational efficiency, leveraging highly targeted spear-phishing, legitimate documents as lures, and a network of low-cost, disposable infrastructure (such as ngrok and InfinityFree) to capture credentials for services like Microsoft OWA and Sophos VPN.

Threat Overview

The campaign demonstrates a clear focus on intelligence gathering related to energy research, defense cooperation, and government policy in Europe and Eurasia. Rather than using complex malware, BlueDelta's success relies on meticulous social engineering and operational security.

The typical attack chain involves:

  1. Targeted Spear-Phishing: Attackers send carefully crafted emails, sometimes in the victim's native language, to build credibility (T1566.002).
  2. Lure Documents: The emails contain links to legitimate-looking PDF documents or websites relevant to the target's work, such as a real climate policy paper for energy researchers.
  3. Redirection: Upon clicking, the victim is passed through a multi-stage redirection chain, often using free URL shorteners or compromised sites to obfuscate the final destination.
  4. Credential Harvesting: The final destination is a convincing replica of a familiar login portal (e.g., Microsoft Outlook Web Access, Google, Sophos VPN). After the user enters their credentials, they are stolen and exfiltrated.
  5. Evasion: To avoid suspicion, the user is often redirected to the legitimate website they were expecting after their credentials have been harvested.

Technical Analysis

A key feature of BlueDelta's evolved methodology is its reliance on low-cost, disposable, and difficult-to-attribute infrastructure (T1583.006). The group consistently abuses free and legitimate online services, including:

  • Hosting Services: InfinityFree, Byet Internet Services
  • Web Request Services: Webhook[.]site
  • Tunneling Services: ngrok

Using these services allows the attackers to quickly set up and tear down their phishing pages and data exfiltration endpoints, making it difficult for defenders to block them based on traditional IP or domain reputation. The use of ngrok is particularly effective, as it tunnels malicious traffic through a legitimate, trusted service, often bypassing firewall rules.

Impact Assessment

The primary goal of these campaigns is espionage. By stealing credentials, BlueDelta gains long-term access to sensitive email accounts, internal networks, and cloud services. This access can be used to:

  • Exfiltrate sensitive documents, emails, and strategic plans.
  • Gain a foothold for more intrusive follow-on operations.
  • Use the compromised accounts to launch further phishing attacks against other targets, leveraging the trust associated with the victim's identity.

The targeting of energy and defense entities indicates a direct alignment with Russian state strategic interests, posing a national security risk to the affected countries.

Detection & Response

  • Network Traffic Analysis: Monitor for and alert on network connections to known abusive services like ngrok.io, *.infinityfreeapp.com, and webhook.site from within the corporate network, especially from user workstations. While these services have legitimate uses, their use in a corporate environment should be scrutinized. This is a core function of D3-NTA: Network Traffic Analysis.
  • Email Security: Deploy advanced email security gateways that can analyze URLs at time-of-click to detect malicious redirects and credential harvesting pages. Look for emails containing multiple layers of redirection.
  • User Training: Since the attack relies on tricking the user, continuous training on how to spot sophisticated phishing attempts is crucial. Users should be taught to manually verify the domain name of any login page before entering credentials.
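
The network-traffic check in the first bullet can be reduced to a small triage rule. The following is an added example, not code from the article or from Recorded Future: it parses a few constructed web-proxy log lines and raises an alert when a host in the workstation range reaches one of the free hosting, tunneling or request-capture services named above. The log format, the workstation subnet and the hostnames in the sample are assumptions; the watchlist domains are the ones the report lists.

```python
"""Proxy-log triage for the disposable services abused in the BlueDelta campaign.

Added example; the log line format, the workstation subnet and the sample
hostnames are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Watchlist from the report's detection guidance, keyed by registrable domain so
# that per-tenant subdomains such as <random>.ngrok.io are matched as well.
ABUSED_SERVICES = {
    "ngrok.io": "tunneling",
    "infinityfreeapp.com": "free hosting",
    "byet.org": "free hosting",
    "webhook.site": "request capture",
}

# Assumed: user workstations sit in this range; servers get a separate rule.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")

# Assumed proxy log format: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass
class Alert:
    ts: str
    src_ip: str
    host: str
    service: str    # watchlist domain that matched
    category: str   # tunneling / free hosting / request capture


def matched_service(host: str):
    """Return the watchlist domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in ABUSED_SERVICES:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def triage(lines):
    """Scan proxy log lines; alert on workstation traffic to a watchlisted service."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the batch
        host = urlsplit(m["url"]).hostname or ""
        domain = matched_service(host)
        if domain is None:
            continue
        if ipaddress.ip_address(m["src"]) not in WORKSTATION_NET:
            continue  # non-workstation sources are handled by an allow-listed rule
        alerts.append(Alert(m["ts"], m["src"], host, domain, ABUSED_SERVICES[domain]))
    return alerts


# Constructed sample: two workstation hits (an OWA-looking page behind ngrok and a
# POST to webhook.site), a legitimate login, a server-side ngrok use, a look-alike
# hostname that must not match, and one malformed line.
SAMPLE_LOG = [
    "2025-03-04T09:12:07Z 10.20.14.33 GET https://abc123.ngrok.io/owa/auth/logon.aspx 200",
    "2025-03-04T09:12:09Z 10.20.14.33 POST https://webhook.site/7f3e2d1c 200",
    "2025-03-04T09:15:41Z 10.20.7.8 GET https://login.microsoftonline.com/common/oauth2 200",
    "2025-03-04T09:20:02Z 10.50.1.5 GET https://ci-runner.ngrok.io/hook 200",
    "2025-03-04T09:21:13Z 10.20.9.2 GET https://not-ngrok.io.example.net/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.ts} {a.src_ip} -> {a.host} ({a.category}, matched {a.service})")
```

Suffix matching on the registrable domain is what makes the rule hold up against the per-campaign subdomains these services hand out; a plain string search would also fire on unrelated hosts that merely contain the word.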

Mitigation

  1. Multi-Factor Authentication (MFA): This is the single most effective mitigation against credential theft. Even if an attacker steals a user's password, they cannot access the account without the second factor. Enforce MFA on all external services, especially email and VPN. This is a direct implementation of D3-MFA: Multi-factor Authentication.
  2. Outbound Traffic Filtering: Block access to known-bad domains and categories of websites, including free hosting and dynamic DNS services, where possible. While this can be challenging due to their legitimate uses, a risk-based approach can be effective.
  3. Limit Access from Untrusted Networks: Configure conditional access policies to block or limit access to sensitive applications from networks or countries where your organization does not operate.

Timeline of Events

  1. February 1, 2025: Start of observed credential harvesting campaign by BlueDelta.
  2. September 30, 2025: End of observed credential harvesting campaign period analyzed by Recorded Future.
  3. January 14, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Multi-Factor Authentication: The most effective defense against credential theft, as it prevents the use of stolen passwords.
  • User Training: Training users to identify and report sophisticated phishing attempts is crucial for defense-in-depth.
  • Outbound Traffic Filtering: Filtering outbound web traffic to block access to known malicious or high-risk services like free hosting and tunneling services can disrupt the attack chain.
D3FEND Defensive Countermeasures

The single most effective countermeasure against the credential harvesting campaigns conducted by BlueDelta/APT28 is the mandatory enforcement of phishing-resistant Multi-Factor Authentication (MFA) on all internet-facing services. This includes email (like Microsoft OWA), VPNs (like the targeted Sophos VPN), and all cloud applications. Even when an attacker successfully tricks a user into submitting their password on a fake login page, MFA prevents them from using that stolen credential to gain access. Organizations should prioritize FIDO2/WebAuthn-based authenticators or number matching push notifications, as these are more resilient to adversary-in-the-middle (AitM) phishing attacks than simple SMS or one-time passcodes.

To disrupt BlueDelta's reliance on disposable infrastructure, organizations should implement strict outbound traffic filtering. This involves creating policies on web proxies and firewalls to block connections to services frequently abused by this actor. Specifically, create rules to block or alert on all traffic to domains associated with ngrok.io, infinityfreeapp.com, byet.org, and webhook.site. While some of these services may have legitimate uses, their presence in a corporate environment is often a red flag. A default-deny egress policy, where only explicitly allowed services and domains can be accessed, is the most secure posture, though it requires significant administrative overhead. At a minimum, logging all outbound connections to these services is essential for threat hunting.

Deploy an email security gateway with advanced URL analysis capabilities, often referred to as 'time-of-click' protection. This technology rewrites URLs in incoming emails to route them through a proxy. When a user clicks the link, the security service analyzes the destination website in real-time, following redirection chains to the final landing page. This is highly effective against BlueDelta's TTPs, as it can identify the malicious credential harvesting page at the end of the redirection chain and block the user from accessing it. This automated analysis is far more effective than relying solely on users to spot subtle differences in domain names.
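
The time-of-click logic described in this paragraph, reduced to an offline model, as an added example that is not code from the article or from any email security product. A lookup table stands in for the HTTP client and returns the Location header each hop would send; the analysis follows the chain, counts shortener layers, and blocks when the landing page sits on one of the services the report names or when the chain never terminates. The hop limit, the shortener list and every URL in the table are assumptions.

```python
"""Offline model of time-of-click URL analysis.

Added example. `resolve` replaces a real HTTP HEAD/GET with a constructed table
so the chain-following logic can run without network access.
"""
from urllib.parse import urlsplit

# Services the report lists as abused for phishing pages and exfiltration.
ABUSED_SERVICES = ("ngrok.io", "infinityfreeapp.com", "byet.org", "webhook.site")
# Assumed list of public URL shorteners used as the first redirection layer.
URL_SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")
MAX_HOPS = 10  # assumed ceiling before a chain is treated as non-terminating

# Constructed redirect table: URL -> next Location, or None for a final page.
FAKE_WEB = {
    "https://bit.ly/climate-policy-2025": "https://compromised-blog.example/go.php",
    "https://compromised-blog.example/go.php":
        "https://webmail-portal.infinityfreeapp.com/owa/auth.aspx",
    "https://webmail-portal.infinityfreeapp.com/owa/auth.aspx": None,
    "https://tinyurl.com/real-report": "https://think-tank.example/reports/climate.pdf",
    "https://think-tank.example/reports/climate.pdf": None,
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}


def resolve(url):
    """Stand-in for an HTTP request: next hop, or None when the page is final."""
    return FAKE_WEB.get(url)


def host_in(host, suffixes):
    """True if `host` equals or is a subdomain of any registrable domain in `suffixes`."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def follow_chain(url, resolver=resolve):
    """Follow redirects from `url`; return (hops, outcome) with outcome in
    {"landed", "loop", "too_many_hops"}."""
    hops, seen = [url], {url}
    while len(hops) <= MAX_HOPS:
        nxt = resolver(hops[-1])
        if nxt is None:
            return hops, "landed"
        if nxt in seen:
            return hops, "loop"
        hops.append(nxt)
        seen.add(nxt)
    return hops, "too_many_hops"


def verdict(url, resolver=resolve):
    """Analyse a clicked link and return {"action", "chain", "reasons"}."""
    hops, outcome = follow_chain(url, resolver)
    final_host = urlsplit(hops[-1]).hostname or ""
    block, review = [], []

    if outcome != "landed":
        block.append(f"redirect chain did not terminate ({outcome})")
    if host_in(final_host, ABUSED_SERVICES):
        block.append(f"landing page hosted on abused service: {final_host}")
    # "Multiple layers of redirection" starting from a shortener is worth a review
    # even when the landing page is not on the watchlist.
    via_shortener = any(host_in(urlsplit(h).hostname, URL_SHORTENERS) for h in hops[:-1])
    if via_shortener and len(hops) >= 3:
        review.append(f"{len(hops) - 1} redirects layered behind a URL shortener")

    action = "block" if block else ("review" if review else "allow")
    return {"action": action, "chain": hops, "reasons": block + review}


if __name__ == "__main__":
    for link in ("https://bit.ly/climate-policy-2025",
                 "https://tinyurl.com/real-report",
                 "https://loop.example/a"):
        v = verdict(link)
        print(link, "->", v["action"], "|", " -> ".join(v["chain"]))
        for r in v["reasons"]:
            print("   ", r)
```

Keeping the chain in the result matters for response: the intermediate hosts (the compromised site in the constructed sample) are what an analyst needs in order to find other emails that used the same first hop.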

Sources & References

  • "GRU-Linked BlueDelta Evolves Credential Harvesting", Recorded Future (recordedfuture.com), January 14, 2026
  • "State-linked Russians go on spear phishing spree", Computing (computing.co.uk), January 13, 2026
  • "Russia's APT28 Targeting Energy Research, Defense Collaboration Entities", SecurityWeek (securityweek.com), January 12, 2026
  • "Fancy Bear's Use Of Credential Theft", PCRisk (pcrisk.com), January 13, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

APT28, Fancy Bear, BlueDelta, GRU, Russia, Credential Harvesting, Phishing, Threat Intelligence
