APT28 Credential Phishing Campaign Targets UKR.net Users: Technical Analysis and Threat Intelligence Report
- Rescana
- 15 hours ago
- 5 min read

Executive Summary
A sophisticated and persistent credential phishing campaign orchestrated by APT28 - also known as Fancy Bear, BlueDelta, Forest Blizzard, and several other aliases - has been targeting users of the Ukrainian webmail service UKR-net. This campaign, active from at least June 2024 through April 2025, leverages advanced social engineering, multi-stage redirection, and abuse of legitimate cloud and tunneling services to harvest credentials and two-factor authentication (2FA) codes. The operation demonstrates a significant evolution in APT28’s tradecraft, including rapid adaptation to infrastructure takedowns and the use of anonymized exfiltration channels. The campaign’s primary objective is intelligence collection against Ukrainian government, military, and civil society, supporting Russian state interests. This report provides a comprehensive technical analysis, threat actor profile, exploitation details, victimology, and actionable mitigation strategies.
Threat Actor Profile
APT28 is a Russian state-sponsored advanced persistent threat group, attributed to the GRU’s 85th Main Special Service Center. The group is also tracked as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. Active since at least the mid-2000s, APT28 is renowned for its cyber-espionage operations targeting government, military, defense, policy, and media organizations, particularly in Europe and the United States. The group’s hallmark is its agility in infrastructure development, rapid adoption of new TTPs (tactics, techniques, and procedures), and persistent targeting of high-value entities. In 2024–2025, APT28 has demonstrated a marked shift toward leveraging free cloud services, multi-stage redirection, and anonymized tunneling to evade detection and maintain operational resilience in the face of Western-led infrastructure takedowns.
Technical Analysis of Malware/TTPs
The APT28 campaign against UKR-net users is characterized by a multi-layered phishing and credential harvesting operation. The attack chain begins with spearphishing emails containing malicious PDF or HTML attachments. These attachments embed links that are obfuscated using URL shorteners such as tiny[.]cc, tinyurl[.]com, t[.]ly, and linkcuts[.]com. Upon clicking, victims are redirected through a series of intermediary domains, often hosted on free platforms like Blogger (*.blogspot[.]com), Byet Internet Services (*.html-5[.]me, *.is-great[.]org), or frge[.]io. This multi-stage redirection serves to mask the final phishing destination and complicate detection.
The terminal stage of the attack presents the victim with a highly convincing UKR-net-themed login page, typically hosted on Mocky (run[.]mocky[.]io) or similar free static hosting services. Victims are prompted to enter their UKR-net credentials and, crucially, their 2FA codes. The phishing infrastructure is designed to capture these inputs in real time.
For exfiltration, APT28 has shifted from using compromised routers to leveraging anonymized tunneling services such as ngrok (ngrok[.]io) and Serveo (serveo[.]net). These services create ephemeral, encrypted tunnels that relay stolen credentials and 2FA codes directly to attacker-controlled endpoints, bypassing traditional network monitoring and blocking mechanisms. In some cases, public webhook services like PipeDream and Webhook.site are used to collect credentials without the need for custom infrastructure.
A notable innovation in this campaign is the use of compromised Ubiquiti EdgeOS routers. By deploying a custom Python script on these devices, APT28 automates the process of interacting with the UKR-net API, bypassing 2FA, enabling IMAP access, and deleting notification emails to cover their tracks. The routers are compromised via SSH backdoors, often using the openssh-backdoor-kit rootkit.
The campaign’s infrastructure is highly modular and resilient, with rapid rotation of domains, subdomains, and tunneling endpoints. This agility is a direct response to increased takedown efforts by Western security vendors and law enforcement.
Exploitation in the Wild
The exploitation phase is marked by the delivery of spearphishing emails to targeted UKR-net users. These emails are crafted to appear legitimate and often reference current events or official communications to increase credibility. The use of PDF or HTML attachments with embedded, obfuscated links is designed to bypass basic email filtering and sandboxing solutions.
Upon successful credential capture, APT28 immediately leverages the stolen information to access the victim’s UKR-net account. The group’s automation scripts enable rapid exploitation, including the bypass of 2FA protections and the establishment of persistent IMAP access. Notification emails generated by suspicious logins or security events are programmatically deleted, reducing the likelihood of user detection.
The campaign has been observed targeting a broad spectrum of Ukrainian entities, including government officials, military personnel, journalists, and members of civil society. The theft of credentials and 2FA codes enables APT28 to access sensitive communications, conduct further internal reconnaissance, and potentially pivot to additional targets within the victim’s network.
Victimology and Targeting
The primary victims of this campaign are users of the UKR-net webmail service, which is widely used by Ukrainian government agencies, military units, non-governmental organizations, and the general public. The targeting is highly selective, with a focus on individuals likely to possess or transmit sensitive information relevant to Russian intelligence objectives.
While the full scope of victimization is not publicly disclosed, open-source intelligence and reporting from Recorded Future and Sekoia.io indicate that the campaign has successfully compromised accounts belonging to government officials, military officers, journalists, and civil society activists. The use of multi-stage redirection and anonymized exfiltration channels suggests a deliberate effort to evade detection and maximize the operational lifespan of the campaign.
The campaign’s reliance on social engineering, rather than exploitation of software vulnerabilities, underscores the importance of user awareness and robust authentication practices in defending against advanced phishing threats.
Mitigation and Countermeasures
Organizations and individuals at risk from APT28’s credential phishing campaign should implement a multi-layered defense strategy. Email security solutions should be configured to detect and quarantine messages containing suspicious attachments or links, particularly those using URL shorteners or redirecting through free hosting services such as Mocky, Blogger, frge[.]io, ngrok, and Serveo. Network monitoring should be enhanced to identify anomalous outbound connections to tunneling and webhook services.
User education is paramount. Regular phishing awareness training should emphasize the risks associated with unsolicited attachments, the importance of verifying URLs before entering credentials, and the dangers of providing 2FA codes outside of official authentication workflows.
Technical controls should include the enforcement of strong, unique passwords and the adoption of phishing-resistant multi-factor authentication methods, such as hardware security keys or app-based authenticators. Organizations should maintain deny-lists for free hosting and tunneling services not required for business operations.
For infrastructure security, administrators of Ubiquiti EdgeOS routers and similar devices must ensure that firmware is up to date, default credentials are changed, and SSH access is restricted. Regular audits for unauthorized access and the presence of rootkits or backdoors are essential.
Incident response plans should be updated to include procedures for credential compromise, including rapid account lockdown, forced password resets, and forensic analysis of affected systems.
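As an added example (not part of the Rescana report), the following Python snippet turns the defanged indicators listed in this report into a stage-labelled watchlist and runs it over a few constructed proxy-log lines, matching subdomains as well as exact hosts so that a redirect chain of shortener, free-hosting intermediary, Mocky landing page and tunneling exfiltration endpoint surfaces in order. Log format and hostnames in the sample are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators as they appear in the report, kept in defanged form.
SHORTENERS = {"tiny[.]cc", "tinyurl[.]com", "t[.]ly", "linkcuts[.]com"}
INTERMEDIARY = {"blogspot[.]com", "html-5[.]me", "is-great[.]org", "frge[.]io"}
LANDING = {"run[.]mocky[.]io"}
EXFIL = {"ngrok[.]io", "serveo[.]net", "webhook[.]site"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'tiny[.]cc' back into 'tiny.cc'."""
    return indicator.replace("[.]", ".").lower()

# Map each refanged domain to the attack stage the report associates it with.
WATCHLIST = {}
for stage, domains in (("shortener", SHORTENERS), ("intermediary", INTERMEDIARY),
                       ("landing", LANDING), ("exfil", EXFIL)):
    for d in domains:
        WATCHLIST[refang(d)] = stage

def classify_host(host: str):
    """Return the stage if host equals, or is a subdomain of, a watchlisted domain."""
    labels = host.lower().rstrip(".").split(".")
    # Try progressively shorter suffixes so 'x.y.blogspot.com' matches 'blogspot.com'.
    for i in range(len(labels) - 1):
        stage = WATCHLIST.get(".".join(labels[i:]))
        if stage:
            return stage
    return None

URL_RE = re.compile(r"https?://\S+")

def scan_lines(lines):
    """Scan proxy/mail-gateway log lines; return (line_no, host, stage) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            stage = classify_host(host)
            if stage:
                hits.append((n, host, stage))
    return hits

# Constructed sample log lines (hypothetical, not observed data); the last one is benign.
SAMPLE_LOG = [
    "2025-04-02T09:14:03Z user=alice GET https://tinyurl.com/abc123 200",
    "2025-04-02T09:14:05Z user=alice GET https://docs.news-site.blogspot.com/p/mail.html 200",
    "2025-04-02T09:14:08Z user=alice GET https://run.mocky.io/v3/0000-login 200",
    "2025-04-02T09:14:20Z user=alice POST https://a1b2.ngrok.io/collect 200",
    "2025-04-02T09:15:00Z user=bob GET https://mail.ukr.net/ 200",
]
```

Ordered hits from one user within a short window (shortener, then intermediary, then landing, then exfil) are a stronger signal than any single domain match, since several of these services also carry legitimate traffic.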
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our platform leverages cutting-edge threat intelligence, automation, and analytics to deliver actionable insights and enhance your organization’s security posture. For more information or to discuss how Rescana can support your cybersecurity strategy, we are happy to answer questions at ops@rescana.com.