Russian BlueDelta hackers ran phishing campaign against Ukrainian webmail users
Russian state-backed hackers have run a months-long phishing campaign against users of UKR.NET, a popular Ukrainian webmail and news service, in an effort to harvest credentials and gather intelligence, cybersecurity researchers said.
The operation — active from June 2024 through April 2025 — was attributed to BlueDelta, also known as APT28, Fancy Bear or Forest Blizzard, according to a report published on Wednesday by Recorded Future’s Insikt Group. The Record is an editorially independent unit of Recorded Future.
Researchers said the campaign likely aimed to collect sensitive information from Ukrainian users in support of broader Russian intelligence objectives.
Insikt Group observed the hackers setting up multiple fake login pages designed to mimic UKR.NET’s authentication portal. Victims were lured through phishing emails carrying PDF attachments with embedded links to the fraudulent pages; putting the link inside the attachment rather than in the email body is a tactic researchers said was likely intended to bypass automated email security filters, which typically scrutinize URLs in message bodies more closely than those buried in document objects.
Analysis of the phishing infrastructure revealed more than 20 linked PDF files, which researchers believe were distributed to targets as part of the campaign. The documents warned users of suspicious activity on their UKR.NET accounts and urged them to click a link to reset their passwords.
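As an added illustration of where a defender can intervene against this tactic (this is example code, not from the Insikt Group report and not anything the report describes BlueDelta or UKR.NET using), the following Python pulls every `/URI` link action out of a PDF attachment and checks the target host against the service's real domain. The sample PDF bytes, the hostnames and the `.example` domains are constructed for the demonstration; the real campaign's hosting providers are not named here.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed sample: a minimal PDF carrying two link annotations. Object 4 points at
# a brand-lookalike host on a throwaway domain (the phishing case); object 5 is a
# hex-encoded PDF string pointing at the genuine webmail host. Not a real sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://ukr-net-login.free-host.example/reset?u=victim) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
   /A << /S /URI /URI <68747470733a2f2f6d61696c2e756b722e6e65742f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF strings come in two forms: literal "( ... )" with backslash escapes, and hex "< ... >".
# The "(?:\\.|[^\\)])*" body lets an escaped ")" appear inside the literal string.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape_literal(raw: bytes) -> bytes:
    """Undo the PDF literal-string escapes that matter for URLs: \\( \\) and \\\\."""
    return re.sub(rb"\\([()\\])", rb"\1", raw)


def _decode_hex(raw: bytes) -> bytes:
    """Decode a PDF hex string; a missing trailing digit is treated as 0 per the spec."""
    digits = "".join(raw.decode("ascii").split())
    if len(digits) % 2:
        digits += "0"
    return bytes.fromhex(digits)


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target in the PDF, literal strings first, then hex strings."""
    uris = [_unescape_literal(m).decode("latin-1") for m in _URI_LITERAL.findall(pdf)]
    uris += [_decode_hex(m).decode("latin-1") for m in _URI_HEX.findall(pdf)]
    return uris


def triage(pdf: bytes, legit_domain: str = "ukr.net") -> list[tuple[str, str]]:
    """Label each embedded link as 'legit' (on the real domain or a subdomain of it),
    'lookalike' (brand name reused on a foreign host) or 'external' (anything else)."""
    brand = legit_domain.split(".")[0]          # "ukr" for ukr.net
    results = []
    for uri in extract_uris(pdf):
        host = (urlparse(uri).hostname or "").lower()
        if host == legit_domain or host.endswith("." + legit_domain):
            verdict = "legit"
        elif brand in host.replace("-", "").replace("_", ""):
            verdict = "lookalike"               # the classic "reset your password" lure
        else:
            verdict = "external"
        results.append((uri, verdict))
    return results


if __name__ == "__main__":
    for uri, verdict in triage(SAMPLE_PDF):
        print(f"{verdict:9} {uri}")
```

This is deliberately a triage step, not a full PDF parser: it scans raw bytes, so links hidden inside compressed object streams would need the document decompressed first, and a verdict of "external" is not automatically benign. The useful signal for a mail gateway is a "lookalike" link in an attachment that claims to come from the service itself.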
“BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024,” the researchers said.
BlueDelta has carried out cyber-espionage and credential-harvesting operations for more than a decade, targeting government bodies, defence contractors, weapons suppliers, logistics firms and policy think tanks, Western governments and security firms say.
Insikt Group warned the activity was unlikely to stop soon.
“BlueDelta is likely to sustain credential-harvesting activity through 2025 and into 2026,” the report said, adding that future campaigns would probably rely on an even wider range of free hosting and redirection services to maintain operations amid ongoing law enforcement efforts.
Webmail services have become a frequent target for espionage-linked hacking groups over the past two years.
In a separate campaign in May, the group was observed exploiting cross-site scripting vulnerabilities to target webmail servers used by state entities and defence companies in Eastern Europe, primarily in Ukraine, Bulgaria and Romania, researchers said.
In 2023, another state-backed group, Winter Vivern, exploited a previously unknown flaw in Roundcube webmail software used by governments across Europe. That same year, APT28 targeted Ukrainian government bodies and a military aviation-related company by abusing multiple vulnerabilities in Roundcube, using Russia’s invasion of Ukraine as a lure to trick victims into opening malicious emails.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.