Russian BlueDelta hackers ran phishing campaign against Ukrainian webmail users

Summary

Recorded Future’s Insikt Group reports that BlueDelta (also known as APT28, Fancy Bear) conducted a months-long phishing operation targeting UKR.NET users between June 2024 and April 2025. The campaign used PDF attachments with embedded links to fake UKR.NET login pages to harvest credentials and gather intelligence in support of Russian state-linked objectives.

Author take: Punchy and plain — this is classic espionage tradecraft adapted to dodge modern defences. The attackers used more than 20 linked PDF lures, free hosting and anonymised tunnelling to keep their infrastructure resilient after takedowns in 2024.

Key Points

  • BlueDelta targeted UKR.NET webmail users from June 2024 to April 2025 to harvest credentials and collect intelligence.
  • Attackers deployed dozens of PDF-based lures that redirected victims to realistic fake login pages mimicking UKR.NET’s portal.
  • PDF attachments with embedded links were likely chosen to evade automated email security filters.
  • Researchers identified more than 20 linked PDF files used across the campaign.
  • BlueDelta relied on free hosting and anonymised tunnelling — an adaptive response to 2024 infrastructure takedowns.
  • The group has a long history of espionage against governments, defence contractors, logistics firms and think tanks; activity is expected to continue into 2026.
  • Webmail services remain a frequent target — previous campaigns abused XSS and zero-day flaws in Roundcube and other webmail platforms across Eastern Europe.

Context and Relevance

This campaign underlines a continuing trend: state-linked actors favour credential harvesting via plausible webmail lures because stolen mail accounts provide rich intelligence and pivot opportunities. Organisations that rely on webmail — particularly in Ukraine and neighbouring states — are at elevated risk. For security teams, the report signals the need to tighten basic controls (MFA, phishing-resistant authentication), harden webmail software, scan email attachments for PDFs that carry embedded links or redirects, and monitor for abuse of free hosting and anonymising redirection services.
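One of those controls, scanning PDF attachments for embedded links that point away from the legitimate webmail domain, can be prototyped in a few dozen lines. The script below is an added illustration, not code from Recorded Future or from the report; it extracts `/URI` link actions from raw (uncompressed) PDF bytes and flags any target whose hostname is outside an allow-list, with an extra flag when the hostname contains the brand name, which is how lookalike login pages usually present. The allow-list policy, the `ukr` brand token, and the sample PDF with its `.example` hostnames are all constructed for the demonstration; the report does not publish the campaign's domains.

```python
"""Flag PDF link actions that lead off the expected webmail domain.

Added illustration for this summary, not code from the report. Stdlib only,
so it runs offline. Handles /URI values given as literal strings "(...)" or
hex strings "<...>" in uncompressed objects; links inside compressed object
streams would need a real PDF parser in front of this.
"""
import re
from urllib.parse import urlsplit

# Hostnames the genuine login is expected to use (policy assumption; ukr.net
# is the targeted service named in the report). Subdomains are accepted.
EXPECTED_HOSTS = {"ukr.net"}

# Coarse brand token: a hostname outside the allow-list that still contains
# it is treated as a likely lookalike. Assumption for the demo.
BRAND_TOKENS = ("ukr",)

# /URI followed by a literal string (handles \( \) \\ escapes) or a hex string.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]+)>)")


def _decode_literal(raw: bytes) -> str:
    """Undo the PDF string escapes that matter for a URL."""
    raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return raw.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every URI string found in the PDF's link actions."""
    uris = []
    for literal, hexstr in _URI_RE.findall(pdf_bytes):
        if literal:
            uris.append(_decode_literal(literal))
        else:
            digits = re.sub(rb"\s", b"", hexstr).decode()
            uris.append(bytes.fromhex(digits).decode("latin-1"))
    return uris


def is_allowed(host: str) -> bool:
    """True if host is an allow-listed domain or one of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def assess_uri(url: str) -> dict:
    """Classify one link target; 'reasons' is empty for links judged benign."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if not host:
        reasons.append("no hostname (relative or non-URL link)")
    elif not is_allowed(host):
        reasons.append("hostname outside allow-list")
        if any(tok in host for tok in BRAND_TOKENS):
            reasons.append("brand lookalike in hostname")
    return {"url": url, "host": host, "suspicious": bool(reasons), "reasons": reasons}


def scan_pdf(pdf_bytes: bytes) -> list[dict]:
    """Assess every link action in the PDF, in document order."""
    return [assess_uri(u) for u in extract_uris(pdf_bytes)]


# Constructed sample: a minimal PDF skeleton (no xref table, not meant to be
# rendered) with three link annotations. The first points at the real
# service, the second at a brand-lookalike host, the third at a generic
# off-brand host of the kind a free-hosting or tunnelling redirect would use.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100]
   /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 190 30]
   /A << /S /URI /URI (https://mail.ukr.net/) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [10 40 190 60]
   /A << /S /URI /URI (https://ukr-net-login.example/auth) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [10 70 190 90]
   /A << /S /URI /URI <68747470733a2f2f74756e6e656c2e6578616d706c652f6c6f67696e> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for finding in scan_pdf(SAMPLE_PDF):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['url']}  {'; '.join(finding['reasons'])}")
```

In a mail gateway this check would run after decompressing object streams and would feed the flagged URLs into whatever redirect-following and reputation lookups the organisation already has; the allow-list is deliberately strict so that a link to any host other than the expected webmail domain is surfaced for review rather than silently passed.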

Why should I read this?

Short and sharp: if you manage email, user accounts or defensive ops, this matters. BlueDelta’s persistence and clever use of PDFs to slip past filters mean ordinary protections can be bypassed. Read this to know what to watch for — and what to fix fast (MFA, patching webmail, user training and monitoring for PDF redirects).

Source

Source: https://therecord.media/russian-bluedelta-hackers-ran-phishing-ukraine-webmail