**Credential-Harvesting Attacks by APT28 Hit Turkish, European, and Central Asian Organizations**

APT28 identity

A sophisticated cyberespionage group linked to Russia, APT28 (also known as UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM), has been conducting credential-harvesting attacks against various organizations in Turkey, Europe, North Macedonia, and Uzbekistan. The group's targets include energy, nuclear, and policy staff, as well as personnel from European think tanks.

APT28 credential harvesting

Between February and September 2025, the Insikt Group at Recorded Future observed APT28 running these credential-harvesting campaigns. The group used regionally tailored lures that reflected their interest in energy, defense, and government networks aligned with Russian intelligence priorities.

**Tactics, Techniques, and Procedures (TTPs)**

APT28 employed fake login pages mimicking Outlook, Google, and Sophos VPN to steal credentials. These phishing pages redirected victims to legitimate sites after credential theft to avoid detection. The group relied on free hosting, tunneling services, and PDF lures to host phishing pages, exfiltrate data, and enable redirects.

To appear credible, attackers embedded real PDF lures from trusted organizations such as the Gulf Research Center and the EcoClimate Foundation. Phishing emails led victims to decoy PDFs for a few seconds before showing spoofed Microsoft OWA pages that secretly sent credentials to webhook endpoints, then redirected users back to legitimate content.

**Campaigns and Targets**

In February 2025, APT28 deployed spoofed Microsoft OWA login pages delivered through shortened links and Webhook[.]site. Victims were first shown legitimate PDF lures from trusted think tanks, then redirected to fake login pages that captured emails, passwords, IPs, and user agents via hidden HTML and JavaScript beacons, before redirecting back to the real PDFs.

Later campaigns reused this approach with updated scripts, Turkish-language lures, and targets tied to energy research. APT28 continued its credential-harvesting campaigns in 2025, targeting VPNs, Microsoft OWA, and Google accounts.

**Low-Cost, High-Yield Credential Theft**

APT28 used free hosting and tunneling services like Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok to host phishing pages, exfiltrate data, and enable redirects. This low-cost approach allowed the group to keep costs down while still achieving high yields.

**Insikt Group's Analysis**

The Insikt Group has not previously observed BlueDelta using Google-themed credential-harvesting pages in its past campaigns. However, based on similarities between this activity and previous attacks, it is likely that this activity is associated with BlueDelta.

**Mitigations and Indicators of Compromise (IoCs)**

To mitigate these attacks, organizations should be aware of the following IoCs:

* Spoofed Microsoft OWA login pages * Google-themed credential-harvesting pages * PDF lures from trusted organizations * Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok used for free hosting and tunneling services

Organizations should also implement the following mitigations:

* Educate employees on phishing attacks and the importance of strong passwords * Implement multi-factor authentication (MFA) for all users * Use reputable security software to detect and prevent malware infections * Regularly update software and plugins to ensure protection against known vulnerabilities

**Conclusion**

APT28's credential-harvesting campaigns are a reminder that cyberespionage groups continue to evolve and adapt their tactics, techniques, and procedures. Organizations must stay vigilant and implement robust security measures to protect themselves against these types of attacks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon for the latest cybersecurity news and analysis.