Monday, January 12, 2026

Security researchers have observed renewed activity from the threat group APT28 (also tracked as BlueDelta). In this campaign the group has focused on stealing high-value credentials, primarily targeting personnel at energy and nuclear research organizations in Turkey, as well as officials in European institutions and in agencies in North Macedonia and Uzbekistan. The targeting aligns closely with Russia's strategic intelligence-gathering priorities.
The attack chain is layered and stealthy. It begins with phishing emails containing shortened URLs that entice the victim to click. The links redirect through legitimate services such as Webhook[.]site and first present a PDF decoy on a current geopolitical topic (the Iran–Israel conflict, environmental policy) to establish credibility. Shortly afterward the victim is silently redirected to a fraudulent login page that convincingly mimics Microsoft Outlook Web Access (OWA), Google, or a Sophos VPN portal.
A particularly concerning aspect of this campaign is its evasion technique. Once the victim submits credentials, backend scripts immediately forward the stolen data to the attackers and then redirect the victim back to the legitimate document site, which reduces suspicion and delays detection. APT28 has also been observed using free internet infrastructure, including services such as InfinityFree and ngrok, as part of its operational backend. This approach highlights the group's ability to run low-cost, high-impact espionage operations while complicating attribution and takedown efforts.
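The relay-then-harvest-then-bounce sequence described above leaves a recognisable shape in web proxy logs: a GET to a relay host, a landing on cheap or tunnelled hosting referred by that relay, a POST to a login-looking path on the same host, and then a GET to an unrelated (benign) site. The following is an added detection example written for this page, not code from the article or from any vendor; the log format, the free-hosting suffix list (other than the webhook.site and ngrok names the article mentions) and every host, user and URL in the sample lines are constructed for illustration and would be replaced by an organisation's own schema and provider list.

```python
"""Flag proxy-log sessions that match the relay -> fake login -> bounce-back chain.

Added example, not from the original article. Log format, provider list
(beyond webhook.site and ngrok) and all sample traffic are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: hosts the attacker uses as the first hop. webhook.site is named
# in the article; an analyst would extend this with other relays seen in mail.
RELAY_HOSTS = {"webhook.site"}
# Assumption: suffixes for tunnel / free-hosting providers. ngrok is named in
# the article; ".free-host.example" is a placeholder for such a provider.
CHEAP_HOSTING_SUFFIXES = (".ngrok-free.app", ".ngrok.io", ".free-host.example")
LOGIN_PATH_HINTS = ("owa", "login", "signin", "auth", "vpn", "portal")

# Constructed log schema: "<ts> <user> <method> <url> <status> <referer|->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>GET|POST) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the schema."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    url = urlparse(rec["url"])
    rec["host"] = url.hostname or ""
    rec["path"] = url.path.lower()
    rec["ref_host"] = urlparse(rec["referer"]).hostname or ""  # "-" yields ""
    return rec


def is_cheap_host(host):
    return any(host == s[1:] or host.endswith(s) for s in CHEAP_HOSTING_SUFFIXES)


def looks_like_login(path):
    return any(hint in path for hint in LOGIN_PATH_HINTS)


def find_harvest_chains(lines):
    """Return {user: [chain, ...]} for users whose requests show the full chain.

    chain = relay GET -> cheap-host page referred by the relay -> POST to a
    login-looking path on that host -> later GET to some other host (the
    bounce back to the decoy document).
    """
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_user[rec["user"]].append(rec)

    hits = {}
    for user, recs in per_user.items():
        relay_url = landed_host = None
        for i, r in enumerate(recs):
            if r["method"] == "GET" and r["host"] in RELAY_HOSTS:
                relay_url, landed_host = r["url"], None
            elif relay_url and r["ref_host"] in RELAY_HOSTS and is_cheap_host(r["host"]):
                landed_host = r["host"]
            elif (landed_host and r["method"] == "POST" and r["host"] == landed_host
                  and looks_like_login(r["path"])):
                # Credentials were submitted; find the bounce to a non-attacker host.
                bounce = next((n["host"] for n in recs[i + 1:]
                               if n["method"] == "GET" and n["host"] != landed_host
                               and n["host"] not in RELAY_HOSTS), None)
                hits.setdefault(user, []).append({
                    "relay": relay_url, "form_post": r["url"],
                    "post_status": r["status"], "bounced_to": bounce})
                relay_url = landed_host = None
    return hits


# Constructed sample traffic: alice walks the full chain, bob only opens the decoy.
SAMPLE_LOG = """\
2026-01-12T09:14:02Z alice GET https://short.example/a1b2 302 -
2026-01-12T09:14:03Z alice GET https://webhook.site/11111111-2222-3333-4444-555555555555 200 https://short.example/a1b2
2026-01-12T09:14:05Z alice GET https://policy-brief.free-host.example/owa/index.html 200 https://webhook.site/11111111-2222-3333-4444-555555555555
2026-01-12T09:14:41Z alice POST https://policy-brief.free-host.example/owa/auth.php 302 https://policy-brief.free-host.example/owa/index.html
2026-01-12T09:14:42Z alice GET https://docs.example.org/report.pdf 200 -
2026-01-12T09:20:10Z bob GET https://webhook.site/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee 200 -
2026-01-12T09:20:12Z bob GET https://docs.example.org/report.pdf 200 https://webhook.site/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
"""

if __name__ == "__main__":
    for user, chains in find_harvest_chains(SAMPLE_LOG.splitlines()).items():
        for c in chains:
            print(f"{user}: POST to {c['form_post']} ({c['post_status']}) "
                  f"via {c['relay']}, then bounced to {c['bounced_to']}")
```

Two caveats for real deployments. The relay-to-landing link relies on the Referer header surviving the redirect, which a strict Referrer-Policy or a cross-origin 302 can strip; correlating by user and a short time window instead of Referer is more robust. And the 302 on the POST is only what this kit does; a kit that returns 200 and redirects with JavaScript still produces the POST-then-unrelated-GET pattern, which is why the bounce is searched for in subsequent requests rather than read from the POST status.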
Source https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.html
