SECURITY

Analysis: APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

Russian State-Sponsored Hackers Target Ukrainian Users in Long-Running Campaign

A Russian state-sponsored threat actor tracked as APT28 (BlueDelta in Recorded Future's naming) has been running a sustained credential-harvesting campaign against users of the Ukrainian webmail provider UKR.net. Recorded Future's Insikt Group observed the activity between June 2024 and April 2025 and assesses it as a continuation of the group's earlier credential-phishing operations against European networks.

The Modus Operandi of APT28

APT28 combines several techniques to get victims to hand over both their passwords and their two-factor authentication (2FA) codes. The attackers build login pages that mimic UKR.net and host them on legitimate services such as Mocky, a mock-API hosting service, which gives the fake pages a trusted domain and leaves the attackers with no infrastructure of their own to be taken down. Links to these pages are placed inside PDF documents that are distributed as phishing email attachments.

  • The links are shortened with services such as tiny.cc or tinyurl.com, which hides the final destination from the recipient and from simple URL filters.
  • In some cases APT28 also registered subdomains on Blogger (*.blogspot.com) and used them as the first stage of a two-stage redirect chain that ends at the credential-harvesting page.
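The chain described above (PDF attachment, shortened link, optional Blogger redirect, login page on a mock-API host or a tunnelling service) is easy to triage automatically. The following is an added example written for this article, not code from the original page or from Recorded Future: it pulls the link targets out of a PDF's raw bytes, walks the redirect chain one hop at a time through an injected `fetch` callable, and tags each stage. The PDF bytes, the redirect map, the hostnames and the domain lists are constructed placeholders for the demonstration and do not reproduce the campaign's real URLs.

```python
"""Triage of a phishing PDF's link chain, modelled on the UKR.net campaign.

Added example, not code from the original article or from Recorded Future.
The PDF bytes, the redirect map and the domain lists below are constructed
for the demonstration; the real campaign's URLs are not reproduced here.
"""
import re
from urllib.parse import urlsplit

# Services the article reports being abused, grouped by role in the chain.
# Illustrative lists only; extend them from your own telemetry.
SHORTENERS = {"tiny.cc", "tinyurl.com"}
REDIRECTORS = {"blogspot.com"}        # matched as a suffix (subdomains)
LANDING_HOSTS = {"run.mocky.io", "mocky.io"}
TUNNELS = {"ngrok.io", "ngrok-free.app", "ngrok.app", "serveo.net"}

# Link actions in a PDF are stored as /URI (...) entries; pulling them out of
# the raw bytes is enough for triage and avoids rendering the document.
_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return the /URI targets found in an uncompressed PDF, in order."""
    return [m.group(1).decode("latin-1") for m in _URI_RE.finditer(pdf_bytes)]

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def _suffix_match(host: str, domains: set[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def resolve_chain(url: str, fetch, max_hops: int = 10) -> list[str]:
    """Follow HTTP redirects one hop at a time.

    `fetch(url)` must return (status, headers) without following redirects
    itself, so every hop is recorded and loops are bounded by max_hops.
    """
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        location = headers.get("Location") if 300 <= status < 400 else None
        if not location:
            break
        chain.append(location)
    return chain

def classify_chain(chain: list[str]) -> dict:
    """Tag each stage of the chain and flag the pattern the article describes."""
    tags = []
    for url in chain:
        h = host_of(url)
        if _suffix_match(h, SHORTENERS):
            tags.append("shortener")
        elif _suffix_match(h, REDIRECTORS):
            tags.append("blog-redirector")
        elif _suffix_match(h, LANDING_HOSTS):
            tags.append("mock-api-host")
        elif _suffix_match(h, TUNNELS):
            tags.append("tunnel")
        else:
            tags.append("other")
    # Suspicious: a shortener or blog redirector that ends on a mock-API host
    # or a tunnel endpoint, i.e. a "login page" with no real web backend.
    suspicious = (
        ("shortener" in tags or "blog-redirector" in tags)
        and tags[-1] in {"mock-api-host", "tunnel"}
    )
    return {"chain": chain, "tags": tags, "suspicious": suspicious}

# --- Constructed sample data (placeholders, not campaign indicators) ---------
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://tiny.cc/example-lure) >> >> endobj\n"
    b"%%EOF\n"
)
# Fake redirect map standing in for the network: shortener -> Blogger
# subdomain -> Mocky-hosted "login" page.
FAKE_REDIRECTS = {
    "https://tiny.cc/example-lure": "https://example-lure.blogspot.com/",
    "https://example-lure.blogspot.com/": "https://run.mocky.io/v3/example-id",
}

def fake_fetch(url):
    """Offline stand-in for an HTTP HEAD that does not auto-follow redirects."""
    if url in FAKE_REDIRECTS:
        return 302, {"Location": FAKE_REDIRECTS[url]}
    return 200, {}

def triage_pdf(pdf_bytes: bytes, fetch=fake_fetch) -> list[dict]:
    """Extract every link from the PDF and classify its redirect chain."""
    return [classify_chain(resolve_chain(u, fetch)) for u in extract_pdf_uris(pdf_bytes)]

if __name__ == "__main__":
    for result in triage_pdf(SAMPLE_PDF):
        print(result)
```

In production, replace `fake_fetch` with a HEAD request that has redirect-following disabled, run it from an isolated egress, and feed the resulting chains into your mail-gateway or SOAR rules; the point of walking hop by hop is that the shortener and the Blogger stage are themselves the indicators, and a client that auto-follows redirects would hide them.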

Implications for North East India and Broader Indian Context

While this campaign targets Ukrainian users, it illustrates how persistent state-sponsored credential phishing is and how heavily it leans on widely used legitimate services (URL shorteners, Blogger, mock-API hosts, tunnelling services) rather than on dedicated attacker infrastructure. None of those techniques is specific to Ukraine: as India expands its digital infrastructure and online presence, the same lure and redirect patterns apply to any webmail user base, and the indicators above are worth monitoring regardless of region.

Adaptive Response and Persistent Interest

APT28's shift from proxying its credential-harvesting traffic through compromised routers to tunnelling services such as ngrok and Serveo is an adaptive response to the takedown of that router infrastructure in early 2024. The speed of the change shows how readily the group replaces lost infrastructure, and it underlines a persistent interest in Ukrainian user credentials as a source of intelligence during Russia's ongoing war in Ukraine. For defenders, it also means that outbound connections to tunnelling-service domains from hosts that have no business using them are a worthwhile detection signal.

Reflections and Looking Forward

The campaign harvests one-time 2FA codes alongside passwords, so SMS or authenticator-app codes alone do not stop an attacker who relays them promptly. Organisations should prefer phishing-resistant authentication (FIDO2/WebAuthn security keys or passkeys, which are bound to the legitimate origin), treat PDF attachments carrying shortened links as suspicious, and train users and analysts to recognise login pages served from mock-API, blog and tunnelling domains. Keep threat intelligence current and prioritise the protection of credentials and the data they unlock.