APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

These articles are AI-generated summaries. Please check the original sources for full details.

The Russian state-sponsored threat actor APT28 (also known as BlueDelta and Fancy Bear) conducted a sustained phishing campaign against users of UKR[.]net, a Ukrainian webmail service, between June 2024 and April 2025. Utilizing fake login pages hosted on services like Mocky, the campaign aimed to steal user credentials and two-factor authentication (2FA) codes.

Why This Matters

The ideal security model assumes users are vigilant against phishing, but this attack demonstrates a persistent and adaptive adversary successfully circumventing those defenses—resulting in compromised accounts. Such campaigns have a broad impact, as successful credential harvesting enables further espionage and intelligence gathering, particularly given APT28’s focus on targets related to Ukraine’s defense and geopolitical interests.

Key Insights

  • APT28 has been active since the mid-2000s, consistently evolving its tactics to target governments, contractors, and think tanks.
  • Proxy tunneling services (ngrok, Serveo) replaced compromised routers, indicating an adaptive response to infrastructure takedowns.
  • Subdomain abuse (blogspot[.]com) introduces layered redirection to mask malicious URLs.

Practical Applications

  • Use Case: APT28 leverages free hosting and tunneling services to maintain campaign persistence despite disruptions.
  • Pitfall: Relying solely on URL blacklists is ineffective against dynamic infrastructure like that used by APT28; behavior-based detection is crucial.
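The Pitfall above (and the Key Insights on tunneling services and blogspot[.]com redirection) call for scoring URLs by behavior rather than matching exact blacklist entries. The following is an added example, not code from the original summary or from any cited source: it flags proxy-log URLs by the parent domain of ephemeral tunnel/free-host services, brand lookalikes of the impersonated webmail, credential-form paths, and nested redirects. The parent-domain list, the log format, and all sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Parent domains of the free hosting / tunnelling services the summary names
# (Mocky, ngrok, Serveo, Blogspot). Exact hostnames are assumptions; the point
# is to match the ephemeral-subdomain parent, not a fixed blacklisted URL.
TUNNEL_PARENTS = ("ngrok.io", "ngrok-free.app", "serveo.net", "mocky.io", "blogspot.com")
IMPERSONATED = ("ukr.net",)  # the legitimate webmail being spoofed
CRED_WORDS = re.compile(r"login|signin|auth|2fa|otp|verify", re.I)

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def url_reasons(url):
    """Return the behavioural reasons a URL looks like tunnel-hosted credential phishing."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if any(under(host, d) for d in TUNNEL_PARENTS):
        reasons.append("ephemeral-host")
    # Brand string present in the URL but the host is not actually that brand
    if any(b in url.lower() and not under(host, b) for b in IMPERSONATED):
        reasons.append("brand-lookalike")
    if CRED_WORDS.search(p.path + "?" + p.query):
        reasons.append("credential-form")
    # A query value that is itself a URL signals layered redirection
    if any(v.lower().startswith(("http://", "https://"))
           for vals in parse_qs(p.query).values() for v in vals):
        reasons.append("nested-redirect")
    return reasons

LOG_LINE = re.compile(r"user=(\S+)\s+url=(\S+)")  # assumed proxy-log shape

def scan_log(lines, min_reasons=2):
    """Return (user, url, reasons) for lines with at least min_reasons hits."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            user, url = m.groups()
            reasons = url_reasons(url)
            if len(reasons) >= min_reasons:
                hits.append((user, url, reasons))
    return hits

# Constructed sample proxy log; none of these URLs are real indicators.
SAMPLE_LOG = [
    "2025-03-01T09:14:02Z user=alice url=https://a1b2c3.ngrok.io/ukr.net/login.html",
    "2025-03-01T09:15:10Z user=bob url=https://mail.ukr.net/login",
    "2025-03-01T09:16:45Z user=carol url=https://news-ua.blogspot.com/?next=https://x.serveo.net/verify",
    "2025-03-01T09:17:30Z user=dave url=https://example.org/blog/post",
]
```

A single reason (bob's genuine login path) is not enough to alert; two or more independent behaviours are required, which is what keeps the rule useful when the attacker rotates hostnames.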
