Credential-harvesting attacks by APT28 hit Turkish, European, and Central Asian organizations

https://securityaffairs.com/186801/apt/credential-harvesting-attacks-by-apt28-hit-turkish-european-and-central-asian-organizations.html

Publish Date: 2026-01-12 04:29:58

Source Domain: securityaffairs.com

Between February and September 2025, Russia-linked cyberespionage group APT28 (also tracked under aliases such as Fancy Bear and BlueDelta) intensified its credential-harvesting operations. APT28 targeted energy companies, nuclear agencies, think tanks, and policy-related organizations across Turkey, Europe, North Macedonia, and Uzbekistan. The group ran sophisticated phishing campaigns that used fake login pages mimicking Outlook, Google, and Sophos VPN to steal usernames, passwords, and other credentials. To keep operational risk and cost low, APT28 relied on free hosting services and tunneling tools, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host the phishing sites and exfiltrate the captured data. Attaching legitimate PDF documents from trusted institutions to the phishing emails reinforced the illusion of authenticity. The campaigns show APT28’s continued preference for low-effort, high-yield credential theft aligned with Russian intelligence priorities.

Key Points:
– APT28 expanded its credential-harvesting campaigns in 2025, targeting organizations in Turkey, Europe, North Macedonia, and Uzbekistan in sectors aligned with Russian interests.
– Phishing pages mimicked widely used services, including Outlook, Google, and Sophos VPN, and were hosted on low-cost, disposable infrastructure.
– Techniques included legitimate PDF lures and capturing credentials on the fake page before redirecting victims to the legitimate site.
– Recorded Future’s Insikt Group has published Indicators of Compromise (IoCs) and mitigations, underscoring the persistent threat posed by APT28.
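The pattern described above (brand-impersonating login pages on free hosting or tunneling services, with captured data posted to a webhook endpoint) lends itself to a simple proxy-log check. The following is an added illustration, not code from the article or from Insikt Group; the hostname suffixes for the named services and the log line format are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed hostname suffixes for the free hosting / tunneling services named in the
# report (Webhook.site, ngrok, InfinityFree, Byet). Illustrative only; replace with
# the published IoCs and your own allow/deny lists.
ABUSED_HOSTING_SUFFIXES = (
    "webhook.site", "ngrok.io", "ngrok-free.app", "infinityfreeapp.com", "byethost.com",
)
# Brands the phishing pages imitated (Outlook, Google, Sophos VPN) plus generic login words.
BRAND_KEYWORDS = ("outlook", "office365", "owa", "google", "gmail", "sophos", "vpn")
LOGIN_KEYWORDS = ("login", "signin", "sign-in", "auth", "password")

def classify_request(method, url):
    """Return a finding dict if the request looks like a phishing page or a credential
    submission on an abused free hosting/tunneling service, else None."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    provider = next((s for s in ABUSED_HOSTING_SUFFIXES
                     if host == s or host.endswith("." + s)), None)
    if provider is None:
        return None  # traffic to the real service (e.g. outlook.office.com) is not flagged
    haystack = f"{host} {parsed.path} {parsed.query}".lower()
    brands = [k for k in BRAND_KEYWORDS if k in haystack]
    login = any(k in haystack for k in LOGIN_KEYWORDS)
    if brands or login:
        severity = "high" if brands and login else "medium"
        reason = "brand-impersonating login page on free hosting"
    elif method.upper() == "POST":
        severity, reason = "medium", "form submission to free hosting/tunnel (possible exfil)"
    else:
        return None
    return {"url": url, "provider": provider, "brands": brands,
            "severity": severity, "reason": reason}

# Assumed proxy log format: "<timestamp> <user> <method> <url> <status>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

def scan_proxy_log(lines):
    """Parse proxy log lines and return the findings in log order."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        finding = classify_request(m.group("method"), m.group("url"))
        if finding:
            finding.update(user=m.group("user"), ts=m.group("ts"))
            findings.append(finding)
    return findings

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2025-06-03T08:12:44Z alice GET https://outlook-owa-login.infinityfreeapp.com/auth/index.php 200",
    "2025-06-03T08:13:01Z alice POST https://webhook.site/PLACEHOLDER-UUID 200",
    "2025-06-03T08:15:10Z bob GET https://sophos-vpn.ngrok-free.app/ 200",
    "2025-06-03T08:16:22Z carol GET https://outlook.office.com/mail/ 200",
]
```

Run with `python -c "import scan; print(scan.scan_proxy_log(scan.SAMPLE_LOG))"` (assuming the file is saved as scan.py); the first three constructed lines are flagged and the genuine Outlook request is not.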