{"id":181399,"date":"2026-01-25T02:45:05","date_gmt":"2026-01-25T07:45:05","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/25\/credential-harvesting-attacks-by-apt28-hit-turkish-european-and-central-asian-organizations\/"},"modified":"2026-01-25T02:45:08","modified_gmt":"2026-01-25T07:45:08","slug":"credential-harvesting-attacks-by-apt28-hit-turkish-european-and-central-asian-organizations","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/25\/credential-harvesting-attacks-by-apt28-hit-turkish-european-and-central-asian-organizations\/","title":{"rendered":"Credential-harvesting attacks by APT28 hit Turkish, European, and Central Asian organizations"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/186801\/apt\/credential-harvesting-attacks-by-apt28-hit-turkish-european-and-central-asian-organizations.html\">Credential-harvesting attacks by APT28 hit Turkish, European, and Central Asian organizations<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/186801\/apt\/credential-harvesting-attacks-by-apt28-hit-turkish-european-and-central-asian-organizations.html\">https:\/\/securityaffairs.com\/186801\/apt\/credential-harvesting-attacks-by-apt28-hit-turkish-european-and-central-asian-organizations.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-12 04:29:58<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p>Between February and September 2025, Russia-linked cyberespionage group APT28 (also known by various aliases such as Fancy Bear or BlueDelta) intensified its credential-harvesting operations. APT28 targeted energy, nuclear agencies, think tanks, and policy-related organizations across Turkey, Europe, North Macedonia, and Uzbekistan. 
The group executed sophisticated phishing campaigns, using fake login pages mimicking Outlook, Google, and Sophos VPN websites to steal usernames, passwords, and other credentials. To maintain low operational risk and costs, APT28 relied on free hosting services and tunneling tools, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host phishing sites and exfiltrate data. The use of legitimate PDF documents from trusted institutions in phishing emails helped to further the illusion of authenticity. The campaigns indicate APT28\u2019s ongoing focus on low-effort methods for high-yield credential theft, aligned with Russian intelligence priorities.<\/p>\n<p>Key Points:<br \/>\n&#8211; APT28 expanded credential-harvesting campaigns in 2025, targeting sectors in Turkey, Europe, North Macedonia, and Uzbekistan that align with Russian interests.<br \/>\n&#8211; Phishing tactics mimicked widely used services including Outlook, Google, and Sophos VPN, utilizing low-cost, disposable infrastructure to host attacks.<br \/>\n&#8211; Techniques included legitimate PDF lures and capturing credentials before redirecting victims to legitimate sites.<br \/>\n&#8211; Indicators of Compromise (IoCs) and mitigations have been provided by Recorded Future\u2019s Insikt Group, highlighting a persistent threat from APT28.<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Credential-harvesting attacks by APT28 hit Turkish, European, and Central Asian organizations https:\/\/securityaffairs.com\/186801\/apt\/credential-harvesting-attacks-by-apt28-hit-turkish-european-and-central-asian-organizations.html Publish Date: 
2026-01-12&#8230;<\/p>\n","protected":false},"author":1,"featured_media":181400,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/01\/image-28.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[25],"class_list":["post-181399","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/181399"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=181399"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/181399\/revisions"}],"predecessor-version":[{"id":181401,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/181399\/revisions\/181401"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/181400"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=181399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=181399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=181399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}