A cyber-espionage campaign by Russia’s BlueDelta group targets Ukrainian webmail users using legitimate web services to avoid detection. The campaign focuses on stealing credentials through sophisticated redirect chains and malware-laden attachments, reflecting ongoing digital conflict in Ukraine. #BlueDelta #GRU #UKR.NET #CyberEspionage
Key points
- BlueDelta, linked to Russia’s GRU, conducts a persistent campaign targeting Ukrainian credentials.
- The group now exploits free web services like Mocky, ngrok, and Serveo to evade detection.
- The activity begins with a malicious PDF that redirects victims to fake UKR.NET login pages.
- BlueDelta modifies tunneling tools to disable warning pages, creating seamless phishing experiences.
- The campaign aims to support broader Russian intelligence operations in Ukraine, expected to continue into 2026.
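As an added defender-side illustration (not code from the report or from any vendor), the following checks a recorded redirect chain for the pattern described above: a first hop on a free mock or tunneling service followed by a final page that impersonates UKR.NET. The hostname patterns for Mocky, ngrok and Serveo, and the sample chains, are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hostname patterns for the free services named in the report. The exact
# hostnames are an assumption based on those services' public domains.
TUNNEL_SERVICES = {
    "mocky": re.compile(r"(^|\.)mocky\.io$"),
    "ngrok": re.compile(r"(^|\.)(ngrok\.io|ngrok-free\.app|ngrok\.app)$"),
    "serveo": re.compile(r"(^|\.)serveo\.net$"),
}
LEGIT_MAIL_HOST = re.compile(r"(^|\.)ukr\.net$")
# Brand-impersonation heuristic: "ukr.net" / "ukr-net" / "ukrnet" anywhere
# in a URL whose host is not ukr.net itself.
BRAND_PATTERN = re.compile(r"ukr[-_.]?net", re.I)


def service_for(host):
    """Return the mock/tunneling service a hostname belongs to, or None."""
    for name, pattern in TUNNEL_SERVICES.items():
        if pattern.search(host):
            return name
    return None


def analyze_chain(urls):
    """Inspect an ordered redirect chain (first hop = link in the document).

    Returns the services transited, whether the final hop impersonates
    UKR.NET, and a combined verdict."""
    services = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        svc = service_for(host)
        if svc and svc not in services:
            services.append(svc)
    final = urls[-1] if urls else ""
    final_host = (urlparse(final).hostname or "").lower()
    lookalike = bool(BRAND_PATTERN.search(final)) and not LEGIT_MAIL_HOST.search(final_host)
    return {"services": services, "lookalike_final": lookalike,
            "suspicious": bool(services) and lookalike}


# Constructed sample chains (not real indicators), as a sandbox or web proxy
# might record them while following a link from an attachment.
SAMPLE_CHAINS = {
    "phish": ["https://run.mocky.io/v3/CONSTRUCTED-ID",
              "https://1234-example.ngrok-free.app/ukr-net/login"],
    "benign": ["https://mail.ukr.net/", "https://accounts.ukr.net/login"],
}

if __name__ == "__main__":
    for label, chain in SAMPLE_CHAINS.items():
        print(label, analyze_chain(chain))
```

The same check can be run over URLs extracted from inbound PDFs or over proxy logs; a hit on a tunneling service alone is only a weak signal, while a hit combined with a UKR.NET lookalike final page matches the reported chain.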