BlueDelta credential-harvesting infrastructure stages (Source: Recorded Future)
A notorious Russian state-sponsored hacking group has evolved its digital espionage toolkit, launching a sophisticated wave of credential-harvesting attacks targeting energy researchers and government networks across Europe and the Middle East. A new report from Recorded Future’s Insikt Group details how the group, tracked as BlueDelta, is abusing legitimate web services to stealthily steal login information.
BlueDelta, associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), has historically been a relentless operator in the cyber espionage space. Their latest campaign, observed between February and September 2025, marks a strategic refinement in their methods.
Unlike broad-brush phishing campaigns, BlueDelta’s latest operation was highly selective. The group focused on a “small but distinct set of victims,” specifically targeting individuals linked to “a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan”.
The targeting aligns perfectly with Russia’s geopolitical interests. “These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities,” the report notes.
The most striking aspect of the campaign is how heavily the attackers relied on legitimate, free internet infrastructure to hide their tracks. Rather than building custom malware from scratch, BlueDelta “abused legitimate services at scale, impersonating webmail and VPN portals and leveraging free hosting and tunneling platforms to collect credentials and evade detection”.
The group created fake login pages that mimicked Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. These pages were hosted on services like Webhook.site, InfinityFree, and ngrok, allowing the attackers to set up disposable infrastructure for free.
To add a layer of authenticity, the attackers utilized “legitimate PDF lure documents”. In one instance, victims were shown a genuine report from the Gulf Research Center titled “Strategic and Political Implications for Israel and Iran: The Day After War” before being redirected to a fake login screen. Another campaign used a climate change report from the EcoClimate Foundation to target Turkish renewable energy researchers.
Under the hood, BlueDelta has streamlined its operations. The report highlights the group’s use of customized JavaScript to automate the theft.
“BlueDelta used customized JavaScript functions to capture credentials, track victim activity, and automate redirection to legitimate websites, reducing manual setup and increasing operational efficiency”.
For example, scripts were designed to send a “page-opened beacon” the moment a victim clicked a link, capturing their IP address and user agent before they even typed a password. Once credentials were submitted, the victims were redirected to legitimate portals, leaving them unaware of the compromise.
The use of disposable, legitimate infrastructure makes these attacks difficult to block without disrupting normal business operations. Insikt Group warns that this behavior is likely to continue.
“BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data”.
As geopolitical tensions persist, organizations in the energy and defense sectors are urged to look beyond standard phishing indicators and monitor for unusual traffic to free hosting services.
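To show what that monitoring advice amounts to in practice, here is an added detection example (not code from the report or from Recorded Future) that scans constructed web-proxy log lines for traffic to the free hosting and tunneling services the campaign abused, and raises the severity when a beacon-style GET is followed by a POST to the same host. The hostnames in FREE_INFRA and the log format are assumptions, not values from the report.

```python
"""Detection sketch: flag proxy clients that talk to the free hosting and
tunneling services the report names; a GET (page-opened beacon) followed by a
POST (credential submit) to the same host raises the severity."""
import re
from collections import defaultdict
# Assumed hostnames for the named services; verify against your own environment.
FREE_INFRA = {"webhook.site": "Webhook.site", "ngrok.io": "ngrok",
              "ngrok-free.app": "ngrok", "infinityfreeapp.com": "InfinityFree"}
# Constructed log format: <timestamp> <client-ip> <method> <host> <path> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")

def service_for(host):
    """Map a hostname to a named free service, or None if it is not one."""
    host = host.lower().rstrip(".")
    for suffix, name in FREE_INFRA.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def parse(line):
    """Return (client, method, host) for a line in the constructed format, else None."""
    m = LOG_RE.match(line.strip())
    return (m.group(2), m.group(3), m.group(4)) if m else None

def beacon_then_post(methods):
    """True when a POST follows the first GET: beacon first, credentials second."""
    return "GET" in methods and "POST" in methods[methods.index("GET") + 1:]

def find_suspicious(lines):
    """One alert per (client, host) pair that touched free infrastructure."""
    seen = defaultdict(list)  # (client, host, service) -> methods in log order
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        client, method, host = ev
        svc = service_for(host)
        if svc:
            seen[(client, host, svc)].append(method)
    return [{"client": c, "host": h, "service": s,
             "severity": "high" if beacon_then_post(m) else "medium"}
            for (c, h, s), m in seen.items()]
# Constructed sample (not real telemetry); 10.1.2.3 shows the beacon-then-POST sequence.
SAMPLE = [
    "2025-03-04T09:12:01Z 10.1.2.3 GET owa-login.example.infinityfreeapp.com /owa/ 200",
    "2025-03-04T09:12:44Z 10.1.2.3 POST owa-login.example.infinityfreeapp.com /owa/auth 302",
    "2025-03-04T09:13:10Z 10.1.2.3 GET outlook.office.com /owa/ 200",
    "2025-03-04T09:20:00Z 10.1.2.9 GET abcd1234.ngrok-free.app /vpn 200",
    "2025-03-04T09:21:00Z 10.1.2.7 GET www.example.com / 200",
]
```

Run `find_suspicious(SAMPLE)` to get one high-severity alert for the InfinityFree host and one medium-severity alert for the ngrok host; the legitimate Outlook and example.com requests produce nothing.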