BlueDelta credential harvesting infrastructure configuration (Source: Recorded Future)
A persistent cyber-espionage campaign targeting Ukrainian webmail users has evolved its tactics to evade detection, leveraging a suite of legitimate, free web services to bypass security filters. A new report by Insikt Group details the operations of BlueDelta—a Russian state-sponsored group linked to the GRU—which has been relentlessly hunting for credentials to UKR.NET accounts throughout 2024 and 2025.
The campaign marks a strategic pivot for the group (also known as APT28 or Fancy Bear), shifting away from compromised hardware to ephemeral cloud infrastructure in response to global law enforcement pressure.
Between June 2024 and April 2025, researchers tracked a sustained effort by BlueDelta to steal usernames, passwords, and two-factor authentication (2FA) codes from Ukrainian targets. Rather than building expensive custom infrastructure, the group “leveraged free web services, including Mocky, DNS EXIT, and later, proxy tunneling platforms such as ngrok and Serveo”.
This reliance on legitimate tools serves a dual purpose: it lowers the cost of the operation and blends malicious traffic with benign activity, making detection difficult for defenders.
“BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024,” the report states.
The attack chain begins not with a malicious link in the body of an email, but with an attachment. The group distributed “malicious PDF lures that linked to credential-harvesting pages through embedded URLs,” a technique designed to bypass automated email scanning sandboxes.
Once a victim clicks the link, they are funneled through a multi-stage redirection chain. The attackers used services such as Mocky to host the initial redirect code, eventually landing the victim on a fake UKR.NET login portal. These pages were carefully crafted, using custom JavaScript not only to capture passwords but also to relay CAPTCHA challenges and intercept 2FA codes in real time, so that a one-time code entered by the victim could be replayed against the genuine service before it expired.
One of the most notable technical details in the report is how BlueDelta overcame the safety features of the tools they abused. When using ngrok, a popular tunneling service, users are typically presented with a browser warning page before accessing the tunnel. To prevent this warning from alerting their victims, the hackers modified their code.
“The additional line of JavaScript adds a new HTTP request header to all outgoing requests… This new header is used to disable ngrok’s browser warning page,” researchers explained.
By adding the ngrok-skip-browser-warning header, which ngrok documents as the way for non-browser clients to skip its interstitial and which accepts any value, the attackers ensured that the page’s requests to the tunnel went straight through, keeping the victim unaware that their data was flowing to a proxy tunnel rather than to the legitimate site. For defenders the same header is a useful signal: ordinary browser navigation never sends it, so its presence in web proxy or WAF telemetry, particularly alongside a request to an ngrok-hosted endpoint, merits a look.
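As an added example (not code from the Insikt Group report or from the BlueDelta kit it analyses), the following Node.js script reproduces the mechanism described above, a wrapper that stamps the ngrok-skip-browser-warning header on every outgoing fetch, and pairs it with the defender’s view of the whole chain from the redirect section: a scan over constructed proxy-log records for one client session that flags the bypass header, hops through free hosting and tunnel services, and a credential POST that lands off the ukr.net domain. The hostnames, paths, indicator patterns and form field names are assumptions for the example, not indicators from the report.

```javascript
"use strict";

// Header name ngrok documents for suppressing its browser warning page.
// ngrok accepts any value; "1" is this example's choice.
const SKIP_HEADER = "ngrok-skip-browser-warning";

// --- Mechanism the report describes: one wrapper adds the opt-out header
// to every outgoing request. `fetchImpl` is injected so this runs offline.
function installSkipWarning(fetchImpl) {
  return function fetchSkippingWarning(url, init = {}) {
    const headers = new Headers(init.headers || {});
    headers.set(SKIP_HEADER, "1");
    return fetchImpl(url, { ...init, headers });
  };
}

// --- Defender side. Indicator patterns are assumptions for this example,
// not IOCs taken from the report; tune them to your own telemetry.
const TUNNEL_HOSTS = [/\.ngrok(-free)?\.(app|io|dev)$/i, /\.serveo\.net$/i];
const FREE_HOSTS = [/(^|\.)mocky\.io$/i, /(^|\.)dnsexit\.com$/i];
const LEGIT_LOGIN_HOST = /(^|\.)ukr\.net$/i;
const CREDENTIAL_FIELDS = ["password", "pass", "otp", "code"];

const hostOf = (url) => new URL(url).hostname;
const matchesAny = (host, patterns) => patterns.some((re) => re.test(host));
const isRedirect = (rec) => rec.status >= 300 && rec.status < 400 && !!rec.location;

// Follow 3xx Location responses from the first record and return the hosts traversed.
function redirectChain(records) {
  const hosts = [];
  let next = records.length ? records[0].url : null;
  for (const rec of records) {
    if (!next || rec.url !== next) continue;
    hosts.push(hostOf(rec.url));
    next = isRedirect(rec) ? new URL(rec.location, rec.url).href : null;
  }
  return hosts;
}

// Each record: { method, url, status, headers: {lower-case name: value}, location?, body? }
function scanRequests(records) {
  const findings = [];
  const flag = (i, rule) => findings.push({ index: i, rule, host: hostOf(records[i].url) });

  records.forEach((rec, i) => {
    const host = hostOf(rec.url);
    const headers = rec.headers || {};
    if (SKIP_HEADER in headers) flag(i, "ngrok-skip-header");
    if (matchesAny(host, TUNNEL_HOSTS)) flag(i, "tunnel-host");
    if (matchesAny(host, FREE_HOSTS) && isRedirect(rec)) flag(i, "free-host-redirect");
    const fields = Object.keys(rec.body || {}).map((k) => k.toLowerCase());
    const hasCredential = fields.some((f) => CREDENTIAL_FIELDS.includes(f));
    if (rec.method === "POST" && hasCredential && !LEGIT_LOGIN_HOST.test(host)) {
      flag(i, "credential-post-off-domain");
    }
  });
  return findings;
}

// Constructed proxy-log records for one client session; hostnames and paths are placeholders.
const SAMPLE_SESSION = [
  { method: "GET", url: "https://run.mocky.io/v3/00000000-0000-0000-0000-000000000000",
    status: 302, headers: {}, location: "https://mail-ukr-login.serveo.net/" },
  { method: "GET", url: "https://mail-ukr-login.serveo.net/", status: 200, headers: {} },
  { method: "POST", url: "https://0000-00-00-00-00.ngrok-free.app/api/login", status: 200,
    headers: { [SKIP_HEADER]: "1", "content-type": "application/json" },
    body: { login: "victim@ukr.net", password: "constructed-value", otp: "123456" } },
];

if (typeof module !== "undefined" && require.main === module) {
  console.log("redirect chain:", redirectChain(SAMPLE_SESSION));
  console.table(scanRequests(SAMPLE_SESSION));
}
```

The wrapper is the attacker-side primitive in one place so that its footprint is obvious: every request, not only the login POST, carries the header. On the detection side the rules are deliberately independent, so a session that hits only the free-host redirect or only the tunnel host still surfaces; the credential rule suppresses the legitimate case by allow-listing the real login domain rather than by matching on the attacker’s hosts, which rotate.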
The targeting of UKR.NET—a widely used email and news service in Ukraine—underscores the operational priorities of Russian military intelligence.
“BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements”.
As the war in Ukraine continues, so does the digital conflict. Insikt Group predicts that BlueDelta will likely continue this behavior well into 2026, incorporating “further diversification of free hosting and redirection platforms” to stay one step ahead of takedown efforts.