Russian-linked group targeted Ukrainian webmail users with phishing campaign

Written by Farah Amod | January 4, 2026

Researchers say the activity focused on harvesting credentials from a widely used Ukrainian email service.

What happened

Researchers from Recorded Future’s Insikt Group reported that the Russia-linked threat group BlueDelta carried out a prolonged phishing campaign against users of UKR.NET, a popular Ukrainian webmail and news platform. The operation ran from June 2024 through April 2025 and involved fake login pages designed to closely resemble the legitimate UKR.NET authentication portal. Victims were sent phishing emails containing PDF attachments that linked to the fraudulent pages, a technique researchers said was intended to bypass automated email security controls.

Going deeper

The phishing documents warned recipients about alleged suspicious activity on their accounts and prompted them to reset their passwords. Insikt Group identified more than twenty related PDF files connected to the infrastructure supporting the campaign, suggesting sustained and repeated targeting rather than isolated attempts. The attackers relied on free hosting services and anonymized tunneling tools to operate their phishing infrastructure. Researchers assessed that the campaign was designed to collect credentials and access personal communications, likely to support intelligence collection tied to Russia’s ongoing focus on Ukraine.

What was said

Insikt Group said the use of free hosting and anonymization services appeared to be a response to earlier infrastructure disruptions linked to Western law enforcement actions. The researchers added that BlueDelta has a long history of cyber espionage operations targeting government institutions, defense-related organizations, and policy entities across Europe and beyond. They warned that similar credential harvesting activity is likely to continue into 2026, with future campaigns expected to use an even broader mix of hosting and redirection services to maintain access.

The big picture

Webmail platforms have become frequent targets for state-linked espionage groups because they provide access to communications, account recovery links, and broader identity data. ESET Intelligence has previously reported that Russia-aligned groups, including APT28, have repeatedly targeted webmail services in Ukraine and Eastern Europe to support intelligence collection and follow-on operations. These campaigns often combine phishing with exploitation of webmail software vulnerabilities, reflecting a sustained interest in email as a strategic intelligence source.

FAQs

Why is UKR.NET an attractive target for espionage groups?

It is widely used in Ukraine, and access to accounts can reveal personal communications, contacts, and links to other online services.

How do PDF-based phishing lures bypass security controls?

PDF attachments can appear less suspicious than links in email bodies and may evade filters that focus on URL analysis.

What information can attackers gain from webmail credentials?

They can read messages, reset passwords for other services, impersonate users, and collect intelligence from stored correspondence.

How can users reduce the risk of credential theft?

They can avoid clicking links in unsolicited emails, verify login pages by checking URLs directly, and enable multi-factor authentication where available.

Are webmail services commonly targeted in geopolitical conflicts?

Yes. Email platforms are often targeted because they provide a low-cost way to gather intelligence and support broader cyber operations.