Threat Intelligence · January 11, 2026 · 4 min read

Russia's APT28 Harvests Credentials Across Balkans and Central Asia

Fancy Bear campaigns from February through September 2025 targeted energy, defense, and policy organizations using fake VPN and email login pages.

Alex Kowalski

Recorded Future published new research this week documenting sustained credential harvesting campaigns by APT28 across the Balkans, Middle East, and Central Asia throughout 2025. The Russian GRU-linked group targeted energy research facilities, military organizations, and policy think tanks using fake login pages for VPNs and email services.

The campaigns demonstrate that APT28—also tracked as Fancy Bear, BlueDelta, and Forest Blizzard—continues relying on straightforward phishing tactics rather than sophisticated zero-days. When targeting specific organizations with valid lures, simple techniques still work.

What is APT28?

APT28 is a cyber espionage unit attributed to Russia's GRU military intelligence agency. The group gained notoriety for the 2016 Democratic National Committee breach and subsequent election interference operations. They've since conducted campaigns against government, military, and critical infrastructure targets worldwide.

The group's tactics range from zero-day exploitation to basic credential phishing. This latest campaign series falls firmly in the latter category—fake login pages hosted on commodity infrastructure, designed to steal usernames and passwords from specific targets.

Campaign Timeline

Recorded Future identified three distinct waves of activity:

April 2025: A European think tank faced a campaign using fake Google password reset pages hosted on Byet Internet Services.

June 2025: A Turkish energy and nuclear research agency received phishing emails directing victims to a fake Sophos VPN password reset page. The attackers hosted the credential harvester on InfinityFree, a free web hosting service.

September 2025: North Macedonian military personnel and an IT integrator in Uzbekistan were targeted with fake password expiration warnings. The lures claimed passwords would expire and needed immediate renewal.

Across all campaigns, APT28 used legitimate PDF documents as decoys—publications from the Gulf Research Center on Iran-Israel relations and climate policy briefings from European think tanks. The decoys matched targets' professional interests, increasing the likelihood victims would engage with the phishing links.

Attack Chain

The attacks followed a consistent pattern:

  1. Target receives phishing email with shortened URL
  2. Click redirects through webhook[.]site, briefly displaying a legitimate decoy PDF
  3. After two seconds, victim lands on a spoofed login page (Sophos VPN, Google, or Microsoft OWA)
  4. Hidden HTML form captures credentials via JavaScript
  5. A "page opened" beacon notifies attackers of the view
  6. Victim redirects to the actual legitimate PDF

The brief decoy display serves a clever purpose: it gives the victim a plausible reason for having clicked the link while the credential harvesting happens in the background. Whether the entered credentials are accepted or rejected, the victim ends up viewing the expected document, which reduces suspicion.
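The redirect chain above leaves a recognisable footprint in web-proxy logs: a shortener, then webhook.site, then a free-hosting domain, all from one user within a minute or two. The following Python is an added example, not code from the article or from Recorded Future. It assumes a simple constructed proxy log format, and the shortener and free-hosting domain lists are sample entries that a real deployment would maintain from its own threat intelligence feed.

```python
"""Reconstruct the shortener -> webhook.site -> free-hosting chain from proxy logs.

Added example, not code from the article or from Recorded Future. The log
format, the sample lines and the domain lists are assumptions constructed for
illustration; a real deployment would read Zeek http.log or proxy exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed indicator categories, mirroring the stages the article describes.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}                        # assumption
REDIRECTORS = {"webhook.site"}                                             # named in the article
FREE_HOSTING = {"infinityfreeapp.com", "byethost.com", "ngrok-free.app"}   # assumed sample domains
CHAIN = ["shortener", "redirector", "free_hosting"]   # stages that must appear in this order
WINDOW = timedelta(seconds=120)                        # one click's worth of activity


def _matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(host, path):
    """Map a request to a chain stage, or None if it is unrelated."""
    if host in URL_SHORTENERS:
        return "shortener"
    if _matches(host, REDIRECTORS):
        return "redirector"
    if _matches(host, FREE_HOSTING):
        return "free_hosting"
    if path.lower().endswith(".pdf"):
        return "pdf"   # the decoy; recorded for context, not required for a match
    return None


def parse_line(line):
    """Constructed proxy format: '<iso-timestamp> <user> <method> <url> <status>'."""
    ts, user, method, url, status = line.split()
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return {"ts": datetime.fromisoformat(ts), "user": user, "method": method,
            "host": host, "stage": classify(host, parsed.path), "status": int(status)}


def _is_subsequence(needle, haystack):
    it = iter(haystack)
    return all(s in it for s in needle)


def find_chains(lines):
    """Group each user's stage-relevant requests into WINDOW-sized bursts and
    report bursts that pass shortener -> redirector -> free hosting in order.
    A POST to the free-hosting page inside the burst is the strongest signal
    that credentials were actually submitted."""
    per_user = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev["stage"] is not None:
            per_user[ev["user"]].append(ev)

    hits = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        bursts, current = [], []
        for ev in events:
            if current and ev["ts"] - current[0]["ts"] > WINDOW:
                bursts.append(current)
                current = []
            current.append(ev)
        if current:
            bursts.append(current)

        for burst in bursts:
            stages = []
            for ev in burst:
                if ev["stage"] not in stages:
                    stages.append(ev["stage"])
            if _is_subsequence(CHAIN, stages):
                posted = any(ev["method"] == "POST" and ev["stage"] == "free_hosting"
                             for ev in burst)
                hits.append({"user": user, "start": burst[0]["ts"].isoformat(),
                             "stages": stages, "credential_post": posted})
    return hits


# Constructed sample: one user follows the full chain and submits the form,
# another clicks a shortened link that leads somewhere benign.
SAMPLE_LOG = """\
2025-06-12T09:14:02 jdoe GET https://bit.ly/EXAMPLE1 302
2025-06-12T09:14:03 jdoe GET https://webhook.site/00000000-EXAMPLE 200
2025-06-12T09:14:04 jdoe GET https://think-tank.example/iran-israel-brief.pdf 200
2025-06-12T09:14:06 jdoe GET https://sophos-vpn-reset.infinityfreeapp.com/login.html 200
2025-06-12T09:14:41 jdoe POST https://sophos-vpn-reset.infinityfreeapp.com/submit 302
2025-06-12T09:14:42 jdoe GET https://think-tank.example/iran-israel-brief.pdf 200
2025-06-12T10:02:10 asmith GET https://bit.ly/EXAMPLE2 302
2025-06-12T10:02:11 asmith GET https://news.example/newsletter 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print(hit)
```

The burst grouping matters more than the domain lists: the same three providers appear in plenty of benign traffic, but a single user touching all three in order within two minutes, with a POST at the end, is the pattern the article describes, and it is the POST that should drive a password reset.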

Infrastructure Choices

APT28 deliberately used commodity hosting services rather than dedicated infrastructure:

  • InfinityFree (free hosting)
  • Byet Internet Services
  • webhook[.]site for redirects
  • ngrok for tunneling

This approach trades operational sophistication for disposability. If defenders block one hosting provider, the attackers spin up new infrastructure within hours. The services are legitimate, making blanket blocking impractical.

Recorded Future noted this contrasts with APT28's more advanced capabilities. The group has previously exploited zero-days in Cisco routers and deployed custom malware like BRICKSTORM. Simple credential phishing apparently remains effective enough to warrant continued use.

Why Credentials Matter

Stolen VPN and email credentials provide initial access to target networks without triggering vulnerability-based detection. An attacker logging in with valid credentials looks identical to a legitimate user—at least until they start moving laterally or exfiltrating data.

APT28's target selection reflects Russian intelligence priorities: energy research, military cooperation, and government policy. Access to these organizations' email systems and VPNs enables follow-on espionage operations, potentially lasting months or years before detection.

Detection and Defense

Organizations in targeted sectors should:

  1. Implement phishing-resistant MFA - Hardware security keys or certificate-based authentication defeat credential phishing even when users fall for fake login pages
  2. Monitor authentication sources - Flag logins from unusual locations or infrastructure providers like InfinityFree
  3. Train staff on regional lures - APT28 used Turkish-language and region-specific content; generic phishing awareness doesn't cover targeted campaigns
  4. Review VPN access logs - Look for successful authentications from commodity VPN or hosting providers
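Items 2 and 4 above amount to one review: successful VPN or webmail logins whose source is a hosting or tunnelling provider, or a country the user has never authenticated from. The following Python is an added example, not code from the article or from Recorded Future. It assumes a constructed authentication log format and replaces a real GeoIP/ASN lookup with a small inline table of documentation-range addresses.

```python
"""Review VPN and webmail authentication logs for successful logins that come
from hosting or tunnelling providers, or from a country the user has never
authenticated from before.

Added example, not code from the article or from Recorded Future. The log
format, the sample lines and the IP-to-provider table are constructed for
illustration; in production the lookup would be a GeoIP/ASN database or the
identity provider's own risk signals.
"""
from collections import defaultdict

# Assumption: a tiny ASN/GeoIP stand-in using only documentation-range addresses.
IP_INFO = {
    "203.0.113.7":  {"provider": "CorpISP",      "country": "TR", "hosting": False},
    "203.0.113.9":  {"provider": "CorpISP",      "country": "TR", "hosting": False},
    "198.51.100.4": {"provider": "InfinityFree", "country": "US", "hosting": True},
    "192.0.2.88":   {"provider": "ngrok",        "country": "DE", "hosting": True},
}
UNKNOWN = {"provider": "unknown", "country": "??", "hosting": False}


def parse_auth_line(line):
    """Constructed format: '<timestamp> <service> user=<name> src=<ip> result=<ok|fail>'."""
    ts, service, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "service": service, "user": kv["user"],
            "src": kv["src"], "ok": kv["result"] == "ok"}


def build_baseline(history_lines):
    """Countries each user has successfully authenticated from in the past."""
    baseline = defaultdict(set)
    for ev in map(parse_auth_line, history_lines):
        if ev["ok"]:
            baseline[ev["user"]].add(IP_INFO.get(ev["src"], UNKNOWN)["country"])
    return baseline


def review(lines, baseline):
    """Return one finding per successful login that deserves analyst attention.
    Failed attempts are skipped here; they belong in a separate brute-force view."""
    findings = []
    for ev in map(parse_auth_line, lines):
        if not ev["ok"]:
            continue
        info = IP_INFO.get(ev["src"], UNKNOWN)
        reasons = []
        if info["hosting"]:
            reasons.append(f"source is hosting/tunnel provider {info['provider']}")
        if info["country"] not in baseline.get(ev["user"], set()):
            reasons.append(f"first successful login from {info['country']}")
        if reasons:
            findings.append({"ts": ev["ts"], "service": ev["service"], "user": ev["user"],
                             "src": ev["src"], "reasons": reasons})
    return findings


# Constructed sample data: a known-good history, then a day of recent activity.
HISTORY = """\
2025-05-02T08:01:00 sophos-vpn user=jdoe src=203.0.113.7 result=ok
2025-05-02T08:05:00 owa user=asmith src=203.0.113.9 result=ok
""".splitlines()

RECENT = """\
2025-06-12T09:20:15 sophos-vpn user=jdoe src=198.51.100.4 result=ok
2025-06-12T09:22:40 owa user=asmith src=203.0.113.9 result=ok
2025-06-12T09:25:03 sophos-vpn user=jdoe src=192.0.2.88 result=fail
2025-06-12T11:40:00 owa user=bkhan src=192.0.2.88 result=ok
""".splitlines()

if __name__ == "__main__":
    for f in review(RECENT, build_baseline(HISTORY)):
        print(f["ts"], f["service"], f["user"], f["src"], "; ".join(f["reasons"]))
```

Two design points: the baseline is built only from successful logins, so a past failed attempt from an attacker's address never becomes "normal", and a user with no history at all (bkhan in the sample) is flagged on any country, which is the right default for a newly provisioned or rarely used account. None of this replaces item 1; it is what catches the case where phishing-resistant MFA is not yet everywhere.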

The campaigns reinforce that sophisticated threat actors don't always use sophisticated techniques. When simple phishing works against high-value targets, there's no reason to burn zero-days.
