BlueDelta’s Persistent Campaign Against UKR.NET

Dec. 21, 2025, 7:35 p.m.

Description

Between June 2024 and April 2025, a sustained credential-harvesting campaign targeting UKR.NET users was identified, attributed to the Russian state-sponsored threat group BlueDelta. The group deployed multiple credential-harvesting pages themed as UKR.NET login portals, leveraging free web services and proxy tunneling platforms to collect user credentials. BlueDelta distributed PDF lures with embedded links to evade detection. The campaign demonstrates the group's adaptability and persistent focus on Ukrainian user credentials for intelligence purposes. Infrastructure changes, including the transition to ngrok and Serveo, reflect responses to takedown efforts. The activity highlights the GRU's continued interest in compromising Ukrainian credentials amid ongoing conflict.

External References

https://otx.alienvault.com/pulse/69430d7dd15ada5cf6e88f2e
https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet
Tags
phishing
ngrok
credential harvesting
russian threat actor
gru
2025-12-17
pdf lures
proxy tunneling
ukr.net
ukrainian targets
webmail compromise

Date

  • Created: Dec. 17, 2025, 8:07 p.m.
  • Published: Dec. 17, 2025, 8:07 p.m.
  • Modified: Dec. 21, 2025, 7:35 p.m.

Indicators

  • 1919d9c67a9ce00382f65b4bc1e1d1f4e4c0b296bc20ca45ba8fef8c188138ec
  • c194f619d1ed73c0f0721d818564aa8238aceba94d1e721942c5cb67cbba68ff
  • 64b26a92652bfb67cbe18217b6508fce460eff859526b2e256d3f1b9eab338b0
  • 5fd8153dbb4620ab589aaa83815afce34135e5a0a5af10876fb3b0fff344c64b
  • 704b0a4f2f2195d22340471b9bdb06244047f7042728dd7f6aa6e3c5e30c9bc1
  • 009440551eb6ea83da1a28361ebf44b3d022f204b99b82b83e266ec4807d18eb
  • f5d2edbf1af6bf7db3f29e77a99883e39b5bc4ec483af4de47e8a75574248649
  • 44935484933a13fb6632e8db92229cf1c5777333fa5a3c0a374b37428add69fb
  • 86a9ca34790e219ddc371fa154c51a9a2930e2afdebf4fc0889d2ba94d6acfc1
  • 95783d875ee50ef619f455a715150f414ed00157a6579ae6f73ccd72c394c5d8
  • be3cccc2c62c0033aebcf91a6587eb815a1994cf268c42cf92ed856b6cf556aa
  • ce421ab3db97f4b68d6e688c8ad5a6bafe82612d23df3257128433578c3caffb
  • 1a4c609fb75a54c7016736e471b6f92aaed7bb51257f3946e4ece9dd9125500c
  • 8f1994f2474512430f7c998dc6c57d0fd215860a24b58f90325122bb6d8a224c
  • 53142380d75e3f54490f2896b58f308e6b91bec841d09b4e88985cb5b7812031
  • 2f8e8b2783c8c47da0f265199671f3cae4e31b2a03999fff12aa3090c74c7a51
  • 9f394a9cb2e54e7be10c41b997e7dc85b882c4c7dd203b6984ca2aea151a47b5
  • 20a3bf615c257d0c79ed82c428c3c182298876e52356988dd72dc20b2f12a217
  • 8b77e8199c61c0d97b7a40e35feedf21a168a62696b18bbb4d49766332c2c8a8
  • fa8a4d544ffb3ca9d51448772f478f303602023e0cd70af4b9f85d3b72b4cd27
  • 2431578b5ba5a8569a689807bdb827e3d445a16cc013ed8eba7b7bfea661d76a
  • c0890f375af0f503c873878b1b09a1c5147b72ab38511d9911e847c10622c0aa
  • 73.80.9.137
Download all indicators here!

Attack Patterns

  • BlueDelta

Additional Informations

  • ukrainnet.com
  • un.mocky.io
  • 6c7aa72bd5f1d30203b80596f926b2b7.serveo.net
  • linkcuts.org
  • 232524f51a.serveo.net
  • 5ae39a1b39d45d08f947bdf0ee0452ae.serveo.net
  • doads.org
  • 92ace7e653e9c32d2af9700592cc96ea.serveo.net
  • chujdrtuityui.mydiscussion.net
  • f0ee0452ae.serveo.net
  • 0592cc96ea.serveo.net
  • talebco.ir
  • 47e811dbe2ed0ea8d506af94c1bb7d4c.serveo.net
  • ukrainesafe.is-great.org
  • tuyt8erti867i.synergize.co
  • element.id
  • 94c1bb7d4c.serveo.net
  • edfuture.com
  • ukrinet.com
  • ukraine.html-5.me
  • linkcuts.com
  • kfghjerrlknsm.line.pm
  • d7763713839aaf61dd299a55da3aad76.serveo.net
  • ukrainesafeurl.talebco.ir
  • 73ce1aae8a9ba738b91040232524f51a.serveo.net
  • Russian Federation
  • Ukraine