Russian APT actor phishes the Baltics and the Balkans
Dec. 21, 2025, 7:31 p.m.
Description
A Russian Advanced Persistent Threat (APT) group has been targeting government entities in the Baltic and Balkan regions with sophisticated phishing campaigns. The attackers use email attachments spoofing official documents to lure victims into entering their credentials on fake login pages. The phishing pages employ blurred background images and complex password validation mechanisms. Stolen credentials are sent to a third-party service, even if they don't meet the specified complexity requirements. This campaign has been active since at least 2023, with various lures tailored to specific government targets in countries such as Moldova, Ukraine, Lithuania, Bosnia and Herzegovina, Macedonia, Montenegro, Spain, and Bulgaria.
Date
- Created: Dec. 16, 2025, 9:50 a.m.
- Published: Dec. 16, 2025, 9:50 a.m.
- Modified: Dec. 21, 2025, 7:31 p.m.
Additional Information
- Government and administrations
- Defense
- Bosnia and Herzegovina
- North Macedonia
- Moldova, Republic of
- Bulgaria
- Spain
- Lithuania
- Montenegro
- Ukraine