State-linked Russians go on spear phishing spree
Targeting victims across Europe and the Middle East
Hackers linked to the Russian state are using fake login pages to steal credentials from a small but strategically chosen group of targets, according to new research.
Analysts at Recorded Future say the hacking group known as BlueDelta, which is linked to Russia's military intelligence agency, the GRU, carried out multiple credential-harvesting campaigns between February and September 2025.
BlueDelta, also known as Fancy Bear, APT28 and Forest Blizzard, has been active for more than a decade and is widely associated with espionage operations against governments, militaries and research organisations.
One of the hallmarks of the latest attacks is how closely the fake pages and documents mimic the genuine ones. They rely on carefully tailored phishing emails, often written in the recipient's native language and designed to appear relevant to their professional interests.
In several cases, victims were first shown genuine PDF documents taken from legitimate organisations, before being redirected to convincing replicas of well-known login portals.
Targets included an IT services firm in Uzbekistan, a European think tank, a military organisation in North Macedonia and scientists linked to a Turkish energy and nuclear research body.
In one case, Turkish renewable energy researchers were lured with a real climate policy document produced by a Middle Eastern think tank.
After entering their details once, victims were redirected to the legitimate login page of the same service, a tactic that could easily be dismissed as a technical error rather than an attack.
The stolen credentials would allow attackers to access email accounts or VPNs, enabling further intelligence collection and potentially opening the door to more valuable targets connected through supply chains or travel links.
At first glance, the selection of victims may appear random, researchers say, but Recorded Future argues the targeting is consistent with Russian strategic intelligence priorities.
"When viewed through an intelligence lens, it is highly selective and consistent with GRU collection priorities. The targets almost always align with geopolitical, military, or strategic intelligence objectives rather than commercial or criminal objectives," said Matt H., a principal threat analyst at Recorded Future.
"In previous BlueDelta campaigns, we have observed credential-harvesting pages targeting relatively small or obscure organisations that later proved to be linked to higher-value targets through travel, logistics, or supply chain relationships."
Rather than using bespoke hacking infrastructure, BlueDelta made extensive use of free online services to host phishing pages and manage redirections.
These included popular hosting and tunnelling platforms, such as Webhook, Byet Internet Services, InfinityFree and ngrok, which researchers say help reduce costs and complicate efforts to trace responsibility.
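The two behaviours described above, a credential form hosted on a free tunnelling or hosting service and the victim being bounced to the genuine portal immediately after submitting, leave a recognisable sequence in web proxy logs. The following detection sketch is an added example written for this article; it is not code from Recorded Future or from the report. The log format, the sample log lines, the placeholder portal hostnames (`login.example-mail.test`, `vpn.example-corp.test`) and the list of free-hosting suffixes are all assumptions to be tuned for a real environment.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: suffixes of free hosting/tunnelling services of the kind named in the
# report that a phishing page might be served from. Tune this list for your environment.
FREE_HOSTING_SUFFIXES = ("ngrok.io", "ngrok-free.app", "webhook.site")

# Assumption: placeholder hostnames of the genuine login portals your users rely on.
LEGIT_LOGIN_HOSTS = ("login.example-mail.test", "vpn.example-corp.test")

# How quickly the genuine portal must follow a credential POST to count as a redirect.
REDIRECT_WINDOW = timedelta(seconds=60)

# Constructed sample proxy log lines (not real telemetry):
# "<ISO timestamp> <user> <method> <url> <status>"
SAMPLE_LOG = [
    "2025-06-12T09:14:02Z alice GET https://abc123.ngrok-free.app/doc/policy.pdf 200",
    "2025-06-12T09:14:40Z alice POST https://abc123.ngrok-free.app/login 302",
    "2025-06-12T09:14:41Z alice GET https://login.example-mail.test/ 200",
    "2025-06-12T09:20:00Z bob GET https://login.example-mail.test/ 200",
    "2025-06-12T10:01:00Z carol POST https://proj.webhook.site/submit 200",
    "2025-06-12T11:30:00Z carol GET https://vpn.example-corp.test/ 200",
]


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, method, url, status = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    host = urlparse(url).hostname or ""
    return {"when": when, "user": user, "method": method.upper(), "host": host, "status": status}


def find_redirect_sequences(lines, window=REDIRECT_WINDOW):
    """Flag a POST to a free-hosting host followed by the genuine portal within the window."""
    last_post = {}  # user -> most recent credential POST to a free-hosting host
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and host_matches(rec["host"], FREE_HOSTING_SUFFIXES):
            last_post[rec["user"]] = rec
            continue
        prior = last_post.get(rec["user"])
        if prior and host_matches(rec["host"], LEGIT_LOGIN_HOSTS):
            gap = rec["when"] - prior["when"]
            if timedelta(0) <= gap <= window:
                findings.append({
                    "user": rec["user"],
                    "harvester_host": prior["host"],
                    "login_host": rec["host"],
                    "seconds_between": gap.total_seconds(),
                })
                del last_post[rec["user"]]  # one finding per credential submission
    return findings


if __name__ == "__main__":
    for finding in find_redirect_sequences(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, only alice is flagged: she posted a form to a free-hosting host and reached the genuine mail portal one second later, which matches the "looks like a technical error" redirect the article describes. carol's two events are 89 minutes apart and fall outside the window, so they are left alone; a real deployment would pair this with a password reset and session revocation for any flagged user, since the credentials were already sent before the redirect happened.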
Recorded Future expects BlueDelta to continue credential-harvesting operations into early 2026, with a focus on government, policy and research-linked users in regions of strategic interest to Moscow.
"Future campaigns will likely introduce new lure themes and localised content to better engage regional targets, including language or sector-specific phishing pages," the researchers state.
"BlueDelta's use of legitimate documents and redirection to authentic portals indicates an emphasis on stealth and user trust exploitation rather than broad-scale compromise."