GRU-linked BlueDelta evolves credential-harvesting operations
Source: https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting
Between February and September 2025, Recorded Future’s Insikt Group identified multiple credential-harvesting campaigns conducted by BlueDelta, a Russian state-sponsored threat actor linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
The activity represents an expansion of BlueDelta’s ongoing credential-theft operations previously documented in Insikt Group’s December 2025 report.
Key findings
- BlueDelta expanded its credential-harvesting activity throughout 2025, launching campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals.
- The group relied on a mix of free hosting and tunnelling services — including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok — to host phishing infrastructure and exfiltrate stolen credentials.
- Several campaigns used legitimate PDF lure documents, such as publications from the Gulf Research Center and the EcoClimate Foundation, to enhance credibility and bypass email security controls.
- Customized JavaScript functions were employed to capture credentials, track victim behaviour, and automatically redirect users to legitimate websites, improving operational efficiency and reducing manual effort.
- Targeted email addresses and redirection patterns indicate a focus on researchers and institutions in Türkiye and Europe, consistent with broader Russian intelligence-collection priorities.
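A defender-side detection pass over web-proxy logs for two of the behaviours listed above: credential form submissions to the free hosting and tunnelling services named in the findings, and the follow-on redirect to a legitimate login portal. This is an added example, not code from Insikt Group or the report; the hostname suffixes, the log format and the sample lines are constructed assumptions to be tuned locally.

```python
import re
from urllib.parse import urlparse

# Services named in the report (Webhook.site, ngrok, InfinityFree, Byet). The
# exact hostname suffixes are an assumption; adjust them for your environment.
FREE_SERVICE_SUFFIXES = ("webhook.site", "ngrok.io", "ngrok-free.app",
                         "ngrok.app", "infinityfreeapp.com", "byethost.com")
# Lure themes the report describes: OWA, Google and Sophos VPN login pages.
LURE_PATTERN = re.compile(r"owa|outlook|google|sophos|vpn|login|logon|signin", re.I)
# Real portals a lure may redirect to after capture (assumed list; extend it).
LEGIT_LOGIN_HOSTS = ("outlook.office.com", "login.microsoftonline.com",
                     "accounts.google.com")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def on_free_service(host):
    return any(host == s or host.endswith("." + s) for s in FREE_SERVICE_SUFFIXES)

def detect(log_lines):
    """Each line: '<ts> <client_ip> <method> <url> <referer-or-dash> <status>'."""
    alerts = []
    for line in log_lines:
        ts, client, method, url, referer, status = line.split()
        dst = host_of(url)
        ref = host_of(referer) if referer != "-" else ""
        # Signal 1: a POST to a free service, referred from a lure page hosted elsewhere.
        if method == "POST" and on_free_service(dst) and ref and ref != dst:
            sev = "high" if LURE_PATTERN.search(referer) else "medium"
            alerts.append({"ts": ts, "client": client, "signal": "exfil_post",
                           "severity": sev, "dst": dst, "lure": ref})
        # Signal 2: arrival at a real login portal straight from a free-hosted page.
        elif method == "GET" and dst in LEGIT_LOGIN_HOSTS and on_free_service(ref):
            alerts.append({"ts": ts, "client": client, "signal": "post_capture_redirect",
                           "severity": "medium", "dst": dst, "lure": ref})
    return alerts

# Constructed sample log lines (not from the report); hostnames and token are fake.
SAMPLE_LOG = [
    "2025-05-12T09:14:02Z 10.0.8.21 GET https://owa-logon-example.infinityfreeapp.com/owa/auth/logon.html - 200",
    "2025-05-12T09:14:31Z 10.0.8.21 POST https://webhook.site/00000000-placeholder https://owa-logon-example.infinityfreeapp.com/owa/auth/logon.html 200",
    "2025-05-12T09:14:33Z 10.0.8.21 GET https://outlook.office.com/owa/ https://owa-logon-example.infinityfreeapp.com/owa/auth/logon.html 302",
    "2025-05-12T09:20:00Z 10.0.8.44 POST https://intranet.example.corp/api/upload https://intranet.example.corp/ 200",
    "2025-05-12T09:21:10Z 10.0.8.50 POST https://abcd1234.ngrok-free.app/collect https://abcd1234.ngrok-free.app/ 200",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The last sample line (a tunnel posting to itself) is deliberately not flagged, so ordinary developer use of ngrok does not trip the rule; only cross-host submissions from lure-looking pages do.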