GRU-Linked BlueDelta Evolves Credential Harvesting
ID: 1b402ebb-59d8-500a-88c3-75cc8112e523
STIX ID: report--1b402ebb-59d8-500a-88c3-75cc8112e523
Feed Name: Recorded Future Blog
Between February and September 2025, Recorded Future’s Insikt Group tracked credential-harvesting campaigns by BlueDelta (GRU-linked) that used localized lures and spoofed login portals (Microsoft OWA, Google, Sophos VPN) to capture credentials. The group abused free hosting and tunneling services (Webhook.site, InfinityFree, Byet, ngrok, ShortURL), used legitimate PDF lures for realism, implemented JavaScript-based exfiltration with redirection to the real sites to evade detection, and targeted researchers and institutions linked to energy, defense, and government communications in Türkiye and Europe. The report includes IoCs and mitigation recommendations.
