
BlueDelta’s Persistent Campaign Against UKR.NET

ID: 7df3d600-a511-5980-b0f9-9759e5416b3f

STIX ID: report--7df3d600-a511-5980-b0f9-9759e5416b3f

Feed Name: Recorded Future Blog

Threat Score: 85/100

Date Published: 2025-12-17

Date Updated: 2026-04-28


Recorded Future’s Insikt Group observed a sustained BlueDelta (GRU-linked) credential-harvesting campaign targeting UKR.NET users between June 2024 and April 2025. The actors distributed phishing PDFs linking to Mocky-hosted fake login pages that exfiltrated usernames, passwords, and 2FA codes, and abused free tunneling/hosting services (ngrok, Serveo, DNS EXIT, Byet, Blogger) and link shorteners to evade detection; the report documents infrastructure, IOCs, and mitigation guidance.
