APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign
Briefly

"The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a "sustained" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The activity, observed by Recorded Future's Insikt Group between June 2024 and April 2025, builds upon prior findings from the cybersecurity company in May 2024 that detailed the hacking group's attacks targeting European networks with the HeadLace malware and credential-harvesting web pages."
"The latest attacks are characterized by the deployment of UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credentials and two-factor authentication (2FA) codes. Links to these pages are embedded within PDF documents that are distributed via phishing emails. The links are shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, the threat actor has also been observed using subdomains created on platforms like Blogger (*.blogspot[.]com) to launch a two-tier redirection chain that leads to the credential harvesting page."
"The efforts are part of a broader set of phishing and credential theft operations orchestrated by the adversary since the mid-2000s targeting government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks in pursuit of Russia's strategic objectives."
Recorded Future's Insikt Group observed APT28 activity between June 2024 and April 2025 attributed to a sustained credential-harvesting campaign targeting UKR[.]net users. The campaign deployed UKR[.]net-themed login pages hosted on legitimate services such as Mocky and embedded links inside PDF attachments distributed via phishing emails. Links were shortened with tiny[.]cc and tinyurl[.]com and sometimes routed through blogspot subdomains to create two-tier redirection chains. The campaign builds on earlier HeadLace malware and credential-harvesting operations against European networks. APT28 is tracked under multiple aliases and is assessed to be affiliated with the GRU, aligning with long-running intelligence collection efforts.
Read at The Hacker News