APT28 Phishes UKR.net Users via Mocky, ngrok, TinyURL

December 17, 2025 at 12:00 AM

A GRU-linked threat group, APT28, is running a sustained credential-harvesting campaign against users of Ukraine’s UKR.net, according to Recorded Future’s Insikt Group. The activity, tracked from June 2024 through April 2025, aims to steal account passwords and two-factor authentication codes.

Key takeaways:

  • Actor: APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, TA422), assessed to be affiliated with Russia’s GRU.
  • Tactics: Convincing UKR.net-themed login pages hosted on legitimate services such as Mocky; links embedded in PDF attachments sent via phishing emails.
  • Delivery: Link shorteners like tiny.cc and tinyurl.com are used to cloak destinations; in some cases, Blogger subdomains create a two-step redirect to the credential capture page.
  • Data theft: The pages capture usernames, passwords, and 2FA codes, enabling account takeover and follow-on intelligence collection.
  • Infrastructure shift: The group moved from compromised routers to proxy tunneling services including ngrok and Serveo to relay stolen data, reflecting adaptation after Western-led infrastructure takedowns in early 2024.
  • Broader context: This campaign builds on earlier findings (May 2024) tied to HeadLace malware and credential-harvesting sites, and aligns with a long-running APT28 focus on phishing and credential theft dating back to the mid-2000s against government, defense, logistics, weapons suppliers, and policy think tanks.
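As an added defender-side example (not code from the report or the article), the following Python reconstructs the redirect chain described in the takeaways from constructed proxy log lines and flags client sessions where a cloaked link leads to a login page on a free hosting service, followed by a credential POST to a tunneling service. The log format, the domain suffixes for the named services, and the placeholder URLs are all assumptions.

```python
"""Flag proxy-log sessions matching the redirect chain described above.
Log lines are constructed; service domain suffixes are assumptions."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed domain suffixes for the services named in the report.
SHORTENERS = ("tinyurl.com", "tiny.cc")
REDIRECT_HOSTS = ("blogspot.com",)                  # Blogger two-step redirect
FREE_HOSTING = ("mocky.io",)                        # host of the fake login page
TUNNELS = ("ngrok.io", "ngrok-free.app", "serveo.net")  # exfiltration relays

def host_matches(url, suffixes):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def parse_line(line):
    # Constructed format: "<ts> <client_ip> <method> <url> <status>"
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}

def find_suspicious_sessions(lines):
    """Map client -> request chain: cloaked hop, hosted login page, POST to tunnel."""
    by_client = defaultdict(list)
    for rec in map(parse_line, lines):
        by_client[rec["client"]].append(rec)
    flagged = {}
    for client, reqs in by_client.items():
        stage, chain = 0, []  # 0 start, 1 cloaked hop seen, 2 hosted page seen
        for r in reqs:
            if stage == 0 and host_matches(r["url"], SHORTENERS + REDIRECT_HOSTS):
                stage, chain = 1, [r["url"]]
            elif stage == 1 and host_matches(r["url"], REDIRECT_HOSTS + FREE_HOSTING):
                chain.append(r["url"])
                if host_matches(r["url"], FREE_HOSTING):
                    stage = 2
            elif stage == 2 and r["method"] == "POST" and host_matches(r["url"], TUNNELS):
                flagged[client] = chain + [r["url"]]
                break
    return flagged

# Constructed sample: one matching session (10.0.0.5) and one benign shortener click.
SAMPLE_LOG = """\
2025-03-01T09:00:01 10.0.0.5 GET https://tinyurl.com/PLACEHOLDER-SLUG 302
2025-03-01T09:00:02 10.0.0.5 GET https://example-blog.blogspot.com/p/login.html 200
2025-03-01T09:00:03 10.0.0.5 GET https://run.mocky.io/v3/PLACEHOLDER-ID 200
2025-03-01T09:00:20 10.0.0.5 POST https://PLACEHOLDER.ngrok-free.app/submit 200
2025-03-01T09:01:00 10.0.0.9 GET https://tinyurl.com/some-newsletter 302
2025-03-01T09:01:01 10.0.0.9 GET https://www.example.com/news 200
"""
if __name__ == "__main__":
    print(find_suspicious_sessions(SAMPLE_LOG.splitlines()))
```

Only the full three-stage sequence is flagged, so an ordinary shortener click (client 10.0.0.9) produces no alert.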

Why it matters:
APT28’s continued abuse of free hosting, link shorteners, and anonymized tunneling shows an agile response to disruption efforts and underscores persistent GRU interest in compromising Ukrainian user credentials amid the ongoing war. Recorded Future assesses the likely goal is to collect sensitive information supporting broader GRU intelligence requirements.

Source: The Hacker News