APT28, a Russian state-sponsored threat actor, has been linked to a credential-harvesting campaign that targets UKR[.]net users. Recorded Future's Insikt Group observed the activity between June 2024 and April 2025; it builds on earlier findings from the cybersecurity company in May 2024.

Since the mid-2000s, the adversary has conducted a larger series of phishing and credential theft operations targeting government agencies, defense contractors, weapons suppliers, logistics companies, and policy think tanks. To capture and relay the stolen credentials and 2FA codes, the operators now use proxy tunneling services such as ngrok and Serveo in place of compromised routers. "In light of Russia's ongoing efforts, the campaign demonstrates the GRU's continued interest in compromising Ukrainian user credentials to support intelligence-gathering operations." conflict in Ukraine," stated Recorded Future.

APT28 is also tracked as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.