CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

APT28 Expands Credential-Harvesting Campaign Targeting Energy and Government Networks

Russian state-sponsored threat actor APT28 has launched a renewed credential-harvesting campaign aimed at organizations connected to energy research, defense collaboration, and government communications, according to Recorded Future. The activity relies on sophisticated phishing infrastructure that impersonates trusted authentication portals while abusing free hosting and tunneling services to evade detection and complicate attribution.

Context

APT28—also tracked as Fancy Bear, Sofacy, Sednit, and Forest Blizzard—has been active since at least 2004 and is widely linked to Russia’s military intelligence service, the GRU. The group has a long history of targeting government, military, energy, and media organizations across the United States and Europe, frequently using credential theft as a precursor to espionage and long-term access.

What Happened

Recorded Future identified multiple credential-harvesting operations conducted by APT28 throughout 2024 and 2025. The campaigns targeted individuals affiliated with energy and nuclear research agencies, European think tanks, and military-linked organizations in countries including Turkey, North Macedonia, and Uzbekistan.

Victims were lured via phishing emails and shortened links that redirected them to spoofed login pages masquerading as legitimate Microsoft Outlook Web Access (OWA), Google, or Sophos VPN portals. After credentials were entered, users were seamlessly redirected to the real service, minimizing suspicion.

Technical Breakdown

The campaigns relied heavily on free hosting, tunneling, and link-shortening services such as Webhook[.]site, InfinityFree, Byet Internet Services, Ngrok, and ShortURL. These platforms allowed APT28 to rapidly deploy and rotate phishing infrastructure at minimal cost.

In several cases, attackers used staged redirection flows. Victims were briefly shown a decoy PDF lure before being redirected to a spoofed authentication page. JavaScript embedded in the phishing pages captured credentials and transmitted them to webhook endpoints controlled by the attackers.

Recorded Future also observed localized phishing pages containing Turkish- and Portuguese-language content, indicating careful tailoring of lures to regional targets.
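The staged flow described above (shortened link, free-hosting or tunnel host, credential POST to a webhook, then a redirect to the real portal) leaves a recognizable sequence in web-proxy logs. The detector below is an added example, not part of the Recorded Future report or this newsletter; the host patterns, log format and sample lines are constructed assumptions to be tuned to your own environment.

```python
"""Flag per-user proxy-log sequences that match a staged phishing redirect:
disposable host(s) followed within a short window by a legitimate login portal,
plus any POST to a webhook endpoint (the credential exfiltration step)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMED host patterns for the free services named in the report; not exhaustive.
DISPOSABLE_HOSTS = re.compile(
    r"(^|\.)(webhook\.site|ngrok(-free)?\.(app|io)|byethost\d*\.com|"
    r"infinityfreeapp\.com|rf\.gd|shorturl\.at)$", re.I)
LEGIT_PORTALS = {"outlook.office.com", "login.microsoftonline.com", "accounts.google.com"}
WINDOW = timedelta(seconds=120)  # how long a disposable-host hit stays "live"

# Constructed sample log: "<iso-timestamp> <user> <method> <url>"
SAMPLE_LOG = """\
2025-03-04T09:00:00 alice GET https://shorturl.at/abcd1
2025-03-04T09:00:02 alice GET https://docs-owa.rf.gd/lure.pdf
2025-03-04T09:00:09 alice GET https://docs-owa.rf.gd/owa/auth/login
2025-03-04T09:00:31 alice POST https://webhook.site/CONSTRUCTED-TOKEN
2025-03-04T09:00:32 alice GET https://outlook.office.com/owa/
2025-03-04T09:05:00 bob GET https://accounts.google.com/signin
2025-03-04T10:00:00 carol GET https://example-tunnel.ngrok-free.app/
"""

def host_of(url):
    return re.sub(r"^https?://([^/:]+).*$", r"\1", url).lower()

def parse(line):
    ts, user, method, url = line.split()[:4]
    return datetime.fromisoformat(ts), user, method, url

def find_chains(lines):
    """Return (user, kind, hosts) findings; kind is 'credential-post' or 'redirect-chain'."""
    by_user = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse(line)
            by_user[ev[1]].append(ev)
    findings = []
    for user, events in by_user.items():
        events.sort()
        staged = []  # (time, host) of disposable hosts seen within WINDOW
        for ts, _, method, url in events:
            host = host_of(url)
            staged = [(t, h) for t, h in staged if ts - t <= WINDOW]
            if DISPOSABLE_HOSTS.search(host):
                staged.append((ts, host))
                if method == "POST" and host.endswith("webhook.site"):
                    findings.append((user, "credential-post", [host]))
            elif host in LEGIT_PORTALS and staged:  # the "seamless redirect" tell
                chain = list(dict.fromkeys(h for _, h in staged)) + [host]
                findings.append((user, "redirect-chain", chain))
                staged = []
    return findings

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG.splitlines()):
        print(*finding)
```

A lone hit on a tunnel or free-hosting domain (carol) is not flagged on its own; the sequence into a legitimate portal is what distinguishes this pattern from ordinary developer traffic.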

Impact Analysis

Credential harvesting enables APT28 to bypass perimeter defenses without deploying malware. Compromised credentials can facilitate email access, VPN intrusion, lateral movement, and intelligence collection across sensitive research and government networks.

Because the phishing pages redirect users to legitimate portals after submission, detection by both users and security teams becomes significantly more difficult.

Why It Matters

This campaign underscores how nation-state actors increasingly favor low-cost, high-return techniques that blend into normal internet traffic. The abuse of legitimate free services reduces operational friction and complicates takedown and attribution efforts, allowing sustained espionage activity with limited infrastructure investment.

Expert Commentary

Recorded Future notes that APT28’s adaptability and repeated rebranding of phishing portals indicate the group will continue abusing free hosting and tunneling platforms. This approach allows the actor to rapidly pivot infrastructure while maintaining operational continuity.

Key Takeaways

  • APT28 is actively targeting energy, defense, and government-linked organizations

  • Campaigns rely on credential harvesting rather than malware deployment

  • Free hosting and tunneling services are central to the attack infrastructure

  • Localized phishing lures improve success rates and credibility

  • Strong MFA enforcement and phishing-resistant authentication remain critical
