AI vs APT28 Phishing: Stop Credential Harvesting

AI in Cybersecurity · By 3L3C

BlueDelta (APT28) used PDFs and free tunnels to steal credentials. See how AI-driven cybersecurity detects the full chain and contains account takeover fast.

Tags: AI threat detection, Phishing defense, Credential theft, Identity security, Threat intelligence, SOC automation

BlueDelta (also tracked as APT28 / Fancy Bear / Forest Blizzard) ran a 10-month-plus credential-harvesting campaign aimed at UKR.NET users between June 2024 and April 2025. Recorded Future’s reporting ties the activity to GRU-aligned tradecraft and shows something defenders keep learning the hard way: credential theft scales better than malware.

Here’s what makes this campaign especially useful for security leaders in late 2025. It’s not a story about one clever phish—it’s a story about repeatable infrastructure patterns, PDF-delivered deception, and free tunneling services used to hide the real collection servers. Those are exactly the kinds of signals AI in cybersecurity is good at correlating across email, web, identity, and network telemetry.

Most companies still treat phishing as an “email problem.” BlueDelta’s chain shows why that mindset breaks. You need AI-driven threat detection that watches the full path: lure → click → redirect → fake portal → credential + MFA capture → suspicious login.

What BlueDelta’s UKR.NET campaign teaches defenders

BlueDelta’s campaign is a clean case study in how state-sponsored operators optimize phishing for reliability and evasion, not flash.

The report documents 42 credential-harvesting chains with consistent building blocks:

  • PDF lures designed to bypass common email defenses and sandbox detonation
  • Fake UKR.NET login pages hosted via free web services (not traditional “bulletproof hosting”)
  • Reverse proxy / tunneling infrastructure (ngrok, Serveo) to mask upstream servers and relay interactions
  • Collection of 2FA and CAPTCHA data, not just usernames/passwords

The stance I’ll take: if your controls are tuned for “malicious attachment drops payload,” you’ll miss this.

Why this works so well (even with MFA)

BlueDelta’s flow reflects a broader trend: attackers increasingly focus on real-time phishing that can capture the MFA code or relay the session.

This matters because many organizations still measure success as “we turned on MFA.” That’s necessary, but it’s not sufficient.

What changes the game operationally is the attacker’s ability to:

  • Trigger a believable security event (“suspicious activity detected”)
  • Capture credentials
  • Prompt for an MFA code
  • Use infrastructure that looks like normal cloud traffic

If you’ve ever investigated a takeover where logs show a valid login plus an MFA challenge—this is one common way it happens.

The attacker playbook: PDF lures + free infrastructure + tunnels

The campaign’s most practical lesson is that commodity services can be stitched into a highly resilient attack chain.

Recorded Future observed BlueDelta repeatedly using:

  • Mocky to host credential-harvesting pages
  • DNS EXIT for free subdomain hosting
  • ngrok and Serveo for proxy tunneling / port forwarding
  • Multiple link shorteners (tinyurl, t.ly, tiny.cc, and others) to hide final destinations

Why PDFs are still a favorite delivery mechanism

PDFs are “boring,” which is exactly why they work.

A PDF with a link to “reset your password” can slide past controls that heavily scrutinize:

  • Office macros
  • Executable attachments
  • Known malware families

And if the link routes through a shortener and one or two redirect domains, many gateways lose context. The phishing email isn’t asking the victim to open a malicious file that drops malware. It’s asking them to click.

Snippet-worthy reality: Credential phishing succeeds when defenders only inspect the first hop.

The pivot: from compromised routers to tunneling platforms

One of the more interesting operational shifts was BlueDelta’s move away from compromised routers (previously used to host scripts handling credential capture and 2FA/CAPTCHA) toward tunneling services like ngrok and Serveo.

That change tracks with the pressure campaigns and infrastructure disruptions reported in early 2024. It’s a predictable adaptation:

  • Routers get burned and cleaned.
  • Free tunnels are easy to spin up again.
  • Traffic blends into legitimate developer and IT usage.

Defensively, that creates an uncomfortable trade-off: you can’t just “block the bad IP” if the service is shared and legitimately used.

Where AI-driven cybersecurity wins (and where it doesn’t)

AI doesn’t magically stop phishing. What it does well is connect weak signals into a strong verdict—fast enough to matter.

If you’re building (or buying) an AI-driven detection stack, this campaign maps neatly to four detection surfaces.

1) AI in email security: catching the lure patterns

A PDF may be clean, but its intent often isn’t.

AI models can flag phishing PDFs by combining features such as:

  • Language patterns common in account scare lures (“suspicious activity,” “verify,” “reset”) in Ukrainian/Russian/English variants
  • Unusual link structure: shorteners, multiple redirects, or mismatched brand domains
  • Sender/recipient relationship anomalies: first-time sender, new domain, odd reply-to
  • Burst patterns: similar PDFs sent to many recipients in a short window

The key is not just classifying a message as “phish,” but extracting indicators and intent automatically so downstream controls can act.
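As an added illustration of the feature combination described above (this is example code written for this page, not code from the original post, from Recorded Future, or from any product), the scorer below takes the text and link targets extracted from a PDF plus two sender-side facts and turns them into a score, a list of indicators, and an action. The phrase lists, shortener list, weights and thresholds are constructed assumptions for the example; a real model learns them from labelled mail. The sample lure is constructed and the URL is a placeholder, not an indicator from the report.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Illustrative phrase lists for the three language variants the report mentions.
# A production model would learn these from labelled mail; these are constructed.
SCARE_PHRASES = {
    "en": ["suspicious activity", "verify your account", "reset your password"],
    "uk": ["підозріл", "підтвердіть", "скинути пароль"],
    "ru": ["подозрительн", "подтвердите", "сбросить пароль"],
}
# Shortener hosts named in the report plus two common ones (assumed list).
SHORTENERS = {"tinyurl.com", "t.ly", "tiny.cc", "bit.ly", "cutt.ly"}
# Brand the lure impersonates; a link that names it but resolves elsewhere is suspicious.
BRAND_DOMAINS = {"ukr.net"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)


@dataclass
class LureVerdict:
    score: int = 0
    indicators: list = field(default_factory=list)

    def action(self):
        """Map the score to the mail-layer controls discussed later on the page."""
        if self.score >= 6:
            return "quarantine"
        if self.score >= 3:
            return "banner"
        return "deliver"


def extract_urls(pdf_text, link_annotations=()):
    """URLs from visible text plus URI annotations (the real targets behind anchor text)."""
    urls = set(URL_RE.findall(pdf_text))
    urls.update(link_annotations)
    return sorted(urls)


def _host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def score_lure(pdf_text, link_annotations=(), sender_first_seen=False, burst_count=1):
    """Combine language, link-structure, sender and burst features into one verdict.

    pdf_text: text extracted from the PDF by whatever extractor you use
    link_annotations: URI targets of the PDF's link annotations
    sender_first_seen: True when the sender/domain has no history with the recipient
    burst_count: number of similar PDFs seen in the current time window
    """
    v = LureVerdict()
    text = pdf_text.lower()
    for lang, phrases in SCARE_PHRASES.items():
        hits = [p for p in phrases if p in text]
        if hits:
            v.score += 2
            v.indicators.append(f"scare-language:{lang}:{hits[0]}")
    brand_named = any(b in text for b in BRAND_DOMAINS)
    for url in extract_urls(pdf_text, link_annotations):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            v.score += 3
            v.indicators.append(f"shortener:{host}")
        if brand_named and not _host_in(host, BRAND_DOMAINS):
            v.score += 2
            v.indicators.append(f"brand-mismatch:{host}")
    if sender_first_seen:
        v.score += 1
        v.indicators.append("first-seen-sender")
    if burst_count >= 10:
        v.score += 2
        v.indicators.append(f"burst:{burst_count}")
    return v


# Constructed sample: a password-reset lure of the kind the report describes (not a real IoC).
SAMPLE_LURE = (
    "UKR.NET Security Notice\n"
    "Suspicious activity was detected on your account.\n"
    "Reset your password within 24 hours: https://tinyurl.com/EXAMPLE-PLACEHOLDER"
)

if __name__ == "__main__":
    verdict = score_lure(SAMPLE_LURE, sender_first_seen=True, burst_count=25)
    print(verdict.action(), verdict.score, verdict.indicators)
```

The point of returning `indicators` alongside the score is the one the paragraph makes: the shortener host and the mismatched brand domain are what the web and identity layers need next, so the classifier should emit them rather than a bare "phish" label.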

2) AI in web security: detecting the redirect chain, not just the destination

BlueDelta added extra redirect tiers specifically to hide the Mocky URL in email content.

This is where AI-assisted web controls shine:

  • Follow and score the full redirect chain in near real time
  • Detect brand impersonation on the landing page (visual similarity, DOM structure, form fields)
  • Identify newly registered or low-reputation redirect domains

A strong approach is to score a session using multiple factors:

  • First-seen domain age
  • Presence of credential form fields
  • Submission endpoints pointing to tunnels or high ports
  • Mismatch between page theme (UKR.NET login) and hosting context (free API page host)
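To show how the multi-factor session score above can be put together, here is an added example (written for this page; not code from the original post, Recorded Future, or any vendor). It walks a redirect chain through an injected resolver so it runs offline, then scores the landing page on the four factors listed. The shortener, tunnel and free-host hostnames, the weights and the block threshold are assumptions made for the example; the sample chain and landing page are constructed, and every URL is a placeholder rather than an indicator from the report.

```python
from urllib.parse import urlparse

# Host lists are assumptions based on the services the report names, not IoCs from it.
SHORTENERS = {"tinyurl.com", "t.ly", "tiny.cc"}
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "serveo.net")
FREE_PAGE_HOSTS = {"run.mocky.io"}
BRAND_KEYWORDS = {"ukr.net"}
BLOCK_THRESHOLD = 8


def follow_chain(start_url, resolver, max_hops=10):
    """Walk a redirect chain using `resolver(url) -> next_url or None`.

    In production the resolver issues requests from a sandbox; here it is injected
    so the walk can run offline. Loops and runaway chains are cut off.
    """
    chain, seen, url = [start_url], {start_url}, start_url
    while len(chain) <= max_hops:
        nxt = resolver(url)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain


def score_session(chain, landing, domain_age_days=None):
    """Score one click session from its redirect chain and landing-page facts.

    landing: {"title": str, "form_fields": [field names], "action_url": str}
    domain_age_days: age of the landing domain from WHOIS/passive DNS (None = unknown)
    Returns (score, reasons).
    """
    score, reasons = 0, []
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]

    short_hops = sum(h in SHORTENERS for h in hosts)
    if short_hops:
        score += 2 * short_hops
        reasons.append(f"{short_hops} shortener hop(s)")
    if len(chain) >= 3:
        score += 1
        reasons.append("multi-tier redirect")
    if domain_age_days is not None and domain_age_days < 30:
        score += 2
        reasons.append(f"landing domain first seen {domain_age_days}d ago")

    fields = {f.lower() for f in landing["form_fields"]}
    if "password" in fields:
        score += 3
        reasons.append("credential form")
    if fields & {"otp", "code", "2fa", "captcha"}:
        score += 2
        reasons.append("MFA/CAPTCHA capture field")

    action = urlparse(landing["action_url"])
    action_host = (action.hostname or "").lower()
    if action_host.endswith(TUNNEL_SUFFIXES):
        score += 3
        reasons.append(f"form posts to tunnel host {action_host}")
    elif action.port and action.port not in (80, 443):
        score += 2
        reasons.append(f"form posts to non-standard port {action.port}")

    title = landing["title"].lower()
    if any(b in title for b in BRAND_KEYWORDS) and hosts[-1] in FREE_PAGE_HOSTS:
        score += 3
        reasons.append(f"brand page served from free host {hosts[-1]}")
    return score, reasons


def verdict(score):
    return "block" if score >= BLOCK_THRESHOLD else "allow"


# Constructed chain mirroring the shortener -> shortener -> free-host pattern in the report.
FAKE_REDIRECTS = {
    "https://tinyurl.com/EXAMPLE-A": "https://t.ly/EXAMPLE-B",
    "https://t.ly/EXAMPLE-B": "https://run.mocky.io/v3/EXAMPLE-PAGE",
}
SUSPECT_LANDING = {
    "title": "UKR.NET - Вхід",
    "form_fields": ["login", "password", "otp"],
    "action_url": "https://EXAMPLE.ngrok-free.app/collect",
}

if __name__ == "__main__":
    chain = follow_chain("https://tinyurl.com/EXAMPLE-A", FAKE_REDIRECTS.get)
    s, why = score_session(chain, SUSPECT_LANDING, domain_age_days=5)
    print(verdict(s), s, why)
```

Note that a genuine login page still earns a few points for having a password field; that is why the decision rests on the combination (shortener hops, tunnel submission endpoint, brand-versus-host mismatch) rather than on any single factor.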

3) AI in identity security: spotting takeover behavior post-phish

Even if a user falls for the lure, the next step is where you can still win.

Identity-focused AI can detect:

  • Impossible travel and abnormal geo for a user
  • Logins from proxy/tunneling egress patterns
  • Abnormal MFA behavior (new device + successful MFA immediately after email click)
  • “Low-and-slow” mailbox access consistent with espionage (searching, rules creation, export attempts)

The practical goal is to trigger step-up auth, session revocation, or an incident workflow before mailbox data is harvested.
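The three sign-in rules below are an added example of the identity detections listed above (example code written for this page, not code from the original post or any identity provider). It runs impossible-travel, new-device-after-click and proxy-egress checks over a user's timeline and maps the result to the containment steps the page recommends. The event schema, the 900 km/h speed ceiling, the 30-minute click window and the egress address list are assumptions made for the example; the timeline is constructed, with documentation-range IPs and a placeholder URL.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900          # faster than this between two sign-ins = impossible travel
CLICK_WINDOW = timedelta(minutes=30)
# Constructed egress list standing in for a proxy/tunnel reputation feed (not real IoCs).
PROXY_EGRESS = {"203.0.113.7"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_takeover(events, known_devices):
    """Run three identity rules over per-user timelines and return (user, rule, detail) alerts.

    events: dicts of either
      {"type": "click", "user", "ts", "url"}   (click on a mail URL flagged upstream) or
      {"type": "signin", "user", "ts", "ip", "lat", "lon", "device", "mfa"}  (mfa: "success"/"fail"/None)
    known_devices: {user: set(device ids)} from the identity provider's device registry
    """
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    for user, timeline in by_user.items():
        last_signin, last_click = None, None
        for e in timeline:
            if e["type"] == "click":
                last_click = e
                continue
            # Rule 1: impossible travel relative to the previous sign-in
            if last_signin is not None:
                km = haversine_km(last_signin["lat"], last_signin["lon"], e["lat"], e["lon"])
                hours = (e["ts"] - last_signin["ts"]).total_seconds() / 3600
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    alerts.append((user, "impossible_travel", f"{km:.0f} km in {hours:.2f} h"))
            # Rule 2: unregistered device completing MFA shortly after a flagged click
            new_device = e["device"] not in known_devices.get(user, set())
            if (new_device and e["mfa"] == "success" and last_click is not None
                    and e["ts"] - last_click["ts"] <= CLICK_WINDOW):
                alerts.append((user, "post_click_new_device_mfa", e["device"]))
            # Rule 3: sign-in from known proxy/tunnel egress
            if e["ip"] in PROXY_EGRESS:
                alerts.append((user, "proxy_egress", e["ip"]))
            last_signin = e
    return alerts


def recommend_response(alerts):
    """Containment steps matching the identity-layer plan later on this page."""
    kinds = {a[1] for a in alerts}
    if "post_click_new_device_mfa" in kinds:
        return ["revoke_sessions", "reset_password", "reenroll_mfa", "review_mailbox_rules"]
    if kinds:
        return ["step_up_auth"]
    return []


# Constructed timeline: office sign-in, click on a lure, then a takeover-style sign-in.
T0 = datetime(2025, 3, 4, 9, 0)
SAMPLE_EVENTS = [
    {"type": "signin", "user": "alice", "ts": T0, "ip": "192.0.2.10",
     "lat": 50.45, "lon": 30.52, "device": "laptop-01", "mfa": "success"},        # Kyiv
    {"type": "click", "user": "alice", "ts": T0 + timedelta(minutes=60),
     "url": "https://tinyurl.com/EXAMPLE-PLACEHOLDER"},
    {"type": "signin", "user": "alice", "ts": T0 + timedelta(minutes=67), "ip": "203.0.113.7",
     "lat": 50.11, "lon": 8.68, "device": "unknown-77", "mfa": "success"},         # Frankfurt
]
KNOWN_DEVICES = {"alice": {"laptop-01"}}

if __name__ == "__main__":
    found = detect_takeover(SAMPLE_EVENTS, KNOWN_DEVICES)
    for alert in found:
        print(*alert)
    print(recommend_response(found))
```

Rule 2 is the one that catches the MFA-satisfied case the page describes: the login itself looks valid, so the signal is the timing relative to the click and the fact that the device is not in the registry, not the authentication result.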

4) AI in threat intelligence ops: turning reporting into enforcement

This campaign included rich infrastructure patterns: repeated use of specific free services and consistent multi-tier chains.

AI helps by automating the boring but critical work:

  • Clustering related domains and URLs by shared infrastructure traits
  • Enriching IOCs with “what else looks like this?” queries
  • Generating block/allow recommendations based on business context
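As an added example of the clustering and recommendation steps above (example code for this page; not from the original post, Recorded Future, or any TIP), the code groups observed chains by their infrastructure pattern (which tiers of service they use and which brand they impersonate) rather than by exact hostnames, so chains that rotate domains still land together, and then derives per-host actions that respect business context. The service-to-category map, the similarity threshold, the action names and the observations are all constructed assumptions; the hostnames are placeholders, not indicators from the report.

```python
from itertools import combinations

# Constructed service map: hostname suffix -> category. Suffixes are assumed domains for
# the services the report names (shorteners, Mocky, ngrok, Serveo) plus one generic shortener.
SERVICE_CATEGORY = {
    "tinyurl.com": "shortener", "t.ly": "shortener", "tiny.cc": "shortener", "bit.ly": "shortener",
    "run.mocky.io": "free-page-host",
    "ngrok-free.app": "tunnel", "ngrok.io": "tunnel", "serveo.net": "tunnel",
}
SIMILARITY_THRESHOLD = 0.5


def service_of(host):
    """Return (service_suffix, category) for a host, or (None, 'other')."""
    host = host.lower()
    for suffix, cat in SERVICE_CATEGORY.items():
        if host == suffix or host.endswith("." + suffix):
            return suffix, cat
    return None, "other"


def pattern_traits(chain):
    """Infrastructure *pattern* of one observed chain: service tiers used plus impersonated brand.
    Concrete hostnames are left out so chains that rotate domains still cluster together."""
    traits = {f"tier:{service_of(h)[1]}" for h in chain["hosts"]}
    traits.add(f"brand:{chain['brand']}")
    return traits


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster_chains(chains):
    """Union-find grouping of chains whose pattern similarity meets the threshold."""
    parent = {c["id"]: c["id"] for c in chains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    traits = {c["id"]: pattern_traits(c) for c in chains}
    for a, b in combinations(chains, 2):
        if jaccard(traits[a["id"]], traits[b["id"]]) >= SIMILARITY_THRESHOLD:
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for c in chains:
        groups.setdefault(find(c["id"]), set()).add(c["id"])
    return sorted(groups.values(), key=lambda g: sorted(g))


def recommend(chains, business_uses):
    """Per-host enforcement recommendations shaped by business context.

    business_uses: service suffixes the organisation legitimately relies on (e.g. a dev team's tunnel).
    Attacker-specific hostnames are blocked outright; a shared service is only monitored or
    restricted, because blocking it wholesale would break legitimate use.
    """
    recs = {}
    for c in chains:
        for host in c["hosts"]:
            suffix, cat = service_of(host)
            if cat == "shortener":
                recs[host] = "banner-and-expand"
            elif cat in ("tunnel", "free-page-host"):
                if host != suffix:
                    recs[host] = "block-hostname"
                recs[suffix] = "monitor" if suffix in business_uses else "restrict"
            else:
                recs[host] = "block-hostname"
    return recs


# Constructed observations (hostnames are placeholders, not IoCs from the report).
OBSERVED = [
    {"id": "c1", "brand": "ukr.net",
     "hosts": ["tinyurl.com", "t.ly", "run.mocky.io", "example-a.ngrok-free.app"]},
    {"id": "c2", "brand": "ukr.net",
     "hosts": ["tiny.cc", "run.mocky.io", "example-b.serveo.net"]},
    {"id": "c3", "brand": "example-corp",
     "hosts": ["bit.ly", "docs.example-corp.invalid"]},
]

if __name__ == "__main__":
    print(cluster_chains(OBSERVED))
    print(recommend(OBSERVED, business_uses={"ngrok-free.app"}))
```

The split between `block-hostname` for the attacker's own tunnel subdomain and `monitor` or `restrict` for the service base domain is the concrete form of the trade-off the page raises: the specific hostname is the attacker's, the service is everyone's.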

I’ve found that the best security teams treat threat intel as a control system, not a reading list. AI makes that feasible at enterprise scale.

A useful rule: If your threat intel process ends with “we sent an email to IT,” you don’t have a process—you have a hope.

A practical defense plan for enterprises (built for this attack chain)

You don’t need a perfect stack. You need a plan that breaks the chain in multiple places.

Email and user layer (reduce clicks)

  • Quarantine or detonate PDFs with embedded links when the email claims security urgency
  • Add banners and user prompts when messages contain shortened URLs
  • Train users on a simple behavior: never reset passwords from an attachment link; navigate via known bookmarks

Web and network layer (reduce successful submissions)

  • Monitor or restrict access to free hosting and tunneling services when not required (common examples include API page hosts and port-forwarding services)
  • Alert on outbound traffic to unusual high ports associated with proxy relays
  • Detect lookalike login portals with brand/DOM similarity models

Identity layer (reduce time-to-containment)

  • Enforce phishing-resistant MFA for high-risk roles (security keys or platform authenticators)
  • Enable conditional access policies that challenge:
    • New device + new geo
    • New IP reputation / proxy egress
    • Immediately-after-click login behavior
  • Automate response: revoke sessions, reset credentials, force re-enrollment of MFA

Incident response layer (assume compromise happens)

Credential campaigns like this are persistent. Your IR plan should assume you’ll have at least one success case.

Minimum playbook steps:

  1. Disable account and revoke active sessions
  2. Reset password and rotate recovery methods
  3. Review mailbox rules/forwarders and OAuth grants
  4. Hunt for lateral impact (shared inboxes, delegated access, VPN reuse)
  5. Add detections around the exact lure and redirect artifacts observed

“People also ask” security questions (answered directly)

Can attackers really bypass MFA with phishing?

Yes. If a phish captures the one-time code in real time (or relays the login through a proxy), MFA can be satisfied by the attacker. Phishing-resistant MFA reduces this risk substantially.

Why do attackers use ngrok-like tunnels?

Tunnels hide the real server, rotate easily, and blend into normal traffic because many legitimate IT teams use the same services.

What’s the fastest win if we can’t block every free service?

Prioritize identity detections and response automation: risky sign-ins, session revocation, and rapid containment after a suspected credential submission.

Where this is heading in 2026

BlueDelta’s campaign is likely a preview of what more teams will face: long-running credential operations that behave like a product, not a one-off attack.

Expect more of the same patterns:

  • More redirect layers to defeat URL analysis
  • More use of shared cloud and free web services
  • More focus on MFA capture and session-based access

AI in cybersecurity isn’t about replacing analysts. It’s about making sure analysts aren’t the bottleneck when the attacker can spin up a new domain in minutes.

If you’re evaluating AI-driven threat detection, use this campaign as a litmus test: Can your controls connect a phishing PDF, a suspicious redirect chain, and an anomalous login into one incident—automatically? If not, you’re leaving the door open for exactly the kind of persistent credential theft that fuels espionage operations.

Want to stress-test your environment against campaigns like BlueDelta’s? Start by mapping your telemetry across email, web, and identity—and identify where you’re blind when the “payload” is simply a login page.