The Russian GRU-backed threat actor APT28 has been attributed with a series of attacks targeting networks throughout Europe with the HeadLace malware and credential-harvesting websites.
APT28, also known by the aliases BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) organization connected with Russia's strategic military intelligence arm, the GRU.
The hacking crew operates with a high level of stealth and sophistication, often demonstrating its adaptability through deep preparation and custom tooling, and relying on legitimate internet services (LIS) and living-off-the-land binaries (LOLBins) to blend its operations into regular network traffic.
"From April to December 2023, BlueDelta deployed Headlace malware in three distinct phases using geofencing techniques to target networks throughout Europe with a heavy focus on Ukraine," Recorded Future's Insikt Group claimed.
"BlueDelta's espionage activities reflect a broader strategy aimed at gathering intelligence on entities with military significance to Russia in the context of its ongoing aggression against Ukraine."
HeadLace, as previously observed by the Computer Emergency Response Team of Ukraine (CERT-UA), Zscaler, Proofpoint, and IBM X-Force, is delivered by spear-phishing emails containing malicious URLs that, when opened, launch a multi-stage infection process to drop the malware.
BlueDelta is said to have used a seven-stage infrastructure chain during the first phase to deploy a malicious Windows BAT script (i.e., HeadLace) that's capable of downloading and executing follow-on shell commands, subject to sandbox and geofencing checks.
The second phase, which began on September 28, 2023, is notable for using GitHub as the starting point of the redirection chain, while the third phase moved to PHP scripts hosted on InfinityFree beginning October 17, 2023.
"The last detected activity in phase three was in December 2023," the company added. "Since then, BlueDelta likely ceased using InfinityFree hosting and favored hosting infrastructure on webhook[.]site and mocky[.]io directly."
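As an added defender-side example (not code from the Recorded Future report or from the article): a small Python triage script that scans constructed proxy log lines for the legitimate services the report names as HeadLace hosting and redirection infrastructure (GitHub as the first hop, mocky.io, webhook.site, InfinityFree-hosted pages) and raises severity when a single client touches several of them within a few minutes, which is the shape of the multi-stage redirection chain described above. The log format, the InfinityFree hosting suffixes and every sample URL below are assumptions, not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Hosts the report names as HeadLace redirection/hosting infrastructure.
# All are legitimate services, so a single hit is a triage lead, not a verdict.
WATCHLIST = {
    "webhook.site": "direct hosting after InfinityFree was abandoned",
    "mocky.io": "redirect hop / credential relay page",
    "run.mocky.io": "redirect hop / credential relay page",
}
# Assumed InfinityFree free-hosting suffixes (not taken from the report).
INFINITYFREE_SUFFIXES = (".infinityfreeapp.com", ".rf.gd", ".great-site.net")
# GitHub was the first hop in phase two; far too common to alert on alone,
# so it only contributes when it appears as part of a chain.
FIRST_HOP_HOSTS = {"github.com", "raw.githubusercontent.com"}

# Assumed proxy log format: "<ISO timestamp> <client ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines; the paths and ids are placeholders, not real IoCs.
SAMPLE_LOG = """\
2023-10-20T09:14:02 10.0.0.15 GET https://github.com/placeholder-user/placeholder-repo 200
2023-10-20T09:14:05 10.0.0.15 GET https://run.mocky.io/v3/placeholder-id 302
2023-10-20T09:14:07 10.0.0.15 GET https://webhook.site/placeholder-uuid 200
2023-10-20T09:30:11 10.0.0.22 GET https://raw.githubusercontent.com/placeholder/main/file.txt 200
2023-10-20T11:02:44 10.0.0.31 GET https://webhook.site/another-placeholder 200
2023-10-20T11:40:00 10.0.0.40 GET https://example.com/index.html 200
""".splitlines()


def classify_host(host):
    """Return a reason string if the host is on the watchlist, else None."""
    host = host.lower()
    if host in WATCHLIST:
        return WATCHLIST[host]
    if host.endswith(INFINITYFREE_SUFFIXES):
        return "InfinityFree-hosted page (phase 3 PHP redirector pattern)"
    if host in FIRST_HOP_HOSTS:
        return "GitHub first hop (only meaningful inside a chain)"
    return None


def parse_line(line):
    """Parse one log line into a dict with a datetime and the request host."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def find_chains(lines, window=timedelta(minutes=5)):
    """Group watchlist hits per client IP. A client that reaches two or more
    distinct watchlist hosts inside `window` is reported as a high-severity
    chain; a lone non-GitHub hit is reported as low severity for triage."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify_host(rec["host"])
        if reason:
            hits[rec["src"]].append((rec["ts"], rec["host"], reason))

    findings = []
    for src, events in hits.items():
        events.sort(key=lambda e: e[0])
        best = []
        # Sliding window anchored at each event; keep the widest distinct host set.
        for i, (t0, _, _) in enumerate(events):
            in_window = [h for ts, h, _ in events[i:] if ts - t0 <= window]
            distinct = list(dict.fromkeys(in_window))
            if len(distinct) > len(best):
                best = distinct
        if not [h for h in best if h not in FIRST_HOP_HOSTS]:
            continue  # GitHub-only activity is not reportable on its own
        severity = "high" if len(best) >= 2 else "low"
        findings.append({"src": src, "severity": severity, "hosts": best})
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG):
        print(f"{finding['severity']:<5} {finding['src']:<12} -> {' > '.join(finding['hosts'])}")
```

Because every host on the list is a legitimate service, the script deliberately reports single hits at low severity and only escalates on the sequencing; in practice the watchlist would be fed from current threat intelligence rather than hard-coded, and hits should be correlated with the originating email or process before any response action.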
BlueDelta has also been reported to run credential-harvesting operations targeting users of sites like Yahoo! and UKR[.]net by presenting lookalike pages designed to trick users into entering their credentials.
Another approach involved setting up dedicated web pages on Mocky that communicate with a Python script running on compromised Ubiquiti routers to exfiltrate the entered credentials. Earlier in February, a U.S.-led law enforcement operation dismantled a botnet of Ubiquiti EdgeRouters that APT28 had been using for this purpose.
Targets of the credential-harvesting activities included the Ukrainian Ministry of Defence, Ukrainian arms import and export enterprises, European railway infrastructure, and a think tank based in Azerbaijan.
"Successfully infiltrating networks associated with Ukraine's Ministry of Defence and European railway systems could allow BlueDelta to gather intelligence that potentially shapes battlefield tactics and broader military strategies," Recorded Future warned.
"Moreover, BlueDelta's interest in the Azerbaijan Center for Economic and Social Development suggests an agenda to understand and possibly influence regional policies."
The finding comes as another state-sponsored Russian threat group, Turla, has been spotted using human rights seminar invitations as phishing email decoys to execute a payload identical to the TinyTurla backdoor via the Microsoft Build Engine (MSBuild).