Pulse Detail — Threat Intelligence

PULSE NAME

BlueDelta’s Persistent Campaign Against UKR.NET

WHITE APT28 AlienVault 2025-12-17 Modified: 2026-01-16

IOCs

HIGH VOLUME

Between June 2024 and April 2025, a sustained credential-harvesting campaign targeting UKR.NET users was identified, attributed to the Russian state-sponsored threat group BlueDelta. The group deployed multiple credential-harvesting pages themed as UKR.NET login portals, leveraging free web services and proxy tunneling platforms to collect user credentials. BlueDelta distributed PDF lures with embedded links to evade detection. The campaign demonstrates the group's adaptability and persistent focus on Ukrainian user credentials for intelligence purposes. Infrastructure changes, including the transition to ngrok and Serveo, reflect responses to takedown efforts. The activity highlights the GRU's continued interest in compromising Ukrainian credentials amid ongoing conflict.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1132.001 T1566.002 T1056.003 T1102 T1583.006 T1593 T1056.002 T1071.001

Indicators of Compromise (59)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	3d434157d91afd59e26db91483e7a56d	—	2025-12-17
FileHash-MD5	5ae39a1b39d45d08f947bdf0ee0452ae	—	2025-12-17
FileHash-MD5	68053622c5cb645676c534fea7c4642a	—	2025-12-17
FileHash-MD5	8b654832fbcf233f33e3cddef20a473a	—	2025-12-17
FileHash-SHA1	267e838ef339db2959c52cdc0bebb7e2e8c04b68	—	2025-12-17
FileHash-SHA1	5cc21e044124591cecc6d7ebf020018e894b2c6a	—	2025-12-17
FileHash-SHA1	a0dd8dcff49d57cfcb73bd206985f45db1483de4	—	2025-12-17
FileHash-SHA256	009440551eb6ea83da1a28361ebf44b3d022f204b99b82b83e266ec4807d18eb	—	2025-12-17
FileHash-SHA256	1919d9c67a9ce00382f65b4bc1e1d1f4e4c0b296bc20ca45ba8fef8c188138ec	—	2025-12-17
FileHash-SHA256	1a4c609fb75a54c7016736e471b6f92aaed7bb51257f3946e4ece9dd9125500c	—	2025-12-17
FileHash-SHA256	20a3bf615c257d0c79ed82c428c3c182298876e52356988dd72dc20b2f12a217	—	2025-12-17
FileHash-SHA256	2431578b5ba5a8569a689807bdb827e3d445a16cc013ed8eba7b7bfea661d76a	—	2025-12-17
FileHash-SHA256	2f8e8b2783c8c47da0f265199671f3cae4e31b2a03999fff12aa3090c74c7a51	—	2025-12-17
FileHash-SHA256	44935484933a13fb6632e8db92229cf1c5777333fa5a3c0a374b37428add69fb	—	2025-12-17
FileHash-SHA256	53142380d75e3f54490f2896b58f308e6b91bec841d09b4e88985cb5b7812031	—	2025-12-17
FileHash-SHA256	5fd8153dbb4620ab589aaa83815afce34135e5a0a5af10876fb3b0fff344c64b	—	2025-12-17
FileHash-SHA256	64b26a92652bfb67cbe18217b6508fce460eff859526b2e256d3f1b9eab338b0	—	2025-12-17
FileHash-SHA256	704b0a4f2f2195d22340471b9bdb06244047f7042728dd7f6aa6e3c5e30c9bc1	—	2025-12-17
FileHash-SHA256	86a9ca34790e219ddc371fa154c51a9a2930e2afdebf4fc0889d2ba94d6acfc1	—	2025-12-17
FileHash-SHA256	8b77e8199c61c0d97b7a40e35feedf21a168a62696b18bbb4d49766332c2c8a8	—	2025-12-17
FileHash-SHA256	8f1994f2474512430f7c998dc6c57d0fd215860a24b58f90325122bb6d8a224c	—	2025-12-17
FileHash-SHA256	95783d875ee50ef619f455a715150f414ed00157a6579ae6f73ccd72c394c5d8	—	2025-12-17
FileHash-SHA256	9f394a9cb2e54e7be10c41b997e7dc85b882c4c7dd203b6984ca2aea151a47b5	—	2025-12-17
FileHash-SHA256	be3cccc2c62c0033aebcf91a6587eb815a1994cf268c42cf92ed856b6cf556aa	—	2025-12-17
FileHash-SHA256	c0890f375af0f503c873878b1b09a1c5147b72ab38511d9911e847c10622c0aa	—	2025-12-17
FileHash-SHA256	c194f619d1ed73c0f0721d818564aa8238aceba94d1e721942c5cb67cbba68ff	—	2025-12-17
FileHash-SHA256	ce421ab3db97f4b68d6e688c8ad5a6bafe82612d23df3257128433578c3caffb	—	2025-12-17
FileHash-SHA256	f5d2edbf1af6bf7db3f29e77a99883e39b5bc4ec483af4de47e8a75574248649	—	2025-12-17
FileHash-SHA256	fa8a4d544ffb3ca9d51448772f478f303602023e0cd70af4b9f85d3b72b4cd27	—	2025-12-17
domain	doads.org	—	2025-12-17
domain	edfuture.com	—	2025-12-17
domain	element.id	—	2025-12-17
domain	linkcuts.com	—	2025-12-17
domain	linkcuts.org	—	2025-12-17
domain	talebco.ir	—	2025-12-17
domain	ukrainnet.com	—	2025-12-17
domain	ukrinet.com	—	2025-12-17
hostname	0592cc96ea.serveo.net	—	2025-12-17
hostname	232524f51a.serveo.net	—	2025-12-17
hostname	5ae39a1b39d45d08f947bdf0ee0452ae.serveo.net	—	2025-12-17
hostname	94c1bb7d4c.serveo.net	—	2025-12-17
hostname	chujdrtuityui.mydiscussion.net	—	2025-12-17
hostname	f0ee0452ae.serveo.net	—	2025-12-17
hostname	kfghjerrlknsm.line.pm	—	2025-12-17
hostname	tuyt8erti867i.synergize.co	—	2025-12-17
hostname	ukraine.html-5.me	—	2025-12-17
hostname	ukrainesafe.is-great.org	—	2025-12-17
hostname	ukrainesafeurl.talebco.ir	—	2025-12-17
hostname	un.mocky.io	—	2025-12-17
FileHash-MD5	47e811dbe2ed0ea8d506af94c1bb7d4c	—	2025-12-17
FileHash-MD5	6c7aa72bd5f1d30203b80596f926b2b7	—	2025-12-17
FileHash-MD5	73ce1aae8a9ba738b91040232524f51a	—	2025-12-17
FileHash-MD5	92ace7e653e9c32d2af9700592cc96ea	—	2025-12-17
FileHash-MD5	d7763713839aaf61dd299a55da3aad76	—	2025-12-17
hostname	47e811dbe2ed0ea8d506af94c1bb7d4c.serveo.net	—	2025-12-17
hostname	6c7aa72bd5f1d30203b80596f926b2b7.serveo.net	—	2025-12-17
hostname	73ce1aae8a9ba738b91040232524f51a.serveo.net	—	2025-12-17
hostname	92ace7e653e9c32d2af9700592cc96ea.serveo.net	—	2025-12-17
hostname	d7763713839aaf61dd299a55da3aad76.serveo.net	—	2025-12-17

References (1)

↗ https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet