PULSE NAME: BlueDelta's Persistent Campaign Against UKR.NET
TLP: WHITE | Adversary: APT28 | Author: AlienVault | Created: 2025-12-17 | Modified: 2026-01-16
59 IOCs (high volume)
Between June 2024 and April 2025, a sustained credential-harvesting campaign against UKR.NET users was identified and attributed to the Russian state-sponsored threat group BlueDelta (tracked by others as APT28, a GRU unit). The group stood up multiple credential-harvesting pages themed as UKR.NET login portals, hosting them on free web services and exposing them through proxy tunnelling platforms to collect victims' credentials. To get the links in front of targets while evading detection, BlueDelta distributed PDF lures with the phishing URLs embedded as links rather than placing them directly in email bodies. The campaign demonstrates the group's adaptability and its persistent focus on Ukrainian user credentials for intelligence collection. Infrastructure changes over the period, including the move to ngrok and Serveo tunnels, reflect responses to takedown efforts against earlier hosting. The activity highlights the GRU's continued interest in compromising Ukrainian credentials amid the ongoing conflict.
Indicators of Compromise (9 of 59 total shown)
Indicator types in this pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, domain, hostname
Type          Indicator                          Description   Created
FileHash-MD5 3d434157d91afd59e26db91483e7a56d 2025-12-17
FileHash-MD5 5ae39a1b39d45d08f947bdf0ee0452ae 2025-12-17
FileHash-MD5 68053622c5cb645676c534fea7c4642a 2025-12-17
FileHash-MD5 8b654832fbcf233f33e3cddef20a473a 2025-12-17
FileHash-MD5 47e811dbe2ed0ea8d506af94c1bb7d4c 2025-12-17
FileHash-MD5 6c7aa72bd5f1d30203b80596f926b2b7 2025-12-17
FileHash-MD5 73ce1aae8a9ba738b91040232524f51a 2025-12-17
FileHash-MD5 92ace7e653e9c32d2af9700592cc96ea 2025-12-17
FileHash-MD5 d7763713839aaf61dd299a55da3aad76 2025-12-17
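The pulse describes two things a SOC can check for directly: the MD5 hashes of the lure files listed above, and phishing links embedded in PDF lures that point at ngrok or Serveo tunnel hostnames. The script below is an added triage example, not code from the pulse or from AlienVault: it hashes a PDF, compares the MD5 against the nine values in the table, pulls every /URI action out of the raw PDF and flags those whose hostname belongs to a tunnelling service. The tunnel suffix list and the sample PDF (including the hostname `example-lure.ngrok-free.app`) are constructed for the example and are not indicators from the pulse.

```python
import hashlib
import re
from urllib.parse import urlsplit

# MD5 values copied from the pulse's IOC table above.
PULSE_MD5 = {
    "3d434157d91afd59e26db91483e7a56d",
    "5ae39a1b39d45d08f947bdf0ee0452ae",
    "68053622c5cb645676c534fea7c4642a",
    "8b654832fbcf233f33e3cddef20a473a",
    "47e811dbe2ed0ea8d506af94c1bb7d4c",
    "6c7aa72bd5f1d30203b80596f926b2b7",
    "73ce1aae8a9ba738b91040232524f51a",
    "92ace7e653e9c32d2af9700592cc96ea",
    "d7763713839aaf61dd299a55da3aad76",
}

# Assumption: hostname suffixes used by the tunnelling services the pulse names
# (ngrok and Serveo). Extend from your own telemetry; this is not a pulse IOC list.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".serveo.net")
TUNNEL_HOSTS = {"serveo.net"}

# Matches /URI (literal string) entries in uncompressed PDF objects. Link
# annotations stored in compressed object streams or as hex strings are not
# seen; decompress with a PDF library first if you need those.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI literal string in the raw PDF bytes, with PDF escapes removed."""
    uris = []
    for raw in URI_RE.findall(pdf_bytes):
        unescaped = re.sub(rb"\\(.)", rb"\1", raw)  # "\(" -> "(", "\)" -> ")", "\\" -> "\"
        uris.append(unescaped.decode("latin-1"))
    return uris


def is_tunnel_host(url: str) -> bool:
    """True if the URL's hostname is a tunnelling-service host (suffix match, not substring)."""
    host = (urlsplit(url).hostname or "").lower()
    return host in TUNNEL_HOSTS or host.endswith(TUNNEL_SUFFIXES)


def triage_pdf(pdf_bytes: bytes) -> dict:
    """Hash the PDF, check it against the pulse IOCs and flag embedded tunnel links."""
    md5 = hashlib.md5(pdf_bytes).hexdigest()
    uris = extract_pdf_uris(pdf_bytes)
    return {
        "md5": md5,
        "known_ioc": md5 in PULSE_MD5,
        "uris": uris,
        "tunnel_uris": [u for u in uris if is_tunnel_host(u)],
    }


# Constructed sample: a minimal two-link PDF. One link points at a made-up
# ngrok hostname, the other at a benign host with an escaped "(1)" in the path.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://example-lure.ngrok-free.app/ukr.net/login) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680]
   /A << /S /URI /URI (https://www.example.com/press\\(1\\).pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    result = triage_pdf(data)
    print(f"md5={result['md5']} known_ioc={result['known_ioc']}")
    for uri in result["uris"]:
        flag = "TUNNEL" if uri in result["tunnel_uris"] else "ok"
        print(f"  [{flag}] {uri}")
```

Run it with a path to a suspect PDF, or with no arguments to see the constructed sample. The hostname check is a suffix match on the parsed hostname rather than a substring search of the whole URL, so a lure hosted at `ngrok-free.app.example.org` or a URL that merely mentions "ngrok" in its path is not misflagged; conversely a hash miss does not clear a file, since the pulse lists only a subset of lures and the campaign rotated infrastructure.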