"##delta’s spearphishing tradecraft, with the group adopting new lure themes, multi-stage redirection chains, and enhanced credential-harvesting mechanisms. each campaign abused free hosting and tunneling services to host malicious content and relay harvested data, reflectin…"
T1566.001 Spearphishing Attachment
91%
"0dc416aeb9c4"></head><body><object data="hxxps://www[.]grc[.]net/documents/68527c604ba00strategicandpoliticalimplicationsforisraelandiran2[.]pdf" type="application/pdf" style="min-height: 100vh; width: 100%"></object></body…"
T1566.002 Spearphishing Link
73%
"'s armed forces (gru). also known as apt28, fancy bear, and forest blizzard, the group has carried out credential-harvesting and espionage operations for more than a decade. this campaign overlaps with activity previously attributed by insikt group to bluedelta, which multip…"
T1056.003 Web Portal Capture
68%
"at the url hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4, which hosts a spoofed owa login page as shown in figure 1. the page's structure is very similar to that of previous bluedelta credential-harvesting pages, but the theme has been updated t…"
T1598.003 Spearphishing Link
52%
"##delta’s spearphishing tradecraft, with the group adopting new lure themes, multi-stage redirection chains, and enhanced credential-harvesting mechanisms. each campaign abused free hosting and tunneling services to host malicious content and relay harvested data, reflectin…"
T1598.002 Spearphishing Attachment
34%
"cooperation, and government communication networks relevant to russian intelligence priorities. bluedelta’s credential-harvesting pages impersonated a range of legitimate webmail and vpn services, including microsoft outlook web access (owa), google, and sophos vpn portals.…"
T1598.002 Spearphishing Attachment
33%
"##delta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as microsoft outlook web access (owa), google, and sophos vpn login portals. the group leveraged a combination of free hosting and tunneling services, including webhook[.]…"
T1598 Phishing for Information
32%
"##delta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as microsoft outlook web access (owa), google, and sophos vpn login portals. the group leveraged a combination of free hosting and tunneling services, including webhook[.]…"
Summary
Insikt Group reveals how GRU-linked BlueDelta evolved credential-harvesting campaigns targeting government, energy, and research organizations across Europe and Eurasia.