APT28 UKR.net credential-harvesting campaign
Campaign
Summary
The APT28 operation intensified a sustained credential-harvesting campaign against UKR[.]net users in Ukraine, increasing the risk of stolen logins and 2FA codes. The activity ran from June 2024 to April 2025 and used phishing emails with PDFs linking to UKR[.]net-themed login pages. The infrastructure relied on Mocky, Blogger subdomains, and link shorteners such as tiny[.]cc and tinyurl[.]com to conceal the capture flow.
Related Happenings
PLUGGYAPE backdoor targets Ukrainian defense forces via Signal and WhatsApp lures
Malware Activity
First: 14.01.2026 07:48
Last: 14.01.2026 07:48
Sources 1
About this happening:
**CERT-UA** disclosed **PLUGGYAPE** attacks targeting **Ukrainian defense forces** between **October and December 2025**, showing an active backdoor operation with real operationa...
Ukraine's Defense Forces charity-themed PluggyApe campaign
Campaign
First: 14.01.2026 01:03
Last: 14.01.2026 01:03
Sources 1
About this happening:
**Ukraine's Defense Forces** were targeted in a **charity-themed campaign** that delivered the **PluggyApe** backdoor, creating a focused **October to December 2025** operation ag...
Latest development: 14.01.2026 07:48
CERT-UA attributed PLUGGYAPE attacks on Ukrainian defense forces to Void Blizzard with medium confidence, saying the operators used Signal and WhatsApp charity lures, password-protected archives, and a PyInstaller-built executable that deployed a Python backdoor communicating over WebSocket or MQTT.
Blind Eagle TAG-144 five-cluster campaign targeting Colombia
Campaign
First: 27.08.2025 12:28
Last: 27.08.2025 12:28
Sources 1
About this happening:
**Blind Eagle** ran a persistent **five-cluster campaign** from **May 2024 to July 2025**, keeping **Colombian government entities** and other South American sectors in scope and...
Lovable services phishing and malware-distribution campaign
Campaign
First: 20.08.2025 16:01
Last: 20.08.2025 16:01
Sources 1
About this happening:
The abuse of **Lovable services** has fueled **numerous campaigns** that distribute **MFA phishing kits**, **malware loaders**, and scam sites, raising the risk of **credential th...
Timeline
17.12.2025 17:30 2 articles · 5mo ago
APT28 UKR.net credential-harvesting campaign
Initial Disclosure
The campaign first surfaced as a **June 2024** phishing effort that used PDF attachments to direct victims to **UKR[.]net-themed login pages**. Early handling of the stolen credentials relied on web links and redirection infrastructure designed to hide the capture path.
Sources
- APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign — thehackernews.com — 17.12.2025 17:30