APT28 credential-harvesting campaign against energy and regional targets

Campaign
First reported
Last updated
Happening score: 36
1 unique source, 1 article

Summary

APT28 (BlueDelta) ran a credential-harvesting campaign that targeted a Turkish energy and nuclear research agency, a European think tank, and organizations in North Macedonia and Uzbekistan. The activity used fake Microsoft OWA, Google, and Sophos VPN pages to capture logins, creating a risk of credential theft for sensitive regional organizations. The operation appeared in February and September 2025 and was tailored with Turkish-language lure material.

Related Happenings

Webworm expanded European government and South Africa university espionage campaign

Campaign
First: 20.05.2026 14:30 Last: 20.05.2026 14:30 Sources 1

About this happening: Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...

Bitter Middle East spear-phishing campaign targeting civil society figures

Campaign
First: 09.04.2026 13:45 Last: 09.04.2026 13:45 Sources 1

About this happening: A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...

TA416 European government espionage campaign

Campaign
First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

Konni multi-stage KakaoTalk phishing campaign

Campaign
First: 17.03.2026 11:53 Last: 17.03.2026 11:53 Sources 1

About this happening: The **Konni** operation is expanding through **spear-phishing** and abused **KakaoTalk** desktop accounts, increasing the chance that one compromise reaches multiple contacts. It...

Russia-linked DRILLAPP campaign targeting Ukrainian entities

Campaign
First: 16.03.2026 11:07 Last: 16.03.2026 11:07 Sources 1

About this happening: A **Russia-linked** campaign is targeting **Ukrainian entities** with the **DRILLAPP** browser backdoor, expanding a covert operation that uses **judicial** and **charity-themed l...

Timeline