{
	"id": "cd9bca52-e467-4a96-87f5-04ac5bb1bc54",
	"created_at": "2026-04-06T01:30:32.078956Z",
	"updated_at": "2026-04-10T13:12:20.720014Z",
	"deleted_at": null,
	"sha1_hash": "65f59282daed6612b2ef8710b07adc18a899dd19",
	"title": "GRU's BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Camp | Recorded Future",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 644195,
	"plain_text": "GRU's BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Camp | Recorded Future\r\nBy Insikt Group®\r\nArchived: 2026-04-06 00:44:20 UTC\r\nPUBLISHED ON 30 MAY 2024\r\nInsikt Group®\r\nInsikt Group tracks the evolutions of GRU's BlueDelta operational infrastructure, targeting networks across\r\nEurope with information-stealing Headlace malware and credential-harvesting web pages. BlueDelta deployed\r\nHeadlace infrastructure in three distinct phases from April to December 2023, using phishing, compromised\r\ninternet services, and living off the land binaries to extract intelligence. Credential harvesting pages targeted\r\nUkraine's Ministry of Defence, European transportation infrastructures, and an Azerbaijani think tank, reflecting a\r\nbroader Russian strategy to influence regional and military dynamics.\r\nGRU's BlueDelta Espionage Campaigns Across Europe\r\nRussia’s strategic military intelligence unit, the GRU, continues to conduct sophisticated cyber-espionage\r\noperations as geopolitical tensions persist. Insikt Group’s latest findings highlight the actions of BlueDelta, which\r\nhas systematically targeted key networks across Europe using custom malware and credential harvesting.\r\nFrom April to December 2023, BlueDelta deployed Headlace malware in three distinct phases using geofencing\r\ntechniques to target networks throughout Europe with a heavy focus on Ukraine. Headlace malware is deployed\r\nusing phishing emails, sometimes mimicking legitimate communications to increase effectiveness. BlueDelta\r\nexploits legitimate internet services (LIS) and living off-the-land binaries (LOLBins), further disguising their\r\nhttps://www.recordedfuture.com/research/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp\r\nPage 1 of 2\n\noperations within regular network traffic. This sophistication makes detection difficult, increasing BlueDelta’s\r\nsuccess when compromising networks.\r\nOne notable aspect of BlueDelta’s operations is its focus on credential harvesting pages. Targeting services like\r\nYahoo and UKR[.]net, it employs advanced functions capable of relaying two-factor authentication and\r\nCAPTCHA challenges. Recent operations have targeted the Ukrainian Ministry of Defence, Ukrainian weapons\r\nimport and export companies, European railway infrastructure, and a think tank based in Azerbaijan.\r\nSuccessfully infiltrating networks associated with Ukraine’s Ministry of Defence and European railway systems\r\ncould allow BlueDelta to gather intelligence that potentially shapes battlefield tactics and broader military\r\nstrategies. Moreover, BlueDelta’s interest in the Azerbaijan Center for Economic and Social Development\r\nsuggests an agenda to understand and possibly influence regional policies.\r\nFor organizations within government, military, defense, and related sectors, the rise of BlueDelta’s activities is a\r\ncall to bolster cybersecurity measures: prioritizing the detection of sophisticated phishing attempts, restricting\r\naccess to non-essential internet services, and enhancing surveillance of critical network infrastructure. Continuous\r\ncybersecurity training to recognize and respond to advanced threats is essential to defend against such state-level\r\nadversaries.\r\nTo read the entire analysis, click here to download the report as a PDF.\r\nSource: https://www.recordedfuture.com/research/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp\r\nhttps://www.recordedfuture.com/research/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.recordedfuture.com/research/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp"
	],
	"report_names": [
		"grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439032,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65f59282daed6612b2ef8710b07adc18a899dd19.pdf",
		"text": "https://archive.orkl.eu/65f59282daed6612b2ef8710b07adc18a899dd19.txt",
		"img": "https://archive.orkl.eu/65f59282daed6612b2ef8710b07adc18a899dd19.jpg"
	}
}