by Tim Leogrande, BSIT, MSCP, Ed.S.

31 JAN 2026 • 3 MIN 10 SEC READ


One of the world's most notorious threat actors has been carrying out seemingly simple, low-cost credential harvesting attacks against specific organizations in the Middle East, Europe, the Balkans, and Central Asia. This advanced persistent threat (APT), run by the GRU-affiliated Russian cyber espionage group Fancy Bear, has been in operation since as early as 2004.

During most of 2025, the APT targeted the login credentials of several global organizations by deploying slick web pages and off-the-shelf hardware. The attack is a form of spear phishing: highly targeted cyberattacks in which malicious actors send personalized emails or SMS messages to specific individuals or organizations, pretending to be a trusted source, with the goal of tricking the target into revealing sensitive data, transferring money, or installing malware.

<aside> 💡

On the surface these campaigns appear simple, but they are a highly effective tool of state-sponsored cyber criminals and, in many cases, offer greater return on investment than more complex, malware-heavy operations.

</aside>

The most recent attacks began with emails themed to match the intended targets and written in their native language. When a victim clicked on an embedded link, they would be presented with a borrowed, legitimate PDF file from a relevant organization.

For example, the group targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank. Next, they were redirected to a login web page mimicking a legitimate online service. After divulging their Sophos VPN, Google, or Microsoft Outlook credentials, victims were redirected to the legitimate service's identical login page to do it all over again, which they may have chalked up to a simple glitch.

Supporting this attack flow, Fancy Bear used a variety of bonafide hosted services, rather than its own custom tools and infrastructure. Any credentials it obtained were deployed to access the victims' email accounts or virtual private networks (VPNs), enabling intelligence gathering, lateral movement within their systems, and follow-on attacks against related targets of greater value.
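The "harvest, then bounce to the real login page" behaviour described above leaves a recognisable trace in web-proxy logs: a credential POST to a login-looking host that is not an approved identity provider, followed within seconds by a visit to the legitimate sign-in host. The detector below is an added example, not code from the original post; the log format, the allow-list of legitimate login hosts and the sample records are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed allow-list of the organisation's legitimate sign-in hosts (assumption).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "vpn.example.com"}
LOGIN_HINTS = ("login", "signin", "auth", "sso", "vpn")  # tokens that mark a login page
WINDOW = timedelta(minutes=5)  # max gap between fake-login POST and real-login visit

def parse_line(line):
    """Parse a constructed 'timestamp user method url' proxy record into a dict."""
    ts, user, method, url = line.split(maxsplit=3)
    parsed = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "user": user, "method": method,
            "host": parsed.hostname or "", "path": parsed.path.lower()}

def looks_like_login(rec):
    """True if the host or path contains a login-related token."""
    return any(h in rec["host"] or h in rec["path"] for h in LOGIN_HINTS)

def find_double_logins(lines):
    """Return (user, suspect_host, legit_host) for each harvest-then-redirect chain."""
    by_user = defaultdict(list)
    for rec in map(parse_line, lines):
        by_user[rec["user"]].append(rec)
    hits = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            # Only credential submissions to login pages outside the allow-list matter.
            if r["method"] != "POST" or r["host"] in LEGIT_LOGIN_HOSTS or not looks_like_login(r):
                continue
            for later in recs[i + 1:]:
                if later["ts"] - r["ts"] > WINDOW:
                    break
                if later["host"] in LEGIT_LOGIN_HOSTS:
                    hits.append((user, r["host"], later["host"]))
                    break
    return hits

# Constructed sample records: alice follows the lure chain, bob logs in normally.
SAMPLE_LOGS = [
    "2025-06-03T09:12:01 alice GET https://files.example-thinktank.invalid/climate-policy.pdf",
    "2025-06-03T09:12:40 alice POST https://outlook-secure-login.invalid/owa/auth",
    "2025-06-03T09:12:44 alice GET https://login.microsoftonline.com/common/oauth2",
    "2025-06-03T10:05:10 bob POST https://login.microsoftonline.com/common/login",
]

if __name__ == "__main__":
    for hit in find_double_logins(SAMPLE_LOGS):
        print("suspected credential harvest:", hit)
```

In production the allow-list would come from the identity provider inventory, and a hit should trigger a forced password reset and session revocation for the affected user.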

The Fancy Bear logo. This state-sponsored Russian cyber espionage group is also known as APT28, Sofacy, and GRU Unit 26165. The group promotes the political interests of the Russian government, and is known for hacking Democratic National Committee emails to attempt to influence the outcome of the 2016 U.S. presidential election. The name Fancy Bear comes from a coding system CrowdStrike security researcher Dmitri Alperovitch uses to identify hackers.

Though there is nothing particularly innovative or original about these tactics, techniques, and procedures (TTPs)—especially for a well-resourced, highly capable state-level APT group—this could be by design. Credential-stealing campaigns rely on widely available Internet services, require minimal setup, and can be rapidly reconfigured or abandoned at little cost.

Using cheap, replaceable parts also helps Fancy Bear stay under the radar. These operations are typically accessed through commercial VPN services, and infrastructure is hosted on free platforms, making traditional attribution methods such as tracing server registrations or following financial trails far less effective.

So, cost savings aside, having no special malware, infrastructure, or techniques means that the threat actor limits its technical fingerprints and shortens the window during which infrastructure needs to remain active. Rather than being a downgrade, this approach reflects a mature evolution of intelligence collection, prioritizing persistence, scalability, and deniability over complexity, and often delivering more operational value than high-effort campaigns that quickly draw attention.

The other known targets of this most recent campaign include an IT integrator based in Uzbekistan, a European think tank, and a military organization in North Macedonia.

<aside> 💡

At first glance, this targeting can appear fragmented. But when viewed through a tradecraft lens, it is highly selective and consistent with GRU collection priorities. The targets almost always align with geopolitical, military, or strategic intelligence objectives rather than commercial or criminal goals.

</aside>

Importantly, some of these targets might only be stops on the way to bigger, more valuable prey; the Uzbek IT integrator mentioned above is one example. In previous campaigns, credential-harvesting pages targeted relatively small or obscure organizations that later proved to be linked to higher-value targets through travel, logistics, or supply chain relationships.

Most worryingly, there may be many more victims than we currently know about. So the activity we can observe should be considered a representative sample of a much broader intelligence collection effort, rather than isolated or opportunistic targeting.


© 2026 Tim Leogrande.