GRU-Linked BlueDelta Evolves Credential Harvesting

    Date: 01/23/2026

    Severity: High

    Summary: Between February and September 2025, multiple credential-harvesting campaigns were attributed to BlueDelta, a Russian state-sponsored threat group linked to the GRU. These operations expand on BlueDelta’s ongoing credential-theft activity previously documented in Insikt Group’s December 2025 report. During 2025, BlueDelta targeted a limited but distinct set of victims. Targets included individuals associated with a Turkish energy and nuclear research agency, a European think tank, and organizations in North Macedonia and Uzbekistan. The use of Turkish-language and region-specific lure materials indicates deliberate tailoring to enhance credibility. Overall targeting reflects sustained interest in energy research, defense collaboration, and government communication networks aligned with Russian intelligence priorities.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    IP Addresses:

    172.111.206.103

    185.27.134.125

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://account-settings-shsvchx.wuaze.com/sidsixcnvxcucxv" or url like "https://account-settings-shsvchx.wuaze.com/sidsixcnvxcucxv" or siteurl like "https://account-settings-shsvchx.wuaze.com/sidsixcnvxcucxv" or domainname like "https://config-settings.kesug.com/sogfdshxncvsad/npp.php" or url like "https://config-settings.kesug.com/sogfdshxncvsad/npp.php" or siteurl like "https://config-settings.kesug.com/sogfdshxncvsad/npp.php" or domainname like "account-security-googie.my-board.org" or url like "account-security-googie.my-board.org" or siteurl like "account-security-googie.my-board.org" or domainname like "https://webhook.site/ff237e88-cbaf-4b0b-b787-6e2f1f2c926f" or url like "https://webhook.site/ff237e88-cbaf-4b0b-b787-6e2f1f2c926f" or siteurl like "https://webhook.site/ff237e88-cbaf-4b0b-b787-6e2f1f2c926f" or domainname like "https://d3ef-2804-37f8-400-2cbf-4996-e46a-4802-5c08.ngrok-free.app" or url like "https://d3ef-2804-37f8-400-2cbf-4996-e46a-4802-5c08.ngrok-free.app" or siteurl like "https://d3ef-2804-37f8-400-2cbf-4996-e46a-4802-5c08.ngrok-free.app" or domainname like "https://config-settings.kesug.com/sogfdshxncvsad" or url like "https://config-settings.kesug.com/sogfdshxncvsad" or siteurl like "https://config-settings.kesug.com/sogfdshxncvsad" or domainname like "https://webhook.site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4" or url like "https://webhook.site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4" or siteurl like "https://webhook.site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4" or domainname like "enmrgkf41bifd.x.pipedream.net" or url like "enmrgkf41bifd.x.pipedream.net" or siteurl like "enmrgkf41bifd.x.pipedream.net" or domainname like "https://account-settings-shsvchx.wuaze.com/sidsixcnvxcucxv/ald.php" or url like "https://account-settings-shsvchx.wuaze.com/sidsixcnvxcucxv/ald.php" or siteurl like "https://account-settings-shsvchx.wuaze.com/sidsixcnvxcucxv/ald.php" or domainname like "config-settings.kesug.com" or url like "config-settings.kesug.com" or siteurl like "config-settings.kesug.com" or domainname like "https://account-settings-shsvchx.wuaze.com/uzdfbdhyzxjc/ald.php" or url like "https://account-settings-shsvchx.wuaze.com/uzdfbdhyzxjc/ald.php" or siteurl like "https://account-settings-shsvchx.wuaze.com/uzdfbdhyzxjc/ald.php" or domainname like "account-settings-shsvchx.wuaze.com" or url like "account-settings-shsvchx.wuaze.com" or siteurl like "account-settings-shsvchx.wuaze.com" or domainname like "https://shorturl.at/Be4Xe" or url like "https://shorturl.at/Be4Xe" or siteurl like "https://shorturl.at/Be4Xe" or domainname like "account-security-googie.rf.gd" or url like "account-security-googie.rf.gd" or siteurl like "account-security-googie.rf.gd" or domainname like "https://webhook.site/e8ae3bbd-ab02-46b7-b84c-f5f4baa5d7c7" or url like "https://webhook.site/e8ae3bbd-ab02-46b7-b84c-f5f4baa5d7c7" or siteurl like "https://webhook.site/e8ae3bbd-ab02-46b7-b84c-f5f4baa5d7c7" or domainname like "https://account-settings-shsvchx.wuaze.com/uzdfbdhyzxjc" or url like "https://account-settings-shsvchx.wuaze.com/uzdfbdhyzxjc" or siteurl like "https://account-settings-shsvchx.wuaze.com/uzdfbdhyzxjc"

    Detection Query 2:

    dstipaddress IN ("185.27.134.125","172.111.206.103") or srcipaddress IN ("185.27.134.125","172.111.206.103")
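    The two queries above compare log fields against the advisory's indicators literally. The Python below is an example added here (it is neither Gurucul's TDIR syntax nor Recorded Future's code) that performs the same matching over constructed proxy records with two refinements a detection engineer would want: attacker-controlled hosts are matched at hostname level so any path under them is caught, while indicators hosted on shared services (webhook.site, shorturl.at) are matched as exact URLs so unrelated users of those services are not flagged. Field names follow the queries above; the sample records are constructed.

```python
from urllib.parse import urlsplit

# Attacker-controlled hosts from the advisory: match at hostname level, which
# also covers the /ald.php and /npp.php landing pages under them.
IOC_HOSTS = {
    "account-settings-shsvchx.wuaze.com",
    "config-settings.kesug.com",
    "account-security-googie.rf.gd",
    "enmrgkf41bifd.x.pipedream.net",
}
# Indicators on shared services: a bare-hostname match on webhook.site or
# shorturl.at would flag unrelated traffic, so these are matched as exact URLs.
IOC_URLS = {
    "https://webhook.site/ff237e88-cbaf-4b0b-b787-6e2f1f2c926f",
    "https://shorturl.at/Be4Xe",
}
IOC_IPS = {"172.111.206.103", "185.27.134.125"}

def normalize(value):
    """Return (host, host+path) for a URL or bare hostname. The host is compared
    case-insensitively; the path keeps its case (webhook IDs and shorturl codes
    are case-sensitive). Scheme and trailing slash are ignored."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value          # let urlsplit treat a bare host as netloc
    parts = urlsplit(value)
    host = (parts.hostname or "").lower()
    return host, host + parts.path.rstrip("/")

IOC_URL_KEYS = {normalize(u)[1] for u in IOC_URLS}

def match_record(record):
    """Return (field, indicator) hits for one log record given as a dict."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        if record.get(field):
            host, key = normalize(record[field])
            if host in IOC_HOSTS:
                hits.append((field, host))
            elif key in IOC_URL_KEYS:
                hits.append((field, key))
    for field in ("srcipaddress", "dstipaddress"):
        if record.get(field) in IOC_IPS:
            hits.append((field, record[field]))
    return hits

SAMPLE_LOGS = [  # constructed records, not taken from the advisory
    {"url": "http://Account-Settings-Shsvchx.wuaze.com/uzdfbdhyzxjc/ald.php",
     "dstipaddress": "185.27.134.125"},
    {"siteurl": "https://webhook.site/ff237e88-cbaf-4b0b-b787-6e2f1f2c926f/"},
    {"siteurl": "https://webhook.site/00000000-0000-0000-0000-000000000000"},
    {"url": "https://shorturl.at/be4xe"},   # different case: a different short link
]

def scan(records):
    """Return the records that hit at least one indicator, paired with their hits."""
    return [(r, match_record(r)) for r in records if match_record(r)]
```

    The third and fourth sample records show why the shared-service indicators are kept as exact URLs: an unrelated webhook.site endpoint and a differently-cased short link produce no hit.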

    Reference:

    https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting

    Tags

    Threat Actor, Credential Harvesting, RunnerBeacon, CredentialTheft, Turkey, Europe, Government Services and Facilities, Energy, Nuclear Reactors