Russian APT actor phishes the Baltics and the Balkans
Essential information
- Published: 16/12/2025 09:50
- Modified: 21/12/2025 19:31
- Tags: 2025-12-16 apt credential-theft eastern europe government phishing
- Related entities: 1 intrusion sets (apt), 7 techniques (mitre), 10 others
Description
A Russian Advanced Persistent Threat (APT) group has been targeting government entities in the Baltic and Balkan regions with sophisticated phishing campaigns. The attackers use email attachments spoofing official documents to lure victims into entering their credentials on fake login pages. The phishing pages employ blurred background images and complex password validation mechanisms. Stolen credentials are sent to a third-party service, even if they don't meet the specified complexity requirements. This campaign has been active since at least 2023, with various lures tailored to specific government targets in countries such as Moldova, Ukraine, Lithuania, Bosnia and Herzegovina, Macedonia, Montenegro, Spain, and Bulgaria.