Saved February 14, 2026
Do you care about this?
The article details Fancy Bear, a Russian APT group, which is focusing on simple yet effective credential harvesting attacks across the Balkans, Middle East, and Central Asia. Their methods rely on phishing and off-the-shelf tools, targeting organizations of strategic value to Russia. Analysts warn that this approach is cost-effective and potentially part of a broader intelligence collection effort.
If you do, here's more
Russia's Fancy Bear APT, connected to the GRU, is ramping up its credential harvesting operations targeting organizations in the Balkans, Middle East, and Central Asia. Despite its past notoriety for complex cyberattacks, Fancy Bear has shifted to simpler, cost-effective methods that rely heavily on spear phishing. These tactics have proven effective, offering better returns than more elaborate malware attacks. Recorded Future's analysis highlights that, from February to September 2025, Fancy Bear's campaigns focused on specific organizations, using basic phishing pages and readily available infrastructure.
The group’s recent targets include an IT integrator in Uzbekistan, a military organization in North Macedonia, and a European think tank. The targeting strategy appears fragmented at first glance but aligns with Russia's geopolitical and military interests. Some targets may serve as stepping stones to access higher-value organizations. For example, previous credential-harvesting campaigns have targeted lesser-known entities that later revealed connections to more significant strategic interests. This broader intelligence effort suggests that many more victims may exist beyond those currently identified.
The article emphasizes that Fancy Bear's approach reflects a calculated evolution in intelligence gathering. By minimizing the use of unique malware and relying on widely available tools, the group reduces its visibility and operational costs. Their methods, such as using commercial VPNs and free hosting services, make it harder for defenders to trace attacks. This evolution prioritizes persistence and scalability while avoiding the attention often drawn by more sophisticated operations.