Today's cybersecurity headlines are brought to you by ThreatPerspective
Ethical Hacking News

A Russian State-Sponsored Hacking Group Exploits Vulnerabilities in Webmail Software to Steal Confidential Data



A Russian state-sponsored hacking group has been linked to a series of cyber espionage operations targeting webmail servers in Eastern Europe, Africa, Europe, and South America. The malicious activities exploit XSS vulnerabilities in Horde, MDaemon, and Zimbra, allowing the threat actor to steal confidential data from specific email accounts.

  • Russia-linked threat actor APT28 (also known as BlueDelta) has been linked to a series of cyber espionage operations targeting webmail servers.
  • The operation, codenamed Operation RoundPress, began in 2023 and aims to steal confidential data from specific email accounts.
  • The attacks exploit XSS vulnerabilities in Horde, MDaemon, and Zimbra to execute arbitrary JavaScript code.
  • Most victims are governmental entities and defense companies in Eastern Europe, Africa, Europe, and South America.
  • A majority of targets have been found to be Ukrainian governmental entities or defense companies.
  • The threat actor uses spear-phishing emails and similarities in server configuration to overlap with other campaigns.
  • CVE-2023-43770 was added to the US CISA's Known Exploited Vulnerabilities catalog, and MDaemon XSS vulnerability is assessed to be a zero-day.



    • Russia-Linked APT28, a threat actor also known as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, has been linked to a series of cyber espionage operations targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities. The malicious activities were codenamed Operation RoundPress by Slovak cybersecurity company ESET.

    The Operation RoundPress campaign began in 2023 and has been attributed to Russia with medium confidence, according to ESET researcher Matthieu Faou. The ultimate goal of this operation is to steal confidential data from specific email accounts, with most victims being governmental entities and defense companies in Eastern Europe, Africa, Europe, and South America.

    In June 2023, Recorded Future detailed the threat actor's abuse of multiple flaws in Roundcube (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to conduct reconnaissance and data gathering. Since then, other threat actors like Winter Vivern and UNC3707 (aka GreenCube) have also targeted email solutions, including Roundcube in various campaigns over the years.

    The ties of Operation RoundPress to APT28 stem from overlaps in the email address used to send spear-phishing emails and similarities in the way certain servers were configured. A majority of the targets of the campaign in 2024 have been found to be Ukrainian governmental entities or defense companies in Bulgaria and Romania, some of which are producing Soviet-era weapons to be sent to Ukraine.

    Other targets include government, military, and academic organizations in Greece, Cameroon, Ecuador, Serbia, and Cyprus. The attacks entail the exploitation of XSS vulnerabilities in Horde, MDaemon, and Zimbra to execute arbitrary JavaScript code in the context of the webmail window.

    CVE-2023-43770 was added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog in February 2024. The MDaemon XSS vulnerability is assessed to have been used by the threat actor as a zero-day, assigned the CVE identifier CVE-2024-11182 (CVSS score: 5.3), and was patched in version 24.5.1 last November.

    "Sednit sends these XSS exploits by email," Faou said. "The exploits lead to the execution of malicious JavaScript code in the context of the webmail client web page running in a browser window. Therefore, only data accessible from the victim's account can be read and exfiltrated."

    However, for the exploit to be successful, the target must be convinced to open the email message in the vulnerable webmail portal, assuming it's able to bypass the software's spam filters and land on the user's inbox. The contents of the email themselves are innocuous, as the malicious code that triggers the XSS flaw resides within the HTML code of the email message's body and, therefore, is not visible to the user.

    Successful exploitation leads to the execution of an obfuscated JavaScript payload named SpyPress that comes with the ability to steal webmail credentials and harvest email messages and contact information from the victim's mailbox. The malware, despite lacking a persistence mechanism, gets reloaded every time the booby-trapped email message is opened.

    "In addition, we detected a few SpyPress.ROUNDCUBE payloads that have the ability to create Sieve rules," ESET said. "SpyPress.ROUNDCUBE creates a rule that will send a copy of every incoming email to an attacker-controlled email address. Sieve rules are a feature of Roundcube and therefore the rule will be executed even if the malicious script is no longer running."

    The gathered information is subsequently exfiltrated via an HTTP POST request to a hard-coded command-and-control (C2) server. Select variants of the malware have also been found to capture login history, two-factor authentication (2FA) codes, and even create an application password for MDAEMON to retain access to the mailbox even if the password or the 2FA code gets changed.

    "Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern," Faou said. "Because many organizations don't keep their webmail servers up to date and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft."



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Russian-State-Sponsored-Hacking-Group-Exploits-Vulnerabilities-in-Webmail-Software-to-Steal-Confidential-Data-ehn.shtml

  • https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html

  • https://nvd.nist.gov/vuln/detail/CVE-2020-12641

  • https://www.cvedetails.com/cve/CVE-2020-12641/

  • https://nvd.nist.gov/vuln/detail/CVE-2020-35730

  • https://www.cvedetails.com/cve/CVE-2020-35730/

  • https://nvd.nist.gov/vuln/detail/CVE-2021-44026

  • https://www.cvedetails.com/cve/CVE-2021-44026/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-43770

  • https://www.cvedetails.com/cve/CVE-2023-43770/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-11182

  • https://www.cvedetails.com/cve/CVE-2024-11182/

  • https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/

  • https://www.logpoint.com/en/blog/emerging-threats/forest-blizzard/

  • https://cybergeist.io/profile/frozenlake

  • https://attack.mitre.org/groups/G0007/

  • https://thehackernews.com/2023/12/russian-apt28-hackers-targeting-13.html

  • https://www.ibm.com/think/x-force/itg05-leverages-malware-arsenal

  • https://gbhackers.com/ta422-hackers-attack-organizations/

  • https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/

  • https://attack.mitre.org/groups/G1035/


    • Published: Thu May 15 06:32:51 2025 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us