Fancy Bear’s Email Heist: How APT28 is Outfoxing Governments with RoundPress
Hackers are running a cyberespionage campaign called RoundPress. This operation exploits webmail server flaws to steal emails from governments and military units. APT28 is suspected to be behind this, using spear-phishing emails with malicious JavaScript payloads. Just opening the email can trigger the attack—no need to click anything.
Hot Take:
It looks like Fancy Bear has decided to go on a worldwide email scavenger hunt, and they’ve put on their best trench coats and dark sunglasses to do it. This time, they’re diving into inboxes like they’re trying to find Waldo, but instead of a striped shirt, they’re after state secrets. Who knew email could be this exciting? It’s like a game of digital Where’s Waldo, but with more espionage and less fun for the victims!
Key Points:
- APT28, known as “Fancy Bear,” is behind a cyberespionage campaign dubbed ‘RoundPress’ targeting webmail servers.
- The campaign exploits both zero-day and n-day vulnerabilities, focusing on Roundcube, Horde, MDaemon, and Zimbra platforms.
- Spear-phishing emails with malicious JavaScript trigger exploitation of XSS vulnerabilities, requiring victims to merely open the email.
- The campaign targets high-value government and military organizations, as well as critical infrastructure in various countries.
- No RoundPress activity reported for 2025, but the hackers’ methods remain applicable due to ongoing XSS vulnerabilities.