Russian Espionage Operation Targets Organizations Tied to Ukraine War


A new cyber espionage operation conducted by Russian hackers associated with the Kremlin is aiming to steal confidential data from organizations linked to the war in Ukraine.

Operation RoundPress, as ESET named it in a report published on May 15, 2025, is a large-scale cyber espionage campaign attributed to Fancy Bear that has been running since at least 2023.

Its primary targets are Ukrainian governmental entities and defense companies in Bulgaria and Romania, some of which produce Soviet-era weapons to be sent to Ukraine. ESET has also observed governments in Africa, Europe and South America being targeted.

Its primary goal is to steal confidential data from specific email accounts.

Inside Operation RoundPress

In Operation RoundPress, the compromise vector is a spearphishing email that carries the exploit itself: its HTML body triggers a cross-site scripting (XSS) vulnerability in the webmail software, so the attacker's JavaScript is injected into the victim's webmail page and runs as soon as the message is viewed in the browser, with no attachment to open or link to click.

In 2024, ESET observed different XSS vulnerabilities being exploited against a wider range of webmail software: Roundcube, Horde, MDaemon and Zimbra.

Investigating some of these exploits, the researchers found that Fancy Bear delivers them in the email message itself. The malicious JavaScript then executes in the browser context of the webmail client, which means it runs with the target's session and can reach any data the target's account can.

“In order for the exploit to work, the target must be convinced to open the email message in the vulnerable webmail portal. This means that the email needs to bypass any spam filtering and the subject line needs to be convincing enough to entice the target into reading the email message — abusing well-known news media such as Ukrainian news outlet Kyiv Post or Bulgarian news portal News.bg,” wrote the ESET researchers.

Among the subject lines used in the spearphishing emails were: “SBU arrested a banker who worked for enemy military intelligence in Kharkiv” and “Putin seeks Trump’s acceptance of Russian conditions in bilateral relations”.

The injected code then loads one of a family of JavaScript payloads, which ESET tracks as SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE and SpyPress.ZIMBRA. These can steal login credentials, exfiltrate email data and, in some cases, bypass two-factor authentication (2FA), giving the attackers sustained access to victim mailboxes.

After focusing solely on Roundcube in 2023, Fancy Bear expanded to the other three webmail services in 2024.

“The MDaemon vulnerability – CVE-2024-11182, now patched – was a zero day, most likely discovered by the threat group, while the ones for Horde, Roundcube and Zimbra were older, already known flaws [that had been] patched,” said ESET researcher Matthieu Faou, who discovered and investigated Operation RoundPress.

The group has since also started to exploit a newer Roundcube vulnerability, CVE-2023-43770.

“Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups, including [Fancy Bear], GreenCube and Winter Vivern. Because many organizations don’t keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft,” explains Faou.

In its report, ESET provided an analysis of the four JavaScript payloads.

Who is Behind Fancy Bear?

Fancy Bear is a Russian cyber espionage group known by many other names, including Sednit, APT28, Pawn Storm, Forest Blizzard and Sofacy Group. The group has been active since 2004 and is believed to be affiliated with the Russian military intelligence agency (GRU).

In 2018, an indictment by the US Special Counsel identified Fancy Bear as GRU Unit 26165.

The US Department of Justice named the group as one of those responsible for the Democratic National Committee (DNC) hack just before the 2016 US elections. The group is also presumed to be behind the hacking of the global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many other incidents.
