APT28 Hackers Exploit Mail Servers in Global Attacks


Russia-backed hacking group APT28 is targeting mail servers to spy on governments and defense firms across Europe, Africa, and South America. The campaign began in September 2023 and remains active, according to new findings from cybersecurity firm ESET.

APT28 — also known as Fancy Bear and linked to the Russian military — is injecting malicious JavaScript into webmail platforms to steal sensitive information. This group has been active for years, but its latest operation, named RoundPress, is one of its most aggressive email-focused campaigns to date.

The attack begins with a crafted email that contains an exploit. Once a user opens the email in a vulnerable webmail client, malicious JavaScript runs in their browser. This lets hackers steal credentials, messages, and contact lists — all without needing full system access.

In the first wave of attacks, APT28 used a known bug in Roundcube (CVE-2020-35730). The flaw allows remote scripts to run in the user’s browser. In 2024, they added more targets: Horde, Zimbra, and MDaemon. Some of these servers were hit using fresh vulnerabilities, including one zero-day in MDaemon (CVE-2024-11182).

Each payload is tailored to the mail system it targets. ESET calls this spyware package SpyPress. Once triggered, the code can create mail rules, redirect messages, harvest credentials, and even bypass two-factor authentication in some cases.

APT28 has been focusing on organizations linked to the war in Ukraine. This includes government offices and defense firms in countries like Bulgaria and Romania. But the threat doesn’t stop there — agencies in South America and Africa have also been compromised.

France recently accused APT28 of breaching over a dozen national institutions. The group was also behind the high-profile attack on TV5Monde a decade ago.

Experts warn that many webmail servers remain outdated and unpatched. That makes them easy targets for attackers who only need to get one email past spam filters. If the victim opens it, their inbox becomes vulnerable.

Webmail clients like Roundcube and Zimbra are especially at risk. According to ESET, these platforms have become popular targets for state-backed hacking groups because they’re often neglected when it comes to patching.
