A Russian-linked threat actor, attributed with medium confidence to APT28, is conducting cyber espionage by exploiting vulnerabilities in webmail servers such as Roundcube, Horde, MDaemon, and Zimbra. The operation, called Operation RoundPress, mainly targets governmental and defense organizations across Eastern Europe, Africa, and South America.
Affected: government entities, defense companies, military and academic organizations
Key points
- Cyber espionage campaign targets webmail servers using cross-site scripting (XSS) vulnerabilities.
- The threat actor exploits both known and zero-day vulnerabilities to steal sensitive data.
- Operation primarily targets governmental and defense organizations in multiple regions.
- Malicious emails carry obfuscated JavaScript payloads, such as SpyPress, that steal credentials and harvest mailbox contents.
- Webmail software remains an attractive target because its vulnerabilities can be exploited remotely with little effort and installations are often left unpatched.
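The vector described above is an HTML email whose body carries script that a vulnerable webmail client renders. As an added defensive example, not code from the article or from any of the webmail projects it names, the following Python triage check parses a MIME message and flags HTML parts containing active content (script tags, inline event handlers, `javascript:` URIs), decoding HTML entities first so that simple entity-based obfuscation does not hide a hit. The sample message and the pattern names are constructed for this example.

```python
import email
import re
from email import policy
from html import unescape

# Constructed sample message (not a real campaign artifact): the HTML part
# mixes harmless markup with three kinds of active content, one of them
# entity-encoded ("&#106;avascript:") to mimic light obfuscation.
SAMPLE_EML = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: Meeting notes\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please see the notes.\n"
    "--b1\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>Please see the notes.</p>"
    '<img src=x onerror="run()">'
    '<a href="&#106;avascript:void(0)">link</a>'
    "<script>/* payload */</script></body></html>\n"
    "--b1--\n"
)

# Indicators of active content in an HTML mail body. Names are this
# example's own labels, not a standard taxonomy.
ACTIVE_CONTENT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(
        r"(?:href|src|action)\s*=\s*[\"']?\s*javascript\s*:", re.I
    ),
}


def scan_html(body: str) -> list[str]:
    """Return the sorted names of indicators found in one HTML body."""
    decoded = unescape(body)  # fold &#106;avascript: back into javascript:
    return sorted(n for n, p in ACTIVE_CONTENT_PATTERNS.items() if p.search(decoded))


def scan_message(raw: str) -> list[str]:
    """Parse a raw RFC 5322 message and scan every text/html part."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: set[str] = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.update(scan_html(part.get_content()))
    return sorted(findings)
```

A hit is a triage signal for a mail gateway or SIEM rule, not proof of exploitation; the durable mitigation is patching the webmail server and stripping active content before rendering.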
Read More: https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html