Operation RoundPress targeting high-value webmail servers
May 21, 2025, 9:50 p.m.
Description
ESET researchers have uncovered a Russia-aligned espionage operation named RoundPress, targeting high-value webmail servers through XSS vulnerabilities. The campaign, attributed to the Sednit group, aims to steal confidential data from specific email accounts. Initially focused on Roundcube in 2023, the operation expanded to include Horde, MDaemon, and Zimbra in 2024. The attackers exploit various vulnerabilities, including a zero-day in MDaemon, to inject malicious JavaScript code into victims' webmail pages. Targets include governmental entities and defense companies in Eastern Europe, with some victims in Africa, Europe, and South America. The malware, known as SpyPress, can steal webmail credentials, exfiltrate contacts and email messages, and in some cases, bypass two-factor authentication.
Tags
Date
- Created: May 18, 2025, 5:59 a.m.
- Published: May 18, 2025, 5:59 a.m.
- Modified: May 21, 2025, 9:50 p.m.
Indicators
- 91.237.124.164
- 91.237.124.153
- 45.138.87.250
- 111.90.151.167
- 185.195.237.106
- skiff.com
- terembg.com
- victim.org
- global-world-news.net
- ceriossl.info
- tgh24.xyz
- raxia.top
- jiaw.shop
- ikses.net
- hijx.xyz
- hfuu.de
Attack Patterns
- SpyPress.ZIMBRA
- SpyPress.ROUNDCUBE
- SpyPress.HORDE
- SpyPress.MDAEMON
- APT28
Additional Informations
- Aerospace
- Defense
- Transportation
- Government
- lsjb.digital
- Cameroon
- Greece
- Cyprus
- Bulgaria
- Serbia
- Romania
- Ecuador
- Ukraine