{
	"id": "5c8a4b9e-0d71-42e6-ba0a-f10e28bdf518",
	"created_at": "2026-04-06T00:07:38.905311Z",
	"updated_at": "2026-04-10T03:30:21.362496Z",
	"deleted_at": null,
	"sha1_hash": "8eb2b4fcd9c1fc2559215f233dfa1fb2df2af5af",
	"title": "Russian Hackers Breached 80+ Organizations Using Roundcube XSS Flaw",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 685743,
	"plain_text": "Russian Hackers Breached 80+ Organizations Using Roundcube\r\nXSS Flaw\r\nBy Eswar\r\nPublished: 2024-02-20 · Archived: 2026-04-05 15:11:07 UTC\r\nThe Russia-based threat group TAG-70 has been discovered to be exploiting Roundcube webmail servers with a\r\nrecently disclosed Cross-Site Scripting vulnerability CVE-2023-5631.\r\nTheir targets include government, military, and national infrastructure-related entities. This threat actor overlaps\r\nwith Winter Vivern, TA473, and UAC-0114 threat group.\r\nHowever, this Roundcube targeting campaign has been conducted since October 2023, attacking over 80\r\norganizations, primarily in Georgia, Poland, and Ukraine.\r\nLive Account Takeover Attack Simulation\r\nHow do Hackers Bypass 2FA?\r\nLive attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to\r\nprotect your websites and APIs against ATO attacks .\r\nMoreover, this is the only recent campaign from the Russia-aligned threat groups targeting email servers.\r\nhttps://cybersecuritynews.com/russian-hackers-xss-flaw/\r\nPage 1 of 4\n\nRoundcube Exploitation Attack Flow (Source: Recorded Future)\r\nAs part of the ongoing war between Ukraine and Russia, several Russia-based cyber-espionage groups were\r\nattacking governmental entities in Europe as a means of gathering intelligence about the war effort and planning,\r\nrelationships and negotiations, military and economic assistance, and other information that could help in fighting\r\nthe war.\r\nAccording to the reports shared with Cyber Security News, TAG-70 has previously created a spoofed website of\r\nthe MInistry of Foreign Affairs of Ukraine for luring users to download a malicious software under the\r\nimpersonation of “scanning infected PCs for viruses”. 
\r\nIn March 2023, exploitation of the Zimbra webmail portal via CVE-2022-27926 was attributed to TAG-70; the group used it to gain access to the emails of European military, government, and diplomatic organizations involved in the Russia-Ukraine war.\r\nThe sophistication of these operations and the attack vectors used point to a well-funded and skilled threat actor. \r\nTAG-70 Operation in March 2023 (Source: Recorded Future)\r\nThe more recent exploitation of Roundcube webmail servers via the XSS zero-day was investigated, revealing that the threat actors used the vulnerability to list and exfiltrate victims’ mailbox contents with no user interaction beyond opening the malicious email: the stored XSS payload runs in the victim's browser as soon as the webmail client renders the message.\r\nThreat Analysis\r\nIn February 2023, suspicious activity was discovered involving the C2 IP address 198.50.170[.]72 over TCP port 7662.\r\nThis IP was later attributed to the domain bugiplaysec[.]com, owned by TAG-70. The domain was observed communicating with a victim IP address over port 443.\r\nSimilar activity was found involving an IP address associated with the Embassy of the Republic of Uzbekistan in Ukraine, which communicated with another C2 domain, ocsp-reloads[.]com, resolving to 38.180.2[.]23. In both cases, TAG-70 administered the C2 domains via Tor.\r\nGeographic spread of victims of TAG-70's Roundcube exploit (Source: Recorded Future)\r\nFor the recent Roundcube webmail exploitation campaign, TAG-70 used an infrastructure configuration with the domain recsecas[.]com and the C2 38.180.76[.]31 tunneling to another C2 administered via Tor. 
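The C2 infrastructure described above and the indicator list that follows are only useful once they are actually checked against a server and its telemetry. The Python script below is an added example written for this page, not code from the article or from Recorded Future. It does two things: it checks a Roundcube version string against the releases that fixed CVE-2023-5631 (1.6.4, 1.5.5 and 1.4.15, taken from the Roundcube release notes rather than from the article), and it hunts the article's domains, IP addresses, the 7662/tcp C2 port and the two SHA256 hashes in DNS, proxy, firewall and AV log lines. The log lines are constructed for the example, and the location of RCMAIL_VERSION in program/include/iniset.php and the key=value log format are assumptions.

```python
# Added example for this page (not the article's or Recorded Future's code):
# a small triage script for the TAG-70 Roundcube campaign.
#  1. roundcube_patched(): is the installed version at or above the releases
#     that fixed CVE-2023-5631? Fixed versions (1.6.4 / 1.5.5 / 1.4.15) come
#     from the Roundcube release notes, not from the article. Branches older
#     than 1.4 are end-of-life and treated as vulnerable.
#  2. hunt(): match the article's IoCs (domains, IPs, the 7662/tcp C2 port,
#     SHA256 hashes) against log lines. All log lines below are constructed.

FIXED_VERSIONS = {(1, 6): (1, 6, 4), (1, 5): (1, 5, 5), (1, 4): (1, 4, 15)}
SQ = chr(39)  # single-quote character, used to parse PHP string literals


def parse_version(text):
    # '1.6.3' -> (1, 6, 3); a suffix such as '3-git' keeps only its digits
    parts = []
    for piece in text.strip().split('.'):
        digits = ''.join(c for c in piece if c.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def roundcube_patched(version):
    v = parse_version(version)
    if len(v) < 2:
        raise ValueError('unrecognised Roundcube version: ' + version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return v[:2] > (1, 6)  # newer branch shipped after the fix; older is EOL
    return v >= fixed


def roundcube_version_from_iniset(php_source):
    # Assumption: program/include/iniset.php contains a line such as
    #   define('RCMAIL_VERSION', '1.6.3');
    # The version is the second quoted literal after the constant name.
    idx = php_source.find('RCMAIL_VERSION')
    if idx < 0:
        return None
    pieces = php_source[idx:].split(SQ)
    return pieces[2] if len(pieces) > 2 else None


# Indicators listed in the article (defanged there with [.]).
IOC_DOMAINS = {'bugiplaysec.com', 'hitsbitsx.com', 'ocsp-reloads.com', 'recsecas.com'}
IOC_IPS = {'38.180.2.23', '38.180.3.57', '38.180.76.31', '86.105.18.113',
           '176.97.66.57', '176.97.76.118', '176.97.76.129', '198.50.170.72'}
IOC_SHA256 = {'6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26',
              'ea22b3e9ecdfd06fae74483deb9ef0245aefdc72f99120ae6525c0eaf37de32e'}
IOC_C2_PORT = 7662  # TCP port observed with 198.50.170[.]72


def refang(token):
    # '38.180.2[.]23' -> '38.180.2.23', 'hxxp' -> 'http', drop edge punctuation
    return token.replace('[.]', '.').replace('hxxp', 'http').strip(',;:()')


def hunt(lines):
    # Returns (line_no, kind, value) for every token that matches an IoC.
    # Tokens are normalised: key=value keeps the value, URLs keep the host,
    # host:port is split so the C2 port can be flagged separately.
    hits = []
    for n, line in enumerate(lines, 1):
        for raw in line.split():
            tok = refang(raw).lower().split('=')[-1]
            if tok.startswith('http://') or tok.startswith('https://'):
                tok = tok.split('//', 1)[1].split('/', 1)[0]
            host = tok.split(':')[0]
            port = tok.split(':')[1] if ':' in tok else None
            if host in IOC_DOMAINS or any(host.endswith('.' + d) for d in IOC_DOMAINS):
                hits.append((n, 'domain', host))
            elif host in IOC_IPS:
                kind = 'c2-port' if port == str(IOC_C2_PORT) else 'ip'
                hits.append((n, kind, tok))
            elif tok in IOC_SHA256:
                hits.append((n, 'sha256', tok))
    return hits


# Constructed sample input (hypothetical file content and log lines).
SAMPLE_INISET = '''<?php
define('RCMAIL_VERSION', '1.6.3');
'''
SAMPLE_LOGS = [
    '2023-10-12T09:14:02Z dns client=10.20.0.15 query=recsecas.com type=A answer=38.180.76.31',
    '2023-10-12T09:14:03Z proxy src=10.20.0.15 url=https://recsecas.com/index.php status=200',
    '2023-02-03T18:41:10Z fw src=10.20.0.44 dst=198.50.170.72:7662 proto=tcp action=allow',
    '2023-10-12T10:02:55Z av file=/tmp/update.bin sha256=6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26',
    '2023-10-12T10:03:01Z dns client=10.20.0.91 query=example.org type=A answer=93.184.216.34',
]

if __name__ == '__main__':
    ver = roundcube_version_from_iniset(SAMPLE_INISET)
    print('Roundcube', ver, 'patched for CVE-2023-5631:', roundcube_patched(ver))
    for hit in hunt(SAMPLE_LOGS):
        print('IoC hit on line %d: %s %s' % hit)
```

The version check compares within the maintenance branch, because a 1.5.x install is only safe at 1.5.5 or later even though 1.6.4 is numerically higher; a 1.3.x or older install has no fixed release and is reported as vulnerable. The hunt treats a match on the 7662/tcp port as a stronger signal than a bare IP match, since the article ties that port specifically to the 198.50.170[.]72 C2.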
\r\nTAG-70 Operational Infrastructure in October 2023 (Source: Recorded Future)\r\nIndicators Of Compromise\r\nDomains:\r\nbugiplaysec[.]com\r\nhitsbitsx[.]com\r\nocsp-reloads[.]com\r\nrecsecas[.]com\r\nIP Addresses:\r\n38.180.2[.]23\r\n38.180.3[.]57\r\n38.180.76[.]31\r\n86.105.18[.]113\r\n176.97.66[.]57\r\n176.97.76[.]118\r\n176.97.76[.]129\r\n198.50.170[.]72\r\nMalware Samples (SHA256):\r\n6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26\r\nea22b3e9ecdfd06fae74483deb9ef0245aefdc72f99120ae6525c0eaf37de32e\r\nSource: https://cybersecuritynews.com/russian-hackers-xss-flaw/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cybersecuritynews.com/russian-hackers-xss-flaw/"
	],
	"report_names": [
		"russian-hackers-xss-flaw"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8eb2b4fcd9c1fc2559215f233dfa1fb2df2af5af.pdf",
		"text": "https://archive.orkl.eu/8eb2b4fcd9c1fc2559215f233dfa1fb2df2af5af.txt",
		"img": "https://archive.orkl.eu/8eb2b4fcd9c1fc2559215f233dfa1fb2df2af5af.jpg"
	}
}