{"id":1095,"date":"2025-05-15T22:14:39","date_gmt":"2025-05-15T19:14:39","guid":{"rendered":"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/"},"modified":"2025-05-15T22:14:39","modified_gmt":"2025-05-15T19:14:39","slug":"government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation","status":"publish","type":"post","link":"https:\/\/trustcrypt.com\/ar\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/","title":{"rendered":"Government Webmail Compromised Through XSS Vulnerabilities in Coordinated Global Espionage Operation"},"content":{"rendered":"<p>Hackers are conducting an extensive cyber-espionage operation identified as &#8216;RoundPress&#8217;, utilizing both zero-day and n-day vulnerabilities present in webmail servers to infiltrate and extract email data from high-profile governmental institutions. <\/p>\n<p>Research conducted by ESET associates the campaign with moderate confidence to Russian state-sponsored hacker group APT28, also known as &#8220;Fancy Bear&#8221; or &#8220;Sednit.&#8221; This campaign began in 2023 and has progressed, employing new exploitation techniques throughout 2024, targeting webmail platforms including Roundcube, Horde, MDaemon, and Zimbra.<\/p>\n<p>Prominent targets of this campaign encompass government entities in Greece, Ukraine, Serbia, and Cameroon, as well as military units in Ukraine and Ecuador, defense contractors situated in Ukraine, Bulgaria, and Romania, and critical infrastructure facilities within Ukraine and Bulgaria.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation-1.webp\" alt=\"RoundPress targets\"><\/p>\n<h3>Mechanism of Attack<\/h3>\n<p>The attack vector initiates with a spear-phishing email that 
often references relevant news or political occurrences, enhancing its credibility by including segments from reputable news sources.<\/p>\n<p>An embedded malicious JavaScript payload within the HTML content of the email exploits a cross-site scripting (XSS) vulnerability in the victim&#8217;s webmail interface. Merely opening the email is sufficient for the malicious script to execute, with no additional interaction required from the recipient.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation-2.webp\" alt=\"Attack chain overview\"><\/p>\n<p>This payload has no persistence mechanism and executes only when the email is opened. The script generates invisible input fields engineered to deceive web browsers or password managers into automatically populating stored credentials for the victim&#8217;s email accounts.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation-3.webp\" alt=\"Credential stealer function\"><\/p>\n<p>Furthermore, the script reads the Document Object Model (DOM) or dispatches HTTP requests to extract various types of information, including email content, contact details, webmail settings, login history, two-factor authentication data, and passwords. Exfiltrated data is sent to hardcoded command-and-control (C2) servers through HTTP POST requests.<\/p>\n<p>The scripts differ slightly in their capabilities, each tailored to the specific webmail product being targeted.<\/p>\n<h3>Identified Vulnerabilities<\/h3>\n<p>Operation RoundPress has focused on multiple XSS vulnerabilities found within various webmail applications widely utilized by significant organizations. 
The exploitation tactics associated with this campaign involve the following vulnerabilities:<\/p>\n<p>&#8211; <strong>Roundcube \u2013 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-roundcube-email-server-bug-now-exploited-in-attacks\/\">CVE-2020-35730<\/a><\/strong>: A stored XSS vulnerability, exploited in 2023, that allowed attackers to inject JavaScript directly into an email&#8217;s body. The script executed within the context of the user&#8217;s browser-based session, permitting the theft of credentials and other data.<\/p>\n<p>&#8211; <strong>Roundcube \u2013 PLACEHOLDER_abb48c1f7ccabb32<\/strong>: In early 2024, hackers exploited a flaw involving improper hyperlink text sanitization, enabling them to inject PLACEHOLDER_f78c36d1fa233f49 tags into email content, which executed upon viewing.<\/p>\n<p>&#8211; <strong>MDaemon \u2013 CVE-2024-11182<\/strong>: A zero-day XSS vulnerability in the HTML parser of the MDaemon Email Server, exploited in late 2024 by crafting a malformed title attribute that initiated a hidden <code>&lt;img onerror&gt;<\/code> payload, executing JavaScript for credential theft and two-factor authentication bypass.<\/p>\n<p>&#8211; <strong>Horde \u2013 Unknown XSS<\/strong>: APT28 attempted to exploit an outdated XSS vulnerability within Horde through an <code>&lt;img onerror&gt;<\/code> handler; however, this effort did not succeed, likely due to effective filtering in current Horde versions. The specific vulnerability remains unidentified but appears to have been resolved.<\/p>\n<p>&#8211; <strong>Zimbra \u2013 CVE-2024-27443<\/strong>: An XSS vulnerability in Zimbra&#8217;s handling of calendar invites, previously unreported as actively exploited. Unsanitized input from the <code>X-Zimbra-Calendar-Intended-For<\/code> header permitted JavaScript injection into the calendar interface. 
APT28 incorporated a concealed script that decoded and executed base64 JavaScript when the invite was accessed.<\/p>\n<p>Although ESET has not detected any recent RoundPress activities in 2025, the methodology employed by these attackers remains easily adaptable to current and future exploits, particularly given the continuous emergence of new XSS vulnerabilities in widely utilized webmail products.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers are conducting an extensive cyber-espionage operation identified as &#8216;RoundPress&#8217;, utilizing both zero-day and n-day vulnerabilities present in webmail servers&#8230;<\/p>\n","protected":false},"author":1,"featured_media":1096,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[330,77,329],"class_list":["post-1095","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-javascript","tag-phishing","tag-webmail"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Government Webmail Compromised Through XSS Vulnerabilities in Coordinated Global Espionage Operation - Trustcrypt<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustcrypt.com\/ar\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/\" \/>\n<meta property=\"og:locale\" content=\"ar_AR\" \/>\n<meta property=\"og:locale:alternate\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Government Webmail Compromised Through XSS Vulnerabilities in Coordinated Global Espionage Operation\" \/>\n<meta property=\"og:description\" content=\"Hackers are 
conducting an extensive cyber-espionage operation identified as &#8216;RoundPress&#8217;, utilizing both zero-day and n-day vulnerabilities present in webmail servers...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/trustcrypt.com\/ar\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/\" \/>\n<meta property=\"og:site_name\" content=\"Trustcrypt\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-15T19:14:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation-1.webp\" \/>\n<meta name=\"author\" content=\"Trustscrypt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629\" \/>\n\t<meta name=\"twitter:data1\" content=\"Trustscrypt\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 \u062f\u0642\u0627\u0626\u0642\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/\",\"url\":\"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/\",\"name\":\"Government Webmail Compromised Through XSS Vulnerabilities in Coordinated Global Espionage 
Operation\",\"isPartOf\":{\"@id\":\"https:\/\/trustcrypt.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation.webp\",\"datePublished\":\"2025-05-15T19:14:39+00:00\",\"author\":{\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f\"},\"inLanguage\":\"ar\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"ar\",\"@id\":\"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/#primaryimage\",\"url\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation.webp\",\"contentUrl\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation.webp\",\"width\":1792,\"height\":1024,\"caption\":\"Government Webmail Compromised Through XSS Vulnerabilities in Coordinated Global Espionage Operation\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/trustcrypt.com\/#website\",\"url\":\"https:\/\/trustcrypt.com\/\",\"name\":\"Trustcrypt\",\"description\":\"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 
\u0627\u0644\u062b\u0627\u0646\u064a\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/trustcrypt.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"ar\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f\",\"name\":\"Trustscrypt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"ar\",\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g\",\"caption\":\"Trustscrypt\"},\"sameAs\":[\"http:\/\/trustcrypt.com\"],\"url\":\"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Government Webmail Compromised Through XSS Vulnerabilities in Coordinated Global Espionage Operation - Trustcrypt","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustcrypt.com\/ar\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/","og_locale":"ar_AR","og_type":"article","og_title":"[:en]Government Webmail Compromised Through XSS Vulnerabilities in Coordinated Global Espionage Operation[:] - Trustcrypt","og_description":"Hackers are conducting an extensive cyber-espionage operation identified as &#8216;RoundPress&#8217;, utilizing both zero-day and n-day vulnerabilities present in webmail servers...","og_url":"https:\/\/trustcrypt.com\/ar\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/","og_site_name":"Trustcrypt","article_published_time":"2025-05-15T19:14:39+00:00","og_image":[{"url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation-1.webp","type":"","width":"","height":""}],"author":"Trustscrypt","twitter_card":"summary_large_image","twitter_misc":{"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629":"Trustscrypt","\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631":"3 \u062f\u0642\u0627\u0626\u0642"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/","url":"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/","name":"Government Webmail Compromised Through XSS Vulnerabilities 
in Coordinated Global Espionage Operation","isPartOf":{"@id":"https:\/\/trustcrypt.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/#primaryimage"},"image":{"@id":"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/#primaryimage"},"thumbnailUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation.webp","datePublished":"2025-05-15T19:14:39+00:00","author":{"@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f"},"inLanguage":"ar","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/"]}]},{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation\/#primaryimage","url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation.webp","contentUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/government-webmail-compromised-through-xss-vulnerabilities-in-coordinated-global-espionage-operation.webp","width":1792,"height":1024,"caption":"Government Webmail Compromised Through XSS Vulnerabilities in Coordinated Global Espionage Operation"},{"@type":"WebSite","@id":"https:\/\/trustcrypt.com\/#website","url":"https:\/\/trustcrypt.com\/","name":"Trustcrypt","description":"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 
\u0627\u0644\u062b\u0627\u0646\u064a","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustcrypt.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ar"},{"@type":"Person","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f","name":"Trustscrypt","image":{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","caption":"Trustscrypt"},"sameAs":["http:\/\/trustcrypt.com"],"url":"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/"}]}},"_links":{"self":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/1095","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/comments?post=1095"}],"version-history":[{"count":0,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/1095\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media\/1096"}],"wp:attachment":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media?parent=1095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/categories?post=1095"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/tags?post=1095"}],"curies":[{"name":"wp","href":"h
ttps:\/\/api.w.org\/{rel}","templated":true}]}}