Sednit Cyber Campaign Hits Ukraine, Europe via XSS Attacks

IMAGE CREDITS: SECURITY WEEK

As the war in Ukraine drags into its fourth year, Russian cyber operations continue to evolve. Security researchers at ESET have uncovered a sophisticated new espionage campaign dubbed Operation RoundPress, attributed to Sednit, a Russian state-aligned APT group also known as APT28 or Fancy Bear.

This latest campaign doesn’t rely on typical endpoint attacks or cloud compromises. Instead, it exploits cross-site scripting (XSS) vulnerabilities in popular webmail platforms to infiltrate high-value targets, including Ukrainian government organizations, defense companies in Bulgaria and Romania, and even government entities in Africa, South America, and the EU.

ESET researchers linked the campaign to Sednit with medium confidence, noting its stealthy focus on webmail systems over traditional infrastructure. Sednit has previously been tied to Russia’s GRU and gained global attention for its role in the 2016 Democratic National Committee hack.

How the Operation RoundPress Sednit Cyber Campaign Works

Operation RoundPress primarily targets vulnerable webmail platforms using XSS exploits. ESET tracked the activity back to 2023, with initial attacks leveraging Roundcube vulnerability CVE-2020-35730. The group later expanded its arsenal to include newer vulnerabilities in Roundcube (CVE-2023-43770), MDaemon (CVE-2024-11182), Zimbra (CVE-2024-27443), and even an unpatched flaw in Horde.

Attackers use spear-phishing emails disguised as newsletters—some even impersonate Ukrainian media outlets like Kyiv Post. These emails contain hidden JavaScript payloads embedded in the HTML. Once the email is opened in a vulnerable webmail client, the script runs inside the victim’s browser, granting the attackers access to emails, login credentials, contact lists, and any attachments stored in the inbox.
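
The mechanism described above works because a webmail client renders attacker-controlled HTML inside the user's own browser session, so the defensive control is the sanitizer that runs over an email body before it is rendered. The example below is added here as an illustration and is not code from ESET, from the article, or from any of the webmail products named; it is a minimal allowlist sanitizer built on Python's standard `html.parser` that rebuilds the body from permitted tags and attributes, strips `<script>` and similar elements with their content, removes `on*` event handlers, rejects `javascript:` and other unsafe URL schemes (including ones disguised with entities or embedded whitespace), and records every removal so a mail gateway can log or alert on it. The tag and attribute allowlists, the scheme list, and the sample newsletter are constructed assumptions for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist (assumed for this example): anything not named here is dropped.
ALLOWED_TAGS = {
    "p", "br", "a", "b", "i", "u", "strong", "em", "ul", "ol", "li", "div", "span",
    "table", "thead", "tbody", "tr", "td", "th", "img", "h1", "h2", "h3", "blockquote",
}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
# Elements whose *content* is dangerous too: the whole subtree is discarded.
CONTENT_DROPPED = {"script", "style", "iframe", "object", "svg", "template", "noscript"}
VOID_TAGS = {"br", "img"}
# Only these schemes survive in href/src (assumed policy); javascript:, data:,
# vbscript: and relative URLs are all rejected.
SAFE_SCHEME = re.compile(r"^(https?:|mailto:|cid:)", re.IGNORECASE)
# Control characters and whitespace that browsers ignore inside a scheme and
# that are commonly used to disguise "javascript:".
_SCHEME_NOISE = re.compile(r"[\x00-\x20\x7f]")


def url_is_safe(value: str) -> bool:
    """True only if the URL, with scheme-obfuscation noise removed, uses an allowed scheme."""
    return bool(SAFE_SCHEME.match(_SCHEME_NOISE.sub("", value)))


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds an HTML email body from the allowlist and records everything removed."""

    def __init__(self) -> None:
        # convert_charrefs=True: entity-encoded text reaches us decoded, and HTMLParser
        # always decodes attribute values, so "jav&#x61;script:" is seen as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.findings: list[str] = []
        self._skip_depth = 0  # > 0 while inside a CONTENT_DROPPED element

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag in CONTENT_DROPPED:
            self.findings.append(f"removed <{tag}> and its content")
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            # Unknown wrapper: drop the tag, keep its text (void tags like <embed> vanish).
            self.findings.append(f"removed disallowed tag <{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value if value is not None else ""
            if name.startswith("on"):
                self.findings.append(f"removed event handler {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"removed attribute {name} on <{tag}>")
            elif name in ("href", "src") and not url_is_safe(value):
                self.findings.append(f"removed unsafe {name} on <{tag}>: {value[:40]!r}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in CONTENT_DROPPED:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        # Text is re-escaped on output, so decoded entities cannot become markup.
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data: str) -> None:
        pass  # HTML comments (a classic place to hide markup) are dropped silently


def sanitize_email_html(raw: str) -> tuple[str, list[str]]:
    """Return (sanitized_html, findings) for one message body."""
    parser = EmailHtmlSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample: a "newsletter" carrying the kinds of payload the text describes.
SAMPLE_NEWSLETTER = (
    "<div><h2>Weekly digest</h2>"
    '<p>Read the full story <a href="https://example.invalid/story">here</a>.</p>'
    '<img src="cid:logo" alt="logo" onerror="alert(1)">'
    '<a href="jav&#x61;script:alert(1)">Unsubscribe</a>'
    "<script>alert(1)</script>"
    '<p style="display:none">tracking</p></div>'
)

if __name__ == "__main__":
    body, findings = sanitize_email_html(SAMPLE_NEWSLETTER)
    print(body)
    for f in findings:
        print("finding:", f)
```

The findings list is the useful part for operations: a gateway that sees `removed <script>` or `removed unsafe href` on inbound mail has a concrete signal to alert on, independent of whether the downstream webmail client is patched.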

ESET’s Matthieu Faou, who led the investigation, emphasized that while the attack is confined to the browser tab and doesn’t compromise the full system, the damage can be significant. “Email accounts often contain sensitive, strategic information. And once the email is opened, the victim can’t really avoid the attack—it executes immediately,” Faou said.

Patches are now available for all the exploited vulnerabilities, including the MDaemon zero-day, which was patched in November 2024. ESET urges organizations to apply updates immediately, especially if they use any of the affected webmail platforms.

Russia Shifts Toward Espionage in Cyber Warfare

According to ESET’s latest APT Activity Report (covering October 2024 to March 2025), Operation RoundPress highlights a broader trend: Russia’s pivot from destructive attacks to strategic cyber espionage. While early in the war Moscow-backed groups like Sandworm conducted highly disruptive campaigns against Ukrainian infrastructure, recent activity has shifted toward intelligence gathering.

Faou notes that groups like Gamaredon now dominate the threat landscape in Ukraine with persistent, high-volume espionage attacks against government targets. Yet destructive capabilities haven’t disappeared. Sandworm was still observed targeting Ukrainian energy firms in late 2024.

Tony Adams, senior researcher at Sophos, suggests this evolution is partly due to Ukraine’s improved cyber defenses, but warns against complacency. “Russia is playing a long game,” he said. “These groups are likely establishing long-term access in critical systems for use in future operations.”
