Operation RoundPress targeting high-value webmail servers
Essential information
- Published
- 18/05/2025 05:59
- Modified
- 21/05/2025 21:50
- Tags
- 2025-05-15 2025-05-18 CVE-2023-43770 CVE-2024-11182 CVE-2024-27443 credential-theft data exfiltration eastern europe espionage russia spearphishing spypress.horde spypress.mdaemon spypress.roundcube spypress.zimbra webmail xss zero-day
- Related entities
- 4 vulnerabilities (cve), 16 observables, 1 intrusion sets (apt), 4 malware, 13 others
Description
ESET researchers have uncovered a Russia-aligned espionage operation named RoundPress, targeting high-value webmail servers through XSS vulnerabilities. The campaign, attributed to the Sednit group, aims to steal confidential data from specific email accounts. Initially focused on Roundcube in 2023, the operation expanded to include Horde, MDaemon, and Zimbra in 2024. The attackers exploit various vulnerabilities, including a zero-day in MDaemon, to inject malicious JavaScript code into victims' webmail pages. Targets include governmental entities and defense companies in Eastern Europe, with some victims in Africa, Europe, and South America. The malware, known as SpyPress, can steal webmail credentials, exfiltrate contacts and email messages, and in some cases, bypass two-factor authentication.