Mallory | Malware | Used by 2 actors | Exploits 6 CVEs

SpyPress

SpyPress is an obfuscated JavaScript payload used in Operation RoundPress, a Russia-linked webmail espionage campaign that ESET attributed with medium confidence to APT28 (Fancy Bear/Sednit/GRU Unit 26165). It is delivered in crafted emails that exploit cross-site scripting (XSS) vulnerabilities in webmail platforms, with one variant per platform: Roundcube, Horde, MDaemon and Zimbra. Exploitation needs nothing from the victim beyond opening the email in a vulnerable webmail portal; the payload then runs in the browser context of the already-authenticated session, so it can act on the mailbox without knowing the victim's password.

Documented capabilities are theft of webmail credentials, harvesting of email messages and contact information, and exfiltration of the stolen data via HTTP POST to a hard-coded command-and-control server. Some variants also captured login history and two-factor authentication codes. Roundcube-specific variants could create Sieve forwarding rules that send copies of incoming mail to an attacker-controlled address, and MDaemon-focused variants could create an application password so the operator keeps mailbox access after the session ends.

SpyPress generally had no standalone persistence mechanism: it executes again whenever the booby-trapped email is reopened, and the Sieve rule or application password is what gives the operator durable access once it has run. For response this means that deleting the message and auditing filter rules and application passwords is what closes the access; a password reset alone does not remove a Sieve rule the payload created.

Reported targeting focused primarily on governmental entities and defense companies, especially in Eastern Europe and Ukraine, with additional targets in Europe, Africa, and South America. Supporting reporting also notes strong TTP overlap between SpyPress and the later Roundish toolkit, including webmail credential theft, mailbox exfiltration, contact theft, Sieve-rule persistence, and 2FA-related collection.


Exploited CVEs

6 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE-2024-11182: XSS in MDaemon Email Server Webmail (exploited in the wild)
Evidence: "Assigned the CVE identifier CVE-2024-11182 (CVSS score: 5.3), it was patched in version 24.5.1 last November." Successful exploitation leads to the execution of an obfuscated JavaScript payload named SpyPress that comes with the ability to steal webmail credentials and harvest email messages and contact information from the victim's mailbox.
Source: The Hacker News (thehackernews.com)

CVE-2023-43770: XSS in Roundcube text/plain message link handling (exploited in the wild)
Evidence: "It's worth noting that CVE-2023-43770 was added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog in February 2024."
Source: The Hacker News (thehackernews.com)

CVE-2024-27443: Stored XSS in Zimbra Collaboration CalendarInvite, classic webmail (exploited in the wild)
Evidence: "...Roundcube (CVE-2023-43770), and Zimbra (CVE-2024-27443) leveraged security defects already known and patched..."
Source: The Hacker News (thehackernews.com)

CVE-2020-12641: Command injection in Roundcube rcube_image.php
CVE-2020-35730: Stored XSS in Roundcube Webmail (linkref_addindex)
CVE-2021-44026: SQL injection in Roundcube search/search_params
Evidence for these three rows is the same generic The Hacker News sentence quoted for CVE-2024-11182; the source gives no per-CVE detail.
Source: The Hacker News (thehackernews.com)

Caveat: CVE-2020-12641 and CVE-2021-44026 are a command injection and a SQL injection, not XSS, while the description above ties SpyPress delivery to XSS. Treat those two as Roundcube exploitation correlated with the family rather than as confirmed SpyPress delivery vectors unless a source states the chain. All six are patched in current releases; the practical check is the webmail version in production, and for MDaemon specifically whether it is at 24.5.1 or later.
Threat actors

2 distinct threat actors attributed by public researchers.

APT28
"The payload family is tracked as SpyPress, with one variant per webmail platform (Roundcube, Horde, MDaemon, Zimbra)."
Source: Sekoia blog (blog.sekoia.io)

APT29
"We identified 14 TTP overlaps between the Roundish toolkit and ESET's documented Operation RoundPress campaign... Its presence in both SpyPress and Roundish strongly suggests a shared developer or development playbook."
Source: hunt.io blog (hunt.io)
Caveat: this excerpt links Roundish to RoundPress by TTP overlap and does not itself name APT29, and RoundPress is attributed to APT28 above. Read the full hunt.io post before treating APT29 as a confirmed operator of SpyPress.
MITRE ATT&CK

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance (1 technique)

T1595 Active Scanning (evidence: 1)
"The operator's bash history shows direct reconnaissance with curl mail.dmsu.gov.ua" and "RustScan was used for port scanning reconnaissance."

Initial Access (2 techniques)

T1190 Exploit Public-Facing Application (evidence: 1)
A spear-phishing email triggers a cross-site scripting vulnerability in the victim's webmail client. JavaScript runs in the context of the mailbox and exfiltrates contents to attacker infrastructure.

T1566 Phishing (evidence: 1)
"Spear phishing campaigns or the SedKit exploit kit delivered the Seduploader first stage." This evidence concerns APT28's earlier tooling (Seduploader) rather than SpyPress; for SpyPress the phishing element is the spear-phishing email that carries the XSS trigger.

Execution (1 technique)

T1059.007 JavaScript (evidence: 1)
Operation RoundPress - Webmail XSS ... Weaponized XSS flaws in widely-deployed webmail platforms to inject SpyPress and silently exfiltrate inboxes, contacts, and credentials.

Exfiltration (2 techniques)

T1041 Exfiltration Over C2 Channel (evidence: 1)
"X-Tunnel for exfiltration." X-Tunnel is APT28's broader tunneling tool, not part of SpyPress; the family's own documented behavior, HTTP POST of the stolen data to a hard-coded C2 server, is the direct match for this technique.

T1567 Exfiltration Over Web Service (evidence: 1)
Stolen credentials are exfiltrated to free HTTP webhook services such as Pipedream and Webhook, used as disposable collection endpoints.

Recent activity

4 sources tracked across advisories, community write-ups, and news.
