Kremlin-linked hackers target webmail servers of Eastern European government agencies
The Russia-linked hacking group APT28 exploited cross-site scripting (XSS) vulnerabilities to attack the webmail servers of Eastern European governments and defense companies; targets included government agencies and businesses in Ukraine, Bulgaria and Romania. The attacks hid malicious code in phishing emails to steal login credentials and gain access to email communications. Some of the targeted companies supply Soviet-era weapons to Ukraine. Other hacking groups have also attacked similar webmail services. 2025-5-15 14:15:44 Author: therecord.media

The Russia-linked hacking group APT28 was recently observed exploiting cross-site scripting (XSS) vulnerabilities to target webmail servers used by state entities and defense companies in Eastern Europe, according to a new report.

The group, also tracked as Fancy Bear and BlueDelta, mainly targeted entities in Ukraine, Bulgaria and Romania, but governments in Africa, South America and other parts of Europe were also affected, Slovak-based cybersecurity firm ESET said in a report published Thursday.

The campaign typically involved a phishing email that contained news excerpts or links to articles — in one case, a Ukrainian target received an email referencing the Kyiv Post, a well-known newspaper in the country. Malicious code triggering an XSS vulnerability was hidden inside the message’s body, and was not directly visible to the user, the researchers said.

The payloads loaded by the XSS vulnerabilities allowed attackers to steal login credentials, exfiltrate contacts and access email communications from the victim's inbox. Some of the defense companies targeted produce Soviet-era weapons for Ukraine amid its ongoing conflict with Russia. APT28 has been operating since at least 2004 and is believed to be tied to Russia’s military intelligence agency (GRU).
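As an added illustration (not code from the article or from ESET's report) of the control that an unpatched webmail server fails to apply: a small sanitizer for HTML mail bodies that drops script-bearing elements, event-handler attributes and unsafe URL schemes before rendering, and records what it removed so the mail can be flagged. The sample body and all names are constructed for this example.

```python
import html
from html.parser import HTMLParser

DANGEROUS_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math", "form"}  # active content
URL_ATTRS = {"href", "src", "action", "formaction", "background"}  # values must be safe URLs

def _safe_url(value: str) -> bool:
    # Strip whitespace/control characters first so "java\tscript:" cannot slip past the check.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    scheme, sep, _ = cleaned.partition(":")
    return (not sep) or scheme in {"http", "https", "mailto"}  # relative URLs carry no scheme

class MailBodySanitizer(HTMLParser):
    # Rebuilds the body tag by tag; anything that could run script is dropped and recorded.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self._skip = [], [], 0  # _skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"dropped <{tag}> element")
            self._skip += 1
        if self._skip:
            return
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases names and decodes entities for us
            value = value or ""
            if name.startswith("on") or name == "style":
                self.findings.append(f"dropped {name} attribute on <{tag}>")
            elif name in URL_ATTRS and not _safe_url(value):
                self.findings.append(f"dropped unsafe {name} on <{tag}>")
            else:
                kept.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DANGEROUS_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):  # script/style bodies arrive here and are skipped with their element
        if not self._skip:
            self.out.append(html.escape(data, quote=False))
    # Comments, doctypes and processing instructions hit HTMLParser's no-op defaults and are dropped.

def sanitize_mail_html(body: str) -> tuple[str, list[str]]:
    # Returns (sanitized HTML, findings worth logging as a phishing/XSS signal).
    p = MailBodySanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.findings

# Constructed sample resembling the news lure described above; the payloads are harmless placeholders.
SAMPLE_BODY = ('<p>Read the latest: <a href="https://example.com/news/1">Kyiv Post story</a></p>'
               '<img src="x" onerror="alert(1)"><a href="javascript:alert(1)">more</a><script>alert(1)</script>')
```

Running `sanitize_mail_html(SAMPLE_BODY)` keeps the news link and image but strips the event handler, the `javascript:` link and the script element, returning three findings a mail gateway could alert on.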

Over the past two years, webmail services like Roundcube and Zimbra have been heavily targeted by multiple espionage groups, including APT28, GreenCube and Winter Vivern. 

In 2023, Winter Vivern — a state-sponsored hacker group previously implicated in cyberattacks on the governments of Poland, Ukraine and India — exploited a zero-day vulnerability in Roundcube webmail software used by governments across Europe.

That same year, APT28 targeted the Ukrainian government and a company involved in military aviation through three different vulnerabilities in Roundcube’s service. The campaign used news about Russia’s invasion of Ukraine to entice victims into opening malicious emails.

“Because many organizations don’t keep their webmail servers up to date and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft,” ESET researchers said.



Source: https://therecord.media/kremlin-linked-hackers-target-webmail-eastern-europe-governments