APT28 Reuses Old Access and Roundcube Exploits Against Ukrainian Institutions
Ukrainian officials warned that Russia-linked hackers are revisiting earlier compromises to regain access to government and defense networks, testing whether old footholds, unpatched vulnerabilities, and previously stolen credentials still work. CERT-UA said the activity reflects a broader shift from smash-and-grab credential theft toward persistent access, with initial intrusion methods also evolving beyond phishing to more tailored social engineering, including phone calls and video chats in fluent Ukrainian before malicious files are delivered through messaging apps. Agencies tied the activity to groups including APT28 and Void Blizzard, with the security and defense sector remaining the top target because disruptions there could affect the war effort.
Ukraine also confirmed a long-running cyber-espionage campaign, tracked since 2023 and attributed by Western researchers to APT28 (Fancy Bear, BlueDelta, Forest Blizzard), that targeted prosecutors, anti-corruption bodies, and other local government entities through Roundcube webmail vulnerabilities enabling code execution when a victim opened an email. Reuters reported that more than 170 email accounts belonging to prosecutors and investigators were compromised in recent months, and CERT-UA identified three waves of related attacks. Officials said some allegedly stolen material was later published online, though reviews indicated the leaks likely did not include confidential data, and warned the operation could still be used to fuel disinformation aimed at eroding trust in Ukrainian institutions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Ukraine confirms suspected APT28 campaign targeting prosecutors
Ukrainian officials publicly confirmed the long-running campaign targeting prosecutors, anti-corruption bodies, and other agencies, and said affected organizations were reviewing possible impact. The activity was described as likely useful for future Russian disinformation efforts, while some organizations said they had not found evidence of internal-system compromise or data theft.
Three waves of Roundcube attacks hit Ukrainian prosecutors and agencies
CERT-UA identified three waves of attacks exploiting Roundcube webmail flaws to execute malicious code when victims opened emails. Reuters reported that more than 170 email accounts belonging to Ukrainian prosecutors and investigators were compromised in recent months.
Ukraine warns Russia is revisiting old breaches for new attacks
CERT-UA warned that Russian hackers were attempting to regain access to systems they had previously compromised by testing whether old footholds, unpatched vulnerabilities, and stolen credentials still worked. The agency said groups including APT28 and Void Blizzard had used these methods against Ukraine's armed forces and government institutions.
Some allegedly stolen information is published online
Ukrainian officials said material allegedly stolen in the campaign was published online in March. They assessed that the leaked information likely did not include confidential data, but warned it could be used for disinformation purposes.
CERT-UA observes fewer cyber incidents in second half of 2025
Ukraine's CERT-UA reported a decline in the total number of cyber incidents during the second half of 2025. Despite the drop, the security and defense sector remained the primary target because compromises there could affect the war effort.
Russian hackers shift toward maintaining persistent access in Ukraine
CERT-UA said that during 2025, Russian intrusion activity increasingly focused on preserving and reusing access from earlier compromises rather than only stealing credentials quickly. The agency also observed initial access tactics evolving from traditional phishing to social engineering via phone calls, video chats, and malicious files sent through messaging apps.
CERT-UA links APT28 to Roundcube exploits in espionage campaign
CERT-UA published an alert describing an espionage campaign in which APT28 used three Roundcube vulnerabilities—CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641. The disclosure provided early technical attribution and exploit details for activity targeting Ukrainian entities.
Ukraine begins tracking espionage campaign against prosecutors and agencies
Ukrainian officials said they have been tracking a cyber-espionage campaign targeting local government and law-enforcement-related entities since 2023. The activity was later linked by Western researchers to exploitation of Roundcube webmail vulnerabilities.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Ukraine confirms suspected APT28 campaign targeting prosecutors, anti-corruption agencies | The Record from Recorded Future News
therecord.media
Open sourceUkraine warns Russian hackers are revisiting past breaches to prepare new attacks | The Record from Recorded Future News
therecord.media
Open sourceAPT28 group used three Roundcube exploits (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) during another espionage campaign (CERT-UA#6805)
csirt.csi.cip.gov.ua
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
APT28 Exploits Zimbra XSS Flaw to Breach Ukrainian Government Webmail
**APT28**, the Russia-linked threat group associated with the GRU, used a phishing campaign dubbed *Operation GhostMail* to target Ukrainian government entities by exploiting **Zimbra Collaboration Suite** vulnerability `CVE-2025-66376`. The campaign targeted the **State Hydrographic Service of Ukraine**, a critical infrastructure body supporting maritime navigation and hydrographic operations. The attack used a single email written in Ukrainian and disguised as a routine internship inquiry; instead of relying on attachments or links, the malicious payload was embedded directly in the HTML body and executed when opened in a vulnerable Zimbra webmail session. Researchers said the stored XSS flaw allowed attackers to run obfuscated JavaScript in the victim’s browser, enabling theft of login credentials, session tokens, backup two-factor authentication codes, browser-stored passwords, and up to 90 days of mailbox data. Reporting also notes the flaw was patched in November and later added by **CISA** to its **Known Exploited Vulnerabilities** catalog, with U.S. federal civilian agencies ordered to remediate within two weeks under `BOD 22-01`. The operation stood out for abusing a trusted webmail environment to hijack authenticated sessions without deploying traditional malware, helping the intrusion evade many standard phishing and endpoint defenses.
Mar 21, 2026
APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets
Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, **CVE-2026-21509** (a security feature bypass), attributed to Russia-linked **UAC-0001 / APT28 (Fancy Bear)** and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled `Consultation_Topics_Ukraine(Final).doc` appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance. CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The attack chain described includes opening a malicious DOC that triggers a **WebDAV** connection to attacker infrastructure, downloads a shortcut (`.lnk`) used to stage additional payloads, and deploys components including a DLL masquerading as a legitimate Windows component (e.g., `EhStoreShell.dll`) with shellcode hidden in a decoy file (e.g., `SplashScreen.png`), alongside persistence techniques such as **COM hijacking** (registry modification) and scheduled task creation.
Apr 29, 2026
APT28-Linked Phishing Campaign Deploys BadPaw Loader and MeowMeow Backdoor Against Ukraine
ClearSky reported a suspected Russian espionage campaign targeting Ukrainian entities using phishing emails that deliver two previously undocumented malware families: the **BadPaw** loader and the **MeowMeow** backdoor. The infection chain begins with a lure email (sent from `ukr[.]net` to appear credible) containing a link that first loads an unusually small image functioning as a tracking pixel to confirm user interaction, then redirects victims to download a ZIP archive. When opened, the archive launches an HTA that displays a Ukrainian-language decoy document about border-crossing appeals while executing background stages that deploy the .NET-based BadPaw loader, which then retrieves and installs the MeowMeow backdoor from a remote server; the HTA also performs sandbox/analysis-evasion checks. The activity was attributed with **moderate confidence** to **APT28** based on targeting, geopolitical lures, and technique overlaps with prior Russian operations. Separate reporting also noted CERT-UA warnings about other phishing-driven malware activity against Ukrainian government institutions (including **SHADOWSNIFF**, **SALATSTEALER**, and a Go backdoor **DEAFTICKK** attributed to **UAC-0252**), but that campaign is distinct from the BadPaw/MeowMeow intrusion chain and should not be conflated with the APT28-linked activity.
Mar 21, 2026