FancyBear Left Their Own Server Open — And Defenders Downloaded the Whole Thing
APT28 is supposed to be one of Russia's best: the GRU-linked group behind a decade of European espionage. Yet for roughly 500 days, from mid-2024 into early 2026, it ran an active C2 server with open HTTP directories, staged payloads sitting in the open, and exfiltrated data that anyone could download.
Researchers at Ctrl-Alt-Intel did exactly that.
What Was on the Server
The exposed infrastructure was tied to IP address 203.161.50[.]145, hosted on Namecheap. CERT-UA had already flagged this IP in late 2024 advisories. Hunt.io documented open directories on port 8889 between January and March 2026. Despite all of that public attention, FancyBear kept operating from the same server.
What the open directory contained:
- 2,800+ exfiltrated emails from government and military mailboxes
- 240+ credential sets, including TOTP 2FA secrets
- 140 persistent email forwarding rules silently redirecting victim inboxes to attacker-controlled ProtonMail accounts
- 11,500+ harvested contact addresses
- The full attack toolkit, including C2 source code and JavaScript payloads
The victims span Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia: regional Ukrainian prosecutors, the Romanian Air Force, Greece's National Defence General Staff. Apart from Serbia, every one of these is either a NATO member or Ukraine itself.
How the Attack Works
FancyBear's toolkit here is webmail exploitation. The payloads target Roundcube and, in a newly documented variant, SquirrelMail, both still widely deployed by government agencies that haven't migrated to modern platforms.
The JavaScript payload family ("worker.js") runs in the victim's browser once an XSS flaw in the webmail client delivers it, so it executes with the victim's logged-in session and origin. Once loaded, it:
- Identifies the logged-in user
- Steals credentials through hidden auto-fill forms
- Bulk-exfiltrates the entire Inbox and Sent folder as .eml files
- Loads modular scripts for address book theft and TOTP extraction
That last module, `keyTwoAuth.js`, is the one that should make every CISO pause. It targets the `twofactor_gauthenticator` plugin in Roundcube, pulls the TOTP seed and recovery codes directly from the 2FA settings page (the plugin displays them there to the logged-in user, which is exactly what an XSS payload can read), and exfiltrates them base64-encoded. C2 logs show hundreds of successful TOTP extractions. Not bypass attempts: successes.
Once you have the TOTP seed, you don't need to intercept one-time codes in transit. You generate them yourself, for as long as the seed stays enrolled.
A separate module, `addRedirectMailBox.js`, abuses Roundcube's ManageSieve integration to create a persistent forwarding rule. Because the rule lives server-side in the user's Sieve script rather than in the browser session, it keeps working after the initial compromise is cleaned up: every new email is silently copied to an attacker account, and the rule survives a password reset.
The Phishing Chain
Initial access came via spear-phishing with a ClickFix / fake reCAPTCHA delivery chain. The phishing links used typosquatted Google Docs domains:
```
docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz[.]com
```
This domain served John Hammond's public reCAPTCHA phishing POC, modified to deliver Metasploit payloads pointing back to 203.161.50[.]145.
What Defenders Can Do Right Now
If you're running Roundcube or SquirrelMail, treat this as an active threat, not a theoretical one:
- Audit every mailbox's Sieve script for unexpected `redirect` actions, especially `:copy` redirects to outside domains. Roundcube's managesieve plugin normally writes the user's rules to a script named `roundcube.sieve`, but check all active scripts, not just that one.
- Patch Roundcube and SquirrelMail. The payload only runs if an XSS flaw in the webmail client lets it in; the 2FA plugin is the target, not the entry point.
- Disable or remove the `twofactor_gauthenticator` plugin if you don't actively manage its security posture, and re-enrol any user whose seed may have been exposed. Rotating the password alone does not invalidate a copied seed.
- Restrict ManageSieve access where possible, and alert on rule changes that add off-domain redirects.
- Search proxy and DNS logs for `zhblz[.]com` and for connections to 203.161.50[.]145.
- Search webmail server access logs and stored message HTML for `worker.js` loads or obfuscated inline JavaScript. The payload arrives inside mail and runs in the webmail page, so server-side and mail-store artifacts are where it shows up; browser-side logs won't reliably capture it.
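The Sieve audit is the check most admins can run today. The scanner below is an added example for this article, not tooling from Hunt.io or Ctrl-Alt-Intel. It assumes Dovecot-style per-user Sieve files (`<user>/sieve/*.sieve`), a `TRUSTED_DOMAINS` set that you fill in for your own organization, and a constructed sample script shaped like the rule described above: an unconditional `:copy` redirect to an outside mailbox, next to a benign internal forward.

```python
"""Audit Sieve scripts for forwarding rules that leak mail off-domain.

Added example for this article, not tooling from Hunt.io or Ctrl-Alt-Intel.
Assumes Dovecot-style per-user Sieve files; TRUSTED_DOMAINS and the glob
pattern are assumptions to adapt to your mail store.
"""
import re
from pathlib import Path

# Domains that are acceptable forwarding targets (assumed; edit for your org).
TRUSTED_DOMAINS = {"example.gov"}

# Matches `redirect "addr"` and `redirect :copy "addr"` (RFC 5228 / RFC 3894).
REDIRECT_RE = re.compile(
    r'\bredirect\b\s*(?P<flags>(?::\w+\s*)*)"(?P<addr>[^"]+)"', re.IGNORECASE
)


def strip_comments(script: str) -> str:
    """Blank out Sieve comments (#... and /*...*/) while keeping line numbering."""
    no_block = re.sub(
        r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), script, flags=re.S
    )
    return "\n".join(line.split("#", 1)[0] for line in no_block.split("\n"))


def find_redirects(script: str) -> list[dict]:
    """Return every redirect action in a script, flagged if the target is off-domain."""
    findings = []
    for lineno, line in enumerate(strip_comments(script).split("\n"), 1):
        for m in REDIRECT_RE.finditer(line):
            addr = m.group("addr").strip()
            domain = addr.rsplit("@", 1)[-1].lower()
            findings.append({
                "line": lineno,
                "address": addr,
                "domain": domain,
                "copy": ":copy" in m.group("flags").lower(),
                "external": domain not in TRUSTED_DOMAINS,
            })
    return findings


def scan_mail_store(root: str, pattern: str = "*/sieve/*.sieve") -> dict[str, list[dict]]:
    """Walk a mail store and report only the scripts containing external redirects."""
    hits = {}
    for path in Path(root).glob(pattern):
        external = [f for f in find_redirects(path.read_text(errors="replace")) if f["external"]]
        if external:
            hits[str(path)] = external
    return hits


# Constructed sample script (not a real capture): an unconditional :copy
# redirect to an outside mailbox, plus a benign internal forward.
SAMPLE_SCRIPT = """require ["copy"];
/* user rules managed by webmail */
if true {
    redirect :copy "archive-backup@protonmail.com";   # copies everything out
}
if header :contains "subject" "ticket" {
    redirect "helpdesk@example.gov";
}
"""

if __name__ == "__main__":
    for f in find_redirects(SAMPLE_SCRIPT):
        flag = "EXTERNAL" if f["external"] else "ok"
        action = "redirect :copy" if f["copy"] else "redirect"
        print(f"line {f['line']}: {action} -> {f['address']} [{flag}]")
```

Run `scan_mail_store("/var/vmail")` (or wherever your Sieve scripts live) from a cron job and alert on any non-empty result; a `:copy` redirect with no enclosing condition is the pattern to treat as hostile until a user confirms it.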
On TOTP and 2FA assumptions: This campaign is a reminder that 2FA is not a guarantee. TOTP seeds are stored somewhere, often in a plugin, a database, or a QR code backup. If an attacker gets persistent access to the authentication configuration of the account, they own the second factor too. Hardware keys (FIDO2/WebAuthn) don't have this problem: the private key never leaves the authenticator and each assertion is bound to the site's origin, so there is no shared secret on the server to steal. TOTP does.
On threat actor "sophistication": APT28 kept using this server for more than a year after CERT-UA publicly burned the IP. That's not sophistication; that's institutional inertia. Large threat groups reuse infrastructure because rotating it is operationally costly. Don't assume a burned IOC is a dead IOC. Keep hunting on known indicators even months after initial disclosure.
IOCs
- C2 IP: 203.161.50[.]145
- Phishing domain: zhblz[.]com
- Malicious modules: `worker.js`, `keyTwoAuth.js`, `addRedirectMailBox.js`
*CybrPulse tracked this story across CERT-UA, Hunt.io, and Ctrl-Alt-Intel reporting. The full toolkit analysis is available in Hunt.io's Operation Roundish documentation.*