Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine
ID: 232b5423-73f3-53c7-9706-333bd22d0753
STIX ID: report--232b5423-73f3-53c7-9706-333bd22d0753
Feed Name: Hunt.io Blog
Operation Roundish: Hunt.io discovered an exposed open directory on 203.161.50.145 containing a 52 MB Roundcube exploitation toolkit linked to APT28. The toolkit enables hidden-autofill credential harvesting, persistent Sieve mail forwarding to [email protected], bulk mailbox and address-book exfiltration, TOTP extraction, a CSS side-channel extractor, browser credential theft (Chrome/Firefox), and a Go-based Linux implant (httd). Infrastructure and operator artifacts indicate targeting of mail.dmsu.gov.ua and other compromised hosts (zhblz.com, a.zhblz.com, 130.61.233.105, blog.pentagonteam.com); the report provides actionable IOCs and detection recommendations.
