FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops
ID: a8e4867b-2236-5c4b-a9e1-7dd92e006c18
STIX ID: report--a8e4867b-2236-5c4b-a9e1-7dd92e006c18
Feed Name: Ctrl-Alt-Int3l
Ctrl-Alt-Intel analyzed an exposed open-directory tied to FancyBear/APT28 that revealed C2 source code, XSS payloads targeting Roundcube and SquirrelMail, modular JS for credential/TOTP/address-book theft, and server telemetry showing large-scale exfiltration and persistent access. The campaign compromised government and military email accounts across Ukraine and several Balkan/Eastern European states (including NATO-related addresses), stole credentials and TOTP secrets, exfiltrated mail and address books, and created persistent Sieve forwarding rules—demonstrating a high-impact nation-state espionage operation with extensive IOCs and detailed TTPs.
