Operation RoundPress: APT28 Exploits Webmail XSS Flaws to Target Government Entities
ESET has uncovered a cyber espionage campaign, Operation RoundPress, attributed with medium confidence to APT28—a Russia-linked threat actor known for targeting governments and defense sectors. Since 2023, the operation has focused on exploiting cross-site scripting (XSS) vulnerabilities in webmail platforms, including Roundcube, Horde, MDaemon, and Zimbra. The campaign has targeted government and defense organizations in Eastern Europe, including Ukraine, Bulgaria, and Romania, as well as in other countries across Africa, Europe, and South America. The attackers aim to steal email credentials and access sensitive communications by embedding malicious JavaScript in spear-phishing emails; the script executes within the victim’s browser if the email is opened in a vulnerable webmail interface. These exploits include both patched vulnerabilities—CVE-2023-43770 in Roundcube and CVE-2024-27443 in Zimbra—and a zero-day in MDaemon (CVE-2024-11182), which was patched in November 2024. The attack relies on users opening emails that appear benign, while the HTML body of the message carries the actual XSS payload. When triggered, the JavaScript loads a script called SpyPress, which captures email credentials, contact lists, and message content. The payload does not establish persistence but runs every time the infected email is opened, allowing repeated access to the victim’s mailbox. The campaign shows continued interest by Russian intelligence-aligned groups in webmail exploitation as a means of gaining access to government communications, particularly among countries supporting Ukraine. Infrastructure overlap, reused email delivery methods, and coding similarities link these activities to known APT28 operations. Organizations using outdated or unpatched webmail solutions remain vulnerable to low-interaction, high-impact espionage campaigns as this threat actor adapts its methods.
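Because the XSS payload rides in the HTML body of the message, a mail gateway can flag such bodies before a vulnerable webmail client renders them. The following is an added example, not code from ESET or the original article; the sample emails are constructed for the demo.

```python
# Added example (not from ESET's report or the original article): a mail-gateway
# style check that flags active content in an HTML email body, the delivery
# vector Operation RoundPress relies on. A webmail XSS bug lets such content run
# in the reader's browser, so a body that needs script, event handlers or
# javascript: URIs to render is itself the signal, whatever the payload does.
from html.parser import HTMLParser

class ActiveContentFinder(HTMLParser):
    """Collects constructs that a benign notification email never needs."""
    DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg", "meta", "base"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.DANGEROUS_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            name = name.lower()
            # on* attributes (onload, onerror, ...) are inline event handlers
            if name.startswith("on"):
                self.findings.append(f"handler:{tag}@{name}")
            elif value and name in ("href", "src", "action", "formaction"):
                # strip whitespace and lower-case so a split-up scheme still matches
                compact = "".join(value.split()).lower()
                if compact.startswith(("javascript:", "vbscript:", "data:text/html")):
                    self.findings.append(f"uri:{tag}@{name}")

def scan_html_body(body: str) -> list:
    """Return findings for one HTML body; an empty list means no active content."""
    finder = ActiveContentFinder()
    finder.feed(body)
    finder.close()
    return finder.findings

# Constructed samples: a plain notification and one carrying an event handler
# plus a javascript: link whose scheme is broken up with a newline.
BENIGN = ('<p>Hello,</p><p>Your ticket <a href="https://helpdesk.example/t/42">'
          '#42</a> was updated.</p>')
SUSPECT = ('<p>Hello,</p><img src="x" onerror="alert(1)">'
           '<a href="java\nscript:void(0)">link</a>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_html_body(body))
```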
DarkCloud Stealer Resurfaces with AutoIt-Based Payloads and Targeted Data Theft
Unit 42 researchers at Palo Alto Networks have observed a resurgence of DarkCloud Stealer in early 2025, with updated variants leveraging AutoIt scripts and layered payloads to enhance evasion and expand data theft capabilities. The malware is distributed via phishing emails containing deceptive RAR archives or PDF files that redirect users to download malicious content hosted on file-sharing platforms. Inside the archive is an AutoIt-compiled PE file that functions as the initial dropper, executing encrypted and XOR-obfuscated shellcode to bypass static detection. DarkCloud’s infection chain uses Windows API calls like VirtualProtect() and CallWindowProc() to load and execute the final payload in memory. These techniques, combined with obfuscation and anti-analysis checks, indicate a high degree of sophistication aimed at delaying detection and analysis. Once active, DarkCloud harvests browser-stored credentials, email account data, FTP and SMTP credentials, and credit card details from affected systems. It targets Chrome, Gecko-based browsers, and desktop email clients, while maintaining persistence through the Windows RunOnce registry key. The malware includes checks for security tools like Wireshark and WinDbg, avoiding execution if such tools are detected, and relies on public IP geolocation services to inform its command-and-control behavior. Recent attacks have primarily focused on government, financial, and high-tech sectors across the United States, Brazil, and Peru. Analysts noted a spike in activity through late January and early February 2025, signaling active and ongoing campaigns. Palo Alto Networks has updated detection capabilities within its Cortex XDR and WildFire platforms. Still, the campaign highlights the importance of layered security controls, phishing awareness, and behavioral threat detection to defend against advanced stealers like DarkCloud.
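The RunOnce persistence noted above is the most telemetry-friendly step of the chain. The block below is an added example, not Unit 42's or Palo Alto Networks' code; it scores constructed Sysmon-style registry value-set records (Event ID 13) and the field names and paths are assumptions for the demo.

```python
# Added example, not Unit 42's code: detection logic for the persistence step
# described above. DarkCloud re-arms itself through the Windows RunOnce key, so
# registry value-set telemetry (Sysmon Event ID 13 style records) is a natural
# place to look. The records below are constructed for the demo.
import re
from typing import Optional

RUNONCE_RE = re.compile(r"\\CurrentVersion\\RunOnce(Ex)?\\", re.IGNORECASE)
# Locations a packaged installer rarely launches from but droppers commonly do.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.IGNORECASE)
# Script hosts and interpreters that turn a RunOnce value into a loader stage.
LAUNCHER_RE = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|autoit3?)(\.exe)?\b",
    re.IGNORECASE)

def score_runonce_event(event: dict) -> Optional[dict]:
    """Return an alert for a suspicious RunOnce write, or None."""
    if event.get("EventID") != 13 or not RUNONCE_RE.search(event.get("TargetObject", "")):
        return None
    details = event.get("Details", "")
    reasons = []
    if USER_WRITABLE_RE.search(details):
        reasons.append("launches from user-writable path")
    if LAUNCHER_RE.search(details):
        reasons.append("uses script host or interpreter")
    if USER_WRITABLE_RE.search(event.get("Image", "")):
        reasons.append("written by process in user-writable path")
    if not reasons:
        return None
    return {"target": event["TargetObject"], "details": details, "reasons": reasons}

def hunt(events: list) -> list:
    """Apply the scorer to a batch of events and keep only the alerts."""
    return [a for a in (score_runonce_event(e) for e in events) if a]

# Constructed telemetry: one stealer-style entry, one benign installer entry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AcmeSetup",
     "Details": r"C:\Program Files\Acme\cleanup.exe /silent"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```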
Chihuahua Stealer Abuses Cloud Storage and Multi-Stage Payloads for Covert Data Theft
Chihuahua Stealer is a recently discovered .NET-based infostealer that uses deceptive cloud-hosted documents and layered payloads to infiltrate Windows systems and exfiltrate sensitive information. The infection chain begins when a victim downloads a seemingly legitimate file from Google Drive or OneDrive containing an embedded PowerShell script. This script, encoded in Base64 and executed via the iex command, silently bypasses execution policy and launches a compact loader that fetches follow-up payloads from hardcoded fallback domains. Persistence is maintained using scheduled tasks and custom marker files in the user's Recent directory, while additional instructions and modules are pulled dynamically from attacker-controlled infrastructure. The script is heavily obfuscated using hex strings, which makes it more difficult for static detection tools to recognize its functionality. Domains like cdn.findfakesnake[.]xyz are used to host these payloads, with the malware displaying modular behavior and conditional logic depending on system state and network reachability. Once fully deployed, Chihuahua Stealer focuses on harvesting browser-stored data, including saved login credentials, session cookies, browsing history, and data from installed crypto wallet extensions. The collected information is then encrypted using AES-GCM via Windows CNG APIs and archived into a file with a .chihuahua extension. This archive is transmitted over HTTPS to avoid detection and blend in with regular traffic. The malware also removes its digital footprint by clearing PowerShell console history and wiping clipboard contents. By abusing trusted cloud services, avoiding static payloads, and relying on native Windows encryption methods, the stealer can operate quietly and effectively. Its combination of social engineering, stealth persistence, modular payload execution, and secure exfiltration channels highlights the increasing sophistication seen in modern commodity malware families.
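The Base64-encoded, iex-launched PowerShell stage is visible in process-creation telemetry only after the blob is decoded. This added example, not code from the Chihuahua Stealer analysis, does that triage on constructed command lines; the indicator names and the inner script are assumptions, while the domain is the IOC quoted above.

```python
# Added example, not code from the Chihuahua Stealer analysis: triage of
# process-creation command lines for the loader pattern described above, a
# Base64 (UTF-16LE) PowerShell payload run through iex with execution policy
# bypassed. Decoding the blob first is what lets the iex and domain checks fire.
import base64
import re
from typing import Optional

ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
INDICATORS = {
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "scheduled_task": re.compile(r"\b(schtasks|register-scheduledtask)\b", re.IGNORECASE),
    # domain reported in the analysis above, with the defanging bracket removed
    "known_c2": re.compile(r"findfakesnake\.xyz", re.IGNORECASE),
    # long runs of 0x.. bytes: the hex-string obfuscation the report describes
    "hex_obfuscation": re.compile(r"(?:0x[0-9a-f]{2}[,\s]+){8,}", re.IGNORECASE),
}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(cmdline: str) -> dict:
    """Match indicators against the visible command line plus decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (decoded or "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": decoded, "hits": hits, "suspicious": len(hits) >= 2}

# Constructed sample (domain is the report's IOC; the script body is invented).
INNER = ("$h='https://cdn.findfakesnake.xyz'; "
         "$c = Get-Content -Raw \"$env:TEMP\\s.ps1\"; iex $c")
SAMPLE_CMD = ("powershell.exe -ep bypass -w hidden -enc "
              + base64.b64encode(INNER.encode("utf-16le")).decode())
BENIGN_CMD = r"powershell.exe -File C:\scripts\backup.ps1 -Verbose"

if __name__ == "__main__":
    print(triage(SAMPLE_CMD))
    print(triage(BENIGN_CMD))
```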
Bitpixie Exploit Revives Concerns Over BitLocker Default Configuration
A recently demonstrated exploit known as Bitpixie (CVE-2023-21563) has revived concerns around Microsoft’s BitLocker encryption, showing how attackers can bypass protection in under five minutes using software-only methods. Though the vulnerability was initially identified in 2022, it has gained new attention following a presentation at the 38C3 conference in late 2024, where researchers detailed fully reproducible, non-invasive techniques requiring only brief physical access to the device. Unlike older BitLocker bypass attacks involving hardware-level tampering or TPM sniffing, Bitpixie leverages bootloader downgrades via PXE boot or Windows PE environments, both of which rely solely on signed Microsoft components. This makes the attack viable on many systems, including secured-core PCs, as long as pre-boot authentication is not enforced. The attack chain allows adversaries to extract the BitLocker Volume Master Key (VMK) from system memory, giving them full access to encrypted drives without triggering detection or leaving forensic traces. Organizations relying on TPM-only BitLocker configurations—still the default across many enterprise and consumer Windows installations—are particularly exposed. Systems used in field operations, public environments, or anywhere physical access cannot be tightly controlled are at higher risk. Mitigation efforts should focus on enabling pre-boot authentication, such as requiring a PIN or USB startup key before the system boots, which blocks this attack vector entirely. Additional hardening steps include applying Microsoft’s KB5025885 update to revoke vulnerable bootloaders, disabling network boot via BIOS/UEFI, and enforcing Secure Boot policies. While a full architectural fix involving updated certificates is not expected until 2026, these interim controls are essential to close the gap. Bitpixie underscores the importance of securing pre-boot environments and reviewing encryption configurations beyond vendor defaults.