APT28 Hacks Gov’t Email via MDaemon Zero-Day Bug
A Russian state-linked hacking group has exploited a zero-day vulnerability in MDaemon webmail software as part of a broader cyber espionage campaign targeting government email servers, according to new research from cybersecurity firm ESET. Dubbed Operation RoundPress, the activity began in 2023 and focused on exploiting cross-site scripting (XSS) flaws in multiple webmail platforms, including Roundcube, Horde, Zimbra, and MDaemon.
The attackers leveraged these vulnerabilities to infiltrate webmail servers and gain unauthorized access to sensitive communications. Notably, the MDaemon flaw was a zero-day at the time of the intrusion, meaning no patch was available, which indicates the attackers’ advanced capabilities and prior knowledge of the vulnerability. The operation is attributed to APT28, a threat group with known ties to Russian intelligence services.
ESET’s findings highlight the persistent threat posed by sophisticated state-sponsored actors targeting critical communication infrastructure. The campaign underscores the importance of timely vulnerability disclosure and patch management across widely used email platforms.
More details: [The Hacker News](https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html).
