Fancy Bear Exposes Stolen Credentials, 2FA Secrets from NATO-Linked Targets

Jennifer Sherman
March 18, 2026

Key Takeaways

  • Russian state-sponsored hacking group Fancy Bear (APT28) inadvertently exposed its operational server, revealing details of an extensive espionage campaign.
  • The campaign targeted government and military organizations across Europe, including NATO member states and Ukraine, compromising credentials, 2FA secrets, and confidential communications.
  • Fancy Bear employed a sophisticated JavaScript module to silently exfiltrate TOTP 2FA secrets from Roundcube webmail users, bypassing multi-factor authentication without user interaction.
  • Affected organizations must immediately rotate TOTP secrets, audit email forwarding rules, block identified C2 infrastructure, and patch Roundcube for CVE-2023-43770.

Russian APT28 Exposes Espionage Campaign Targeting NATO-Linked Entities

A significant operational security lapse by Fancy Bear, a prominent hacking group linked to the Russian state, has offered cybersecurity researchers an unprecedented look into an active espionage operation. This campaign specifically targeted European government and military organizations, revealing extensive data exfiltration and sophisticated bypass techniques.

On March 11, 2026, threat intelligence firm Hunt.io disclosed its findings on a campaign it named “Operation Roundish.” This designation arose from an exposed open-directory first identified on January 13, 2026, which provided initial insights into Fancy Bear’s activities.

Fancy Bear, also known as APT28, Forest Blizzard, or Sednit, is widely recognized as Russia’s GRU Military Intelligence Unit 26165, according to assessments by the UK’s NCSC.

What began as a targeted webmail exploitation effort had been underway for over a year before the group’s operational error left its server vulnerable and exposed to public scrutiny.

The exposure originated from a Namecheap Virtual Private Server (VPS) located in the United States, operating on the IP address 203.161.50.145.

Remarkably, this same server had been publicly linked to Fancy Bear by Ukraine’s CERT-UA as early as September 2024. Despite this public attribution, the group continued to operate from the compromised infrastructure for more than 500 days without migrating to new systems.

Within the exposed directory, researchers discovered a trove of sensitive information, including 2,800 exfiltrated government and military emails, 240 sets of stolen credentials (comprising passwords and TOTP 2FA secrets), 140 unauthorized silent email-forwarding rules, and 11,500 contact addresses harvested from victim address books across multiple countries.

Analysts at Ctrl-Alt-Intel subsequently uncovered a second exposed open-directory on the identical server, which had not been included in Hunt.io’s initial January 2026 archive. This additional directory contained Fancy Bear’s complete command-and-control (C2) source code, supplementary JavaScript payloads, extensive campaign telemetry logs, and further exfiltrated data, collectively offering a nearly comprehensive overview of the entire operation.

Victims identified spanned Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. Email addresses associated with four NATO member states, including infrastructure belonging to NATO headquarters itself, were recovered directly from the stolen contact data.

The targeting pattern exhibited clear geopolitical motivations. Ukrainian regional prosecutors, likely involved in war crimes investigations, constituted the largest single victim group. Other compromised entities included Romania’s Air Force, Greece’s National Defence General Staff, Serbia’s Ministry of Defence, and various Bulgarian government organizations.

The strategic selection of targets is further underscored by recent geopolitical developments: Romania, Bulgaria, and Greece had formalized a military mobility agreement in July 2024, and Greece had participated in training Ukrainian F-16 pilots. These factors strongly suggest an intelligence-driven targeting strategy rather than opportunistic intrusions.

How Fancy Bear Silently Bypassed Two-Factor Authentication

One of the most concerning technical discoveries in this campaign was Fancy Bear’s sophisticated method for silently stealing TOTP-based 2FA secrets from victims who believed their accounts were fully protected. The group deployed a JavaScript module named keyTwoAuth.js, designed to execute entirely within the victim’s already authenticated Roundcube webmail session. This technique meant no additional clicks or separate login prompts were ever required from the target, making the compromise invisible to the user.

Upon activation of the XSS payload, keyTwoAuth.js initiated an HTTP request to Roundcube’s 2FA settings page for the twofactor_gauthenticator plugin. It then parsed the returned HTML, extracting five hidden password fields: one TOTP secret and four recovery codes. This data was Base64-encoded and quietly transmitted to Fancy Bear’s C2 server at zhblz.com, using the log prefix ktfu. With both the victim’s password and TOTP secret in hand, Fancy Bear could generate valid authentication codes at any future time, completely circumventing two-factor protection without requiring physical access to the victim’s device.

Ctrl-Alt-Intel recovered 516 log entries under the ktfu prefix, corresponding to 108 unique victim email addresses. Of these, 256 accounts had genuine TOTP secrets stolen, impacting targets within Romania’s Air Force, Greece’s GEETHA, Ukraine’s Asset Recovery Agency, and Serbia’s Ministry of Defence. The remaining 260 entries returned “nokey,” indicating that these accounts had no 2FA configured at all, rendering them even more vulnerable.

What You Should Do

  • Rotate TOTP Secrets: All organizations utilizing Roundcube with the twofactor_gauthenticator plugin should consider all existing TOTP secrets potentially compromised and initiate an immediate rotation.
  • Audit Email Forwarding Rules: Administrators must thoroughly audit Sieve email-filtering rules for any unauthorized forwarding entries, especially those named “SystemProtect” or “SystemHealthChek.”
  • Block C2 Infrastructure: Immediately block all network connections to the identified C2 IP address 203.161.50.145 and the domain zhblz.com at your perimeter and internal network controls.
  • Patch Roundcube: Apply the security patch for Roundcube CVE-2023-43770 without delay.
  • Monitor Webmail Infrastructure: Enhance monitoring of webmail infrastructure for any signs of XSS injection or other anomalous activity.
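The following Python script is an added defensive example written for this article; it is not code from Hunt.io, Ctrl-Alt-Intel, or the Roundcube project. It covers two of the checks above: auditing Sieve scripts for unauthorized forwarding rules (including the reported rule names “SystemProtect” and “SystemHealthChek”) and sweeping proxy/DNS logs for the published C2 indicators (203.161.50.145 and zhblz.com). It assumes the `# rule:[Name]` comment layout that Roundcube’s managesieve plugin writes above each rule; the Sieve script and log lines are constructed samples, not recovered campaign data, and the log format is hypothetical.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the article from the Hunt.io / Ctrl-Alt-Intel reporting.
C2_IP = "203.161.50.145"
C2_DOMAIN = "zhblz.com"
# Names the article reports for the unauthorized forwarding rules.
SUSPICIOUS_RULE_NAMES = {"SystemProtect", "SystemHealthChek"}

# Constructed sample Sieve script (not from any victim) in the layout Roundcube's
# managesieve plugin produces: a '# rule:[Name]' comment above every rule (assumption).
SAMPLE_SIEVE = """\
require ["fileinto", "copy"];
# rule:[Move newsletters]
if header :contains "subject" "newsletter" {
    fileinto "Lists";
}
# rule:[SystemProtect]
if true {
    redirect :copy "collector@mailbox.example.invalid";
}
# rule:[Archive copy]
if true {
    redirect :copy "archive@example.org";
}
# rule:[Keep in sync]
if header :contains "subject" "invoice" {
    redirect "someone@mailbox.example.net";
}
"""

# Constructed proxy/DNS-style log lines (hypothetical format) for the IoC sweep.
SAMPLE_LOG_LINES = [
    "2026-03-12T09:14:03Z proxy src=10.0.4.21 dst=203.161.50.145:443 host=zhblz.com",
    "2026-03-12T09:14:05Z dns   src=10.0.4.21 query=mail.example.org type=A",
    "2026-03-12T09:15:11Z dns   src=10.0.7.8  query=zhblz.com type=A",
    "2026-03-12T09:16:40Z proxy src=10.0.7.8  dst=203.161.50.14:443 host=cdn.example.org",
]


@dataclass
class SieveRule:
    name: str
    body: str

    @property
    def forwards(self) -> bool:
        # 'redirect' is the Sieve action that sends a copy of the message elsewhere.
        return re.search(r"\bredirect\b", self.body) is not None


def parse_sieve_rules(script: str) -> list:
    """Split a Roundcube-managed Sieve script into named rules.

    The text between one '# rule:[Name]' marker and the next is that rule's body.
    """
    marker = re.compile(r"^# rule:\[(.*?)\]\s*$", re.M)
    matches = list(marker.finditer(script))
    rules = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(script)
        rules.append(SieveRule(m.group(1), script[m.end():end]))
    return rules


def audit_forwarding_rules(script: str, allowed_domains=("example.org",)) -> list:
    """Return (rule name, reason) for every rule that deserves a human look:
    a name matching the reported campaign rule names, or a redirect to a domain
    outside the organisation's allow-list."""
    findings = []
    for rule in parse_sieve_rules(script):
        if rule.name in SUSPICIOUS_RULE_NAMES:
            findings.append((rule.name, "name matches reported campaign rule name"))
        elif rule.forwards:
            targets = re.findall(r'redirect[^"]*"([^"]+)"', rule.body)
            if any(t.split("@")[-1] not in allowed_domains for t in targets):
                findings.append((rule.name, f"forwards mail outside allowed domains: {targets}"))
    return findings


def find_ioc_hits(lines) -> list:
    """Return (1-based line number, indicator) for each log line touching the C2.

    Boundaries guard against partial matches such as 203.161.50.14 or notzhblz.com.
    """
    ip_re = re.compile(r"(?<!\d)" + re.escape(C2_IP) + r"(?!\d)")
    dom_re = re.compile(r"(?<![A-Za-z0-9-])" + re.escape(C2_DOMAIN) + r"(?![A-Za-z0-9-])", re.I)
    hits = []
    for n, line in enumerate(lines, 1):
        for indicator, rx in ((C2_IP, ip_re), (C2_DOMAIN, dom_re)):
            if rx.search(line):
                hits.append((n, indicator))
    return hits


if __name__ == "__main__":
    for name, reason in audit_forwarding_rules(SAMPLE_SIEVE):
        print(f"[sieve] {name}: {reason}")
    for n, indicator in find_ioc_hits(SAMPLE_LOG_LINES):
        print(f"[ioc] line {n}: {indicator}")
```

In production the Sieve scripts would be read from each user’s managesieve storage and the log lines streamed from the proxy or resolver; the allow-list passed to `audit_forwarding_rules` should contain only the domains mail is legitimately permitted to leave for, so that any redirect elsewhere is surfaced regardless of the rule’s name.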
