Pro-Russian hackers target European governments with email flaw

26 Oct 2023

Image: © Lerbank-bbk22/

ESET Research claims this exploit let cyberattackers steal data if a victim simply viewed the malicious email in a web browser.

A pro-Russian hacking group used a Roundcube exploit to target the emails of European governments, according to a new report by ESET Research.

The report claims that a threat actor known as Winter Vivern began exploiting a Roundcube mail vulnerability to target government entities and a think tank earlier this month.

The report claims Winter Vivern was able to exploit the vulnerability by sending a “legitimate-looking email” about Microsoft Outlook. This email was “specially crafted” to trigger the exploit.

“The vulnerability can be used to load arbitrary JavaScript code in the Roundcube webpage, allowing an attacker to access and exfiltrate user’s data such as email messages,” ESET Research said on X.

The report also claimed that the victims did not have to interact with the email to trigger the exploit, as it was activated simply by viewing the message in a web browser. ESET said it contacted Roundcube about the vulnerability and that it was patched within a few days.

“We would like to thank the Roundcube developers for their quick reply and for patching the vulnerability in such a short time frame,” ESET Research said.

The report said with “low confidence” that Winter Vivern is linked to a “sophisticated Belarus-aligned group” called MoustachedBouncer. A report from Sentinel Labs in March described Winter Vivern as an espionage group that appears to support the interests of Belarus and Russia’s governments.

“The threat actor employs various tactics, such as phishing websites, credential phishing and deployment of malicious documents, that are tailored to the targeted organisation’s specific needs,” Sentinel Labs said. “This results in the deployment of custom loaders and malicious documents, which enable unauthorised access to sensitive systems and information.”

In March, Microsoft issued an Outlook patch after a “Russia-based threat actor” used an exploit to attack a “number of organisations in government, transportation, energy and military sectors in Europe”.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic