FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops
WHITE Fancy_bear PetrP.73 2026-03-20 Modified: 2026-04-19
39 IOCs
MEDIUM VOLUME
The reported findings on FancyBear, a Russian Advanced Persistent Threat (APT), detail a significant operational security lapse in a campaign known as Operation Roundish. The analysis stemmed from an open directory exposed in January 2026, which revealed extensive data including over 2,800 emails and 240 sets of stolen credentials. FancyBear’s exfiltration methods included creating forwarding rules in victims’ email accounts, which silently captured and redirected emails to attacker-controlled mailboxes.
Indicators of Compromise (8 / 39 total)