APT28, also known as Fancy Bear, exploited Roundcube webmail vulnerabilities to deploy the Roundish toolkit. This toolkit enabled credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and 2FA secret extraction from mail.dmsu.gov.ua.