Mar 22, 2026 · 6 min read
Russia's Military Hackers Hid an Attack Inside a CSS Rule—Opening the Email Was Enough
APT28 exploited a Zimbra webmail flaw to steal 90 days of email, backup 2FA codes, and session tokens from Ukraine's maritime agency. The payload had no attachments and no links. It ran the moment a victim opened the message.
Most phishing attacks need you to click something. A link, an attachment, a button. Operation GhostMail needed nothing. On January 22, 2026, someone at Ukraine's State Hydrology Agency opened what looked like a routine internship inquiry. The email contained no attachments and no suspicious links. But hidden inside a malformed CSS rule was obfuscated JavaScript that executed the moment Zimbra rendered the message in the browser.
Within seconds, the script had stolen the victim's session token, harvested their backup two-factor authentication codes, exported 90 days of email, and created an app-specific password as a persistent backdoor that survives a password reset. The attackers exfiltrated everything through two separate channels, DNS tunneling and HTTPS, so that the data would still reach them if one channel was blocked.
How CSS Became a Weapon
The vulnerability, tracked as CVE-2025-66376, is a stored cross-site scripting flaw in Zimbra's Classic UI. Zimbra's email rendering engine is supposed to strip dangerous content from incoming HTML email, and it handles the obvious cases such as script tags and event-handler attributes. The attackers found that CSS @import directives could be used to fragment tag names in a way that fooled the sanitizer while still executing once the browser parsed the result.
The result was an SVG element with an onload handler that looked broken to Zimbra's filter but reassembled cleanly when the browser parsed it. The payload itself was base64-encoded and XOR-encrypted with the key "twichcba5e", so signature-based email scanners looking for known script strings had nothing to match.
When uploaded to VirusTotal on February 26, more than a month after the attack, the malicious email still registered zero detections from any antivirus engine.
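To make the obfuscation layer concrete, here is a small triage script added for this article; it is not the attackers' payload and not Zimbra code. It assumes the JavaScript was XOR-ed with the reported key and then base64-encoded (the order of the two layers is an assumption), pulls base64-looking runs out of an HTML body wherever they sit (a CSS rule included), peels both layers off, and keeps whatever reads as JavaScript. The sample message body, the benign JavaScript string inside it, and the JavaScript-recognition heuristic are all constructed for the example.

```python
import base64
import re

# Key reported for the GhostMail payload. The layer order assumed here
# (XOR with the key, then base64) and the JavaScript heuristic are ours.
XOR_KEY = b"twichcba5e"

# Tokens that a decoded blob should contain before we call it JavaScript.
JS_MARKERS = (b"function", b"fetch(", b"=>", b"localStorage", b"XMLHttpRequest", b"document.")

# Base64-looking runs of at least 32 characters, with optional padding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_js(blob: bytes) -> bool:
    """Cheap filter: almost entirely printable ASCII and at least one JS token."""
    if not blob:
        return False
    printable = sum(32 <= c < 127 or c in b"\r\n\t" for c in blob) / len(blob)
    return printable > 0.95 and any(m in blob for m in JS_MARKERS)


def recover_payloads(html: bytes, key: bytes = XOR_KEY) -> list[bytes]:
    """Find base64 runs anywhere in the HTML body (CSS rules included),
    strip the base64 and XOR layers, and keep the results that read as JS."""
    found = []
    for cand in B64_RE.findall(html):
        try:
            raw = base64.b64decode(cand, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        plain = xor_bytes(raw, key)
        if looks_like_js(plain):
            found.append(plain)
    return found


def obfuscate(js: bytes, key: bytes = XOR_KEY) -> bytes:
    """Inverse of the recovery step, used only to build the constructed sample."""
    return base64.b64encode(xor_bytes(js, key))


# Constructed, benign stand-in for the real payload: it reads nothing and sends nothing.
SAMPLE_JS = b"function probe(){return document.title;}probe();"

# Constructed message body: an innocuous-looking note with the blob parked in a CSS rule.
SAMPLE_HTML = (
    b'<html><head><style>.sig::after{content:"' + obfuscate(SAMPLE_JS) + b'"}</style></head>'
    b"<body><p>Hello, I am writing to ask about internship opportunities this summer.</p>"
    b"</body></html>"
)

if __name__ == "__main__":
    for payload in recover_payloads(SAMPLE_HTML):
        print(payload.decode())
```

Point the script at a saved .eml body rather than SAMPLE_HTML to triage a real message. The JavaScript heuristic is deliberately loose; its job is to surface candidates for a human, not to replace a sandboxed render.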
Nine Operations in Parallel
Once the JavaScript executed, it ran nine simultaneous operations using Promise.all:
- Email export. Downloaded 90 days of mailbox data through Zimbra's built-in export endpoint.
- Credential theft. Intercepted browser-autofilled passwords from the login form.
- Session hijacking. Stole the CSRF token from local storage.
- 2FA bypass. Retrieved backup recovery codes through Zimbra's SOAP API.
- Persistent access. Created an app-specific password for ZimbraWeb that survives password resets.
- Protocol enablement. Silently turned on IMAP access for future remote login.
- OAuth enumeration. Listed all connected third-party applications.
- Device discovery. Catalogued all ActiveSync mobile devices connected to the account.
- Server fingerprinting. Dumped the full Zimbra server configuration.
This is not a smash and grab operation. It is a comprehensive intelligence collection toolkit disguised as an email.
Who Is APT28
The attack has been attributed to APT28, also known as Fancy Bear, Pawn Storm, and Sofacy Group, with moderate confidence. APT28 is operated by Russia's GRU military intelligence agency and has a long history of targeting government agencies, media organizations, and political institutions across Europe and North America.
This is not APT28's first time exploiting Zimbra. The group ran a similar campaign called Operation RoundPress in 2024, targeting European government email systems through Zimbra vulnerabilities. The current attack shows refinement: the payload is more sophisticated, the exfiltration is dual channel, and the persistence mechanisms are more resilient.
APT28 has also been recently linked to phishing campaigns targeting Signal and WhatsApp accounts of politicians and journalists in Germany, part of a broader pattern of Russian intelligence targeting encrypted communications.
Why This Matters Beyond Ukraine
Zimbra is used by over 200,000 organizations worldwide, including government agencies, universities, and businesses. Any organization running an unpatched Zimbra instance with the Classic UI enabled is vulnerable to this exact attack. The fix has been available since November 2025 in versions 10.1.13 and 10.0.18, but adoption of email server patches is notoriously slow.
Meanwhile, a pro-Russian group recently impersonated Ukraine's own CERT agency to distribute malware via fake security alerts, showing that Russian cyber operations continue to evolve in both sophistication and audacity.
The attack also demonstrates a disturbing trend in email exploitation: weaponizing the email rendering engine itself. Traditional email security focuses on scanning attachments and checking links. Operation GhostMail had neither. The payload lived entirely within the HTML body of the email, hidden in CSS that most security tools do not inspect.
This technique is not limited to Zimbra. Any webmail client that renders HTML email in a browser context is potentially vulnerable to similar CSS based injection attacks. The difference is in the specific sanitization bypass, which varies by platform.
What Organizations Should Do
If your organization runs Zimbra, these steps are urgent:
- Patch immediately. Update to Zimbra 10.1.13 or 10.0.18. CISA has mandated federal agencies patch by April 1, 2026.
- Audit app-specific passwords. Check for any unauthorized app passwords created through the SOAP API. These persist through password resets.
- Review IMAP access. If IMAP was unexpectedly enabled on accounts, investigate immediately.
- Check DNS logs. Look for unusual subdomain query patterns matching the format d-*.i.zimbrasoft.com.ua.
- Consider switching from the Classic UI. The modern Zimbra interface handles HTML sanitization differently and was not affected by this specific vulnerability.
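The DNS check above is the one step in that list that can be scripted against data most organizations already have. The following is an added example, not a tool from the article or from any vendor, that runs the d-*.i.zimbrasoft.com.ua indicator over resolver query logs and tallies matches per client. It goes slightly beyond the article's indicator by also scoring the entropy of the variable label, which is the generic tell of DNS tunneling under any parent domain. The log format, client addresses, timestamps and labels are constructed for the example; adapt parse_line to your resolver's format.

```python
import math
import re

# Indicator from the article: exfiltration queries shaped like d-*.i.zimbrasoft.com.ua.
GHOSTMAIL_RE = re.compile(r"^d-([^.]+)\.i\.zimbrasoft\.com\.ua$", re.IGNORECASE)

# Constructed log format (not any particular resolver's): "<timestamp> <client_ip> <qname> <qtype>".
# Every address, timestamp and label below is made up for the example.
SAMPLE_LOG = """\
2026-01-22T10:15:02Z 10.0.0.5 d-4a6f686e20536d697468.i.zimbrasoft.com.ua A
2026-01-22T10:15:02Z 10.0.0.5 d-7365737369.i.zimbrasoft.com.ua A
2026-01-22T10:15:03Z 10.0.0.5 D-616263646566.I.ZIMBRASOFT.COM.UA. A
2026-01-22T10:15:03Z 10.0.0.5 d-3031323334353637.i.zimbrasoft.com.ua TXT
2026-01-22T10:15:04Z 10.0.0.9 mail.example.org A
2026-01-22T10:15:05Z 10.0.0.9 www.zimbrasoft.com.ua A
2026-01-22T10:15:06Z 10.0.0.7 d-deadbeef.i.zimbrasoft.com.ua A
""".splitlines()


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores higher than human-chosen hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def parse_line(line: str):
    """Split one constructed log line into its fields; None if it does not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    # Normalize case and the trailing root dot so the regex sees one canonical form.
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def ghostmail_label(qname: str):
    """Return the variable part of a matching query name, else None."""
    m = GHOSTMAIL_RE.match(qname)
    return m.group(1) if m else None


def summarize(lines):
    """Per-client tally of matching queries, distinct labels and label entropy."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = ghostmail_label(rec["qname"])
        if label is None:
            continue
        s = stats.setdefault(rec["client"], {"queries": 0, "labels": set(), "entropy_sum": 0.0})
        s["queries"] += 1
        s["labels"].add(label)
        s["entropy_sum"] += shannon_entropy(label)
    return stats


def alerts(lines, min_queries=3):
    """Clients with at least min_queries matching lookups, as
    (client, queries, distinct_labels, mean_label_entropy)."""
    out = []
    for client, s in summarize(lines).items():
        if s["queries"] >= min_queries:
            out.append((client, s["queries"], len(s["labels"]),
                        round(s["entropy_sum"] / s["queries"], 2)))
    return sorted(out)


if __name__ == "__main__":
    for client, n, distinct, ent in alerts(SAMPLE_LOG):
        print(f"{client}: {n} GhostMail-pattern queries, {distinct} distinct labels, mean entropy {ent}")
```

A single match is already worth a look, so set min_queries to 1 for the incident review and raise it only when the rule is promoted to a standing alert. The threshold exists because one stray lookup from a scanner or a sandbox is noise; a client issuing dozens of distinct, high-entropy labels under the same parent is not.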
The Bigger Picture
Operation GhostMail is a reminder that email remains the most exploited communication channel in state sponsored hacking. Not because people keep clicking phishing links, but because email systems themselves contain vulnerabilities that attackers can exploit without any user interaction beyond opening a message.
The attack also highlights a gap in email security: most tools focus on what is attached to or linked from an email, not what is embedded in its HTML structure. As attackers increasingly move their payloads into the rendering layer, this gap will only grow wider. For anyone relying on webmail for sensitive communications, this is another argument for understanding how email tracking and exploitation actually works at the technical level.