NEWS One JavaScript and Zero Clicks — That’s All It Took to Breach a Ministry of Defense

ExcalibuR


When simply reading an email means giving away passwords, contacts, and state secrets.


Since 2023, an unidentified hacker group has been carrying out a massive cyber-espionage operation dubbed RoundPress, aimed at stealing email communications from government bodies and critical infrastructure organizations across the globe. The campaign is still ongoing, constantly adapting to new vulnerabilities and exploitation methods.


The operation leverages both long-known and newly discovered vulnerabilities in popular webmail platforms, including Roundcube, Horde, MDaemon, and Zimbra. According to ESET, the attack targets include government agencies in Greece, Ukraine, Serbia, and Cameroon, military units in Ukraine and Ecuador, defense contractors in Bulgaria, Ukraine, and Romania, and critical infrastructure in Bulgaria and Ukraine.


The attack begins with a carefully crafted phishing email disguised as a news update or political bulletin to inspire trust. The HTML body of the email contains malicious JavaScript exploiting an XSS (cross-site scripting) vulnerability in the webmail client. No clicks or downloads are required — simply opening the email in a browser is enough to trigger the attack.


The code doesn’t persist on the device and only runs during the email preview. It creates invisible input fields to trick the browser or password manager into autofilling credentials. The script also scans the page, collecting emails, contacts, login settings, session history, and even 2FA codes. All collected data is sent to pre-programmed command and control servers.


RoundPress exploited the following vulnerabilities:


  • Roundcube – CVE-2020-35730 (CVSS: 6.1): A stored XSS that allows embedding JavaScript in the email body. Used in 2023.
  • Roundcube – CVE-2023-43770 (CVSS: 6.1): A link-handling vulnerability, actively exploited in early 2024.
  • MDaemon – CVE-2024-11182 (CVSS: 5.3): A zero-day vulnerability in the HTML parser, used in the second half of 2024. It allowed bypassing 2FA via App Passwords.
  • Horde – Unspecified XSS: An attempt to exploit a legacy <img onerror> XSS, which was blocked in newer versions.
  • Zimbra – CVE-2024-27443 (CVSS: 6.1): A calendar system flaw allowing script injection via the X-Zimbra-Calendar-Intended-For header.

Each script was tailored to the specific mail server's behavior, demonstrating a high degree of technical sophistication. While no new RoundPress activity has been observed in 2025, the tactics used can easily be adapted to newly emerging XSS vulnerabilities in modern webmail platforms.
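The defensive counterpart to the mechanism described above (script in the HTML body, the legacy `<img onerror>` vector from the Horde item, and `javascript:` links) is an allowlist sanitizer that the webmail server runs over every message body before it is rendered. The block below is an added illustration written for this post, not code from ESET's report or from Roundcube, Horde, MDaemon or Zimbra. The tag and attribute allowlists, the accepted URL schemes, and the sample message body are all constructed assumptions for the demo; a real deployment would tune them to what its mail client needs to render. Besides the cleaned HTML it returns a list of findings, so the same function can feed a detection pipeline (alert on any message where a handler or script element was stripped).

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists for the demo: only markup an email needs to render survives.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th", "img", "blockquote",
                "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
VOID_TAGS = {"br", "img"}
# cid: is the scheme webmail uses for inline attachments; data:/javascript: are not accepted.
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}


def _safe_url(value: str) -> bool:
    # Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so strip
    # all whitespace before parsing, and compare case-insensitively.
    compact = "".join(value.split()).lower()
    scheme = urlparse(compact).scheme
    if scheme:
        return scheme in SAFE_SCHEMES
    return not compact.startswith("//")   # relative URL ok, protocol-relative not


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the message body from allowlisted tags/attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []
        self._dropping = 0   # >0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.findings.append(f"dropped <{tag}> element")
            self._dropping += 1
            return
        if self._dropping:
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped <{tag}> (not allowlisted)")
            return                      # inner text is kept, the tag is not
        kept = []
        for name, value in attrs:       # HTMLParser lowercases attribute names
            value = value or ""
            if name.startswith("on"):   # onerror, onload, onmouseover, ...
                self.findings.append(f"dropped {name} handler on <{tag}>")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"dropped {name} on <{tag}> (not allowlisted)")
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.findings.append(f"dropped {name} with unsafe URL on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._dropping = max(0, self._dropping - 1)
            return
        if self._dropping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions carry nothing a reader needs.
    def handle_comment(self, data):
        self.findings.append("dropped HTML comment")

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_email_html(body: str):
    """Return (clean_html, findings) for one message body."""
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample body: a harmless-looking bulletin carrying the classic vectors.
SAMPLE_EMAIL_BODY = (
    '<p>Weekly briefing</p>'
    '<img src="x" onerror="alert(1)">'
    '<script>document.title = "x"</script>'
    '<a href="javascript:void(0)">read more</a>'
    '<a href="https://example.com/brief">official bulletin</a>'
    '<img src="cid:logo@example">'
)

if __name__ == "__main__":
    clean, findings = sanitize_email_html(SAMPLE_EMAIL_BODY)
    print(clean)
    for f in findings:
        print("finding:", f)
```

Running the module on the sample strips the `onerror` handler, the whole `<script>` element and the `javascript:` link while leaving the text, the real link and the `cid:` inline image intact; the three findings are what a mail gateway would log as an XSS attempt against the webmail client.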


This campaign underscores just how vulnerable legitimate webmail interfaces can be, even with minimal user interaction. One opened email can compromise an entire organization's security infrastructure — if the attackers know what they're doing.