Mallory

APT28 Exploits Zimbra XSS Flaw to Breach Ukrainian Government Webmail

Tags: actively-exploited-vulnerability, government-vulnerability-catalog, state-sponsored-espionage, phishing-campaign-intelligence, government-diplomatic-threat
Updated March 21, 2026 at 12:07 AM (8 sources)

APT28, the Russia-linked threat group associated with the GRU, used a phishing campaign dubbed Operation GhostMail to target Ukrainian government entities by exploiting Zimbra Collaboration Suite vulnerability CVE-2025-66376. The campaign targeted the State Hydrographic Service of Ukraine, a critical infrastructure body supporting maritime navigation and hydrographic operations. The attack used a single email written in Ukrainian and disguised as a routine internship inquiry; instead of relying on attachments or links, the malicious payload was embedded directly in the HTML body and executed when opened in a vulnerable Zimbra webmail session.

Researchers said the stored XSS flaw allowed attackers to run obfuscated JavaScript in the victim’s browser, enabling theft of login credentials, session tokens, backup two-factor authentication codes, browser-stored passwords, and up to 90 days of mailbox data. Reporting also notes the flaw was patched in November and later added by CISA to its Known Exploited Vulnerabilities catalog, with U.S. federal civilian agencies ordered to remediate within two weeks under BOD 22-01. The operation stood out for abusing a trusted webmail environment to hijack authenticated sessions without deploying traditional malware, helping the intrusion evade many standard phishing and endpoint defenses.

Timeline

1. Mar 19, 2026: CISA adds CVE-2025-66376 to KEV catalog

   CISA added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog after the flaw was observed in active exploitation. The agency ordered U.S. federal civilian agencies to remediate affected Zimbra servers within two weeks, with reporting citing an April 1, 2026 deadline.

2. Mar 19, 2026: Zimbra patches CVE-2025-66376 in supported releases

   Synacor released fixes for CVE-2025-66376 in Zimbra versions 10.1.13 and 10.0.18. The vulnerability involved insufficient sanitization of CSS @import directives in Classic UI, enabling attacker-controlled JavaScript execution when a victim opened a malicious email.

3. Mar 19, 2026: APT28 linked to exploitation of Zimbra flaw CVE-2025-66376

   Seqrite Labs attributed the campaign with medium confidence to APT28, the GRU-linked group also known as Fancy Bear. The attackers exploited the stored XSS flaw CVE-2025-66376 in Zimbra Classic UI to steal credentials, session tokens, backup 2FA codes, browser-saved passwords, and up to 90 days of mailbox data.

4. Mar 19, 2026: Operation GhostMail targets Ukrainian government via Zimbra phishing

   A Russian espionage campaign later tracked as Operation GhostMail targeted Ukrainian government entities, including the State Hydrographic Service/State Hydrology Agency and a national maritime agency, using Ukrainian-language phishing emails. The emails embedded the full exploit chain in HTML content, requiring no attachment or link.

5. Jan 20, 2026: GhostMail command-and-control domains established

   Researchers reported that two command-and-control domains used in the Zimbra exploitation campaign were set up on January 20, 2026. This infrastructure later supported the Ukraine-targeted phishing and data-exfiltration activity tied to Operation GhostMail.
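As an added defensive example (not code from this page, from Zimbra or from Synacor), a small Python mail-gateway check that flags HTML bodies carrying CSS @import directives, the construct the timeline entry above says Classic UI failed to sanitize. It normalizes CSS comments and escapes before matching so a filter does not miss trivially rewritten spellings; the sample bodies are constructed and the example.invalid URLs are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample bodies (not from the campaign): a benign message, one with
# @import in a <style> block, and one in a style attribute where a CSS comment
# and a hex escape split the keyword so a naive substring match would miss it.
BENIGN = '<p style="color:#333">Internship inquiry</p><style>p { margin: 0 }</style>'
STYLE_BLOCK = '<style>@import url("https://example.invalid/a.css");</style>'
OBFUSCATED = '<div style="@/**/\\69mport url(https://example.invalid/b.css)">x</div>'


class _CssCollector(HTMLParser):
    # Collects every place CSS can appear: <style> contents and style="" attributes.
    def __init__(self):
        super().__init__()
        self._in_style = False
        self.samples = []  # (location, raw css text)

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        for name, value in attrs:
            if name == "style" and value:
                self.samples.append((f"<{tag} style=...>", value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.samples.append(("<style> block", data))


def normalize_css(css):
    # Strip comments, decode CSS escapes, fold whitespace and case: match canonical form.
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    css = re.sub(r"\\([0-9a-fA-F]{1,6})[ \t\r\n]?",
                 lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), css)
    css = re.sub(r"\\(.)", r"\1", css)  # identity escapes such as \i -> i
    return re.sub(r"\s+", " ", css).strip().lower()


def find_css_imports(html):
    # Returns (location, css snippet) for every @import directive in the body.
    parser = _CssCollector()
    parser.feed(html)
    hits = []
    for where, raw in parser.samples:
        norm = normalize_css(raw)
        for m in re.finditer(r"@import\b", norm):
            hits.append((where, norm[m.start():m.start() + 60]))
    return hits
```

A rule like this belongs at the mail gateway or in a retrospective scan of messages received before the 10.1.13/10.0.18 fixes were applied; a hit is a triage signal for an analyst, not proof of exploitation.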


Sources

March 19, 2026 at 02:48 PM

3 more, from sources including The Record, BleepingComputer and BlueTeamSec

Related Stories

APT28 Reuses Old Access and Roundcube Exploits Against Ukrainian Institutions


Ukrainian officials warned that Russia-linked hackers are revisiting earlier compromises to regain access to government and defense networks, testing whether old footholds, unpatched vulnerabilities, and previously stolen credentials still work. CERT-UA said the activity reflects a broader shift from smash-and-grab credential theft toward persistent access, with initial intrusion methods also evolving beyond phishing to more tailored social engineering, including phone calls and video chats in fluent Ukrainian before malicious files are delivered through messaging apps. Agencies tied the activity to groups including **APT28** and **Void Blizzard**, with the security and defense sector remaining the top target because disruptions there could affect the war effort. Ukraine also confirmed a long-running cyber-espionage campaign, tracked since 2023 and attributed by Western researchers to **APT28** (`Fancy Bear`, `BlueDelta`, `Forest Blizzard`), that targeted prosecutors, anti-corruption bodies, and other local government entities through **Roundcube** webmail vulnerabilities enabling code execution when a victim opened an email. Reuters reported that more than 170 email accounts belonging to prosecutors and investigators were compromised in recent months, and CERT-UA identified three waves of related attacks. Officials said some allegedly stolen material was later published online, though reviews indicated the leaks likely did not include confidential data, and warned the operation could still be used to fuel disinformation aimed at eroding trust in Ukrainian institutions.

1 week ago
APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets


Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, **CVE-2026-21509** (a security feature bypass), attributed to Russia-linked **UAC-0001 / APT28 (Fancy Bear)** and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled `Consultation_Topics_Ukraine(Final).doc` appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance. CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The attack chain described includes opening a malicious DOC that triggers a **WebDAV** connection to attacker infrastructure, downloads a shortcut (`.lnk`) used to stage additional payloads, and deploys components including a DLL masquerading as a legitimate Windows component (e.g., `EhStoreShell.dll`) with shellcode hidden in a decoy file (e.g., `SplashScreen.png`), alongside persistence techniques such as **COM hijacking** (registry modification) and scheduled task creation.

3 days ago
Actively Exploited Zimbra XSS Leaves Over 10,000 Servers Exposed


More than 10,000 internet-exposed **Zimbra Collaboration Suite** servers remain vulnerable to `CVE-2025-48700`, an actively exploited cross-site scripting flaw that affects ZCS versions `8.8.15`, `9.0`, `10.0`, and `10.1`. The bug lets unauthenticated attackers execute arbitrary JavaScript in a victim’s session and steal sensitive data when a user opens a malicious email in the **Zimbra Classic UI**. Synacor released patches in June 2025, but Shadowserver still reported roughly **10,500** exposed unpatched systems, with the largest concentrations in Asia and Europe. **CISA** has added `CVE-2025-48700` to its **Known Exploited Vulnerabilities** catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within days because the flaw is being abused in the wild. The warning follows a broader pattern of Zimbra vulnerabilities being used in espionage-focused campaigns, with reporting linking earlier exploitation of similar flaws to Russian-aligned groups including **APT28**, **APT29**, and **Winter Vivern** against Ukrainian entities, NATO-aligned organizations, and other targets.

5 days ago
