Hackers linked to APT28, a Russian state-backed threat group tied to the GRU, are exploiting a Zimbra Collaboration Suite vulnerability in attacks against Ukrainian government entities.

The flaw, tracked as CVE-2025-66376, is a high-severity stored cross-site scripting vulnerability that was patched in early November. Researchers say attackers can exploit it without authentication to achieve remote code execution, compromise the Zimbra server, and access the victim’s email account.

The U.S. Cybersecurity and Infrastructure Security Agency has now added the bug to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive 22-01, CISA also ordered Federal Civilian Executive Branch agencies to secure affected servers within two weeks.

Although CISA did not share more details about the attacks, Seqrite Labs said the flaw was used by APT28 in a phishing campaign targeting Ukraine. One of the reported targets was the Ukrainian State Hydrology Agency, which operates under the Ministry of Infrastructure and provides maritime, navigational, and hydrographic support.

Seqrite named the campaign Operation GhostMail. According to the researchers, the phishing emails did not contain malicious attachments, suspicious links, or macros. Instead, the full attack was hidden inside the HTML body of a single email.

When the victim opened the email in a vulnerable Zimbra webmail session, an obfuscated JavaScript payload ran silently in the browser. Because the script executes in the origin of the webmail application, it can act with the victim's own authenticated session rather than needing a separate foothold. Seqrite said the script then began stealing credentials, session tokens, backup two-factor authentication codes, browser-saved passwords, and mailbox contents going back 90 days. The stolen data was exfiltrated over both DNS and HTTPS.
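The campaign's defining trait is that the whole attack sits in the HTML body of the message, so a mail gateway can look for it before the webmail client ever renders it. The following scanner is an added example for this page, not code from Seqrite, Zimbra or the campaign itself: it parses an RFC 5322 message, decodes every `text/html` part, and flags the shapes of active content that a stored-XSS bug lets through (inline `<script>`, `on*` event handlers, and `javascript:`-style URIs, including ones padded with whitespace that browsers ignore). The two sample bodies, the addresses and the subject line are constructed for the demonstration; the `eval(atob(...))` snippet is a generic stand-in, not the real payload.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Tags and URI-bearing attributes that have no business in a mail body and
# that a webmail sanitizer is supposed to strip before rendering. This is a
# starting list for a gateway heuristic, not an exhaustive one.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "form"}
URI_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentScanner(HTMLParser):
    """Collects active-content findings from one HTML mail body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                # Any on* attribute is a script handler: onerror, onload, ...
                self.findings.append(f"event:{tag}@{name}")
            elif name in URI_ATTRS and value:
                # Drop whitespace and control bytes that browsers ignore
                # inside the scheme, so "java\tscript:" is not missed.
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith(BAD_SCHEMES):
                    self.findings.append(f"uri:{tag}@{name}")


def html_bodies(raw_message):
    """Yield every decoded text/html part (base64/QP handled by the parser)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_message(raw_message):
    """Return the list of active-content findings across all HTML parts."""
    findings = []
    for body in html_bodies(raw_message):
        scanner = ActiveContentScanner()
        scanner.feed(body)
        scanner.close()
        findings.extend(scanner.findings)
    return findings


def build_sample(html_body):
    """Constructed multipart/alternative test message (not from the campaign)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Hydrology bulletin"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(html_body, subtype="html")
    return msg.as_string()


# Constructed bodies: one carries inline script in the forms a stored-XSS
# bug would render, the other is an ordinary notification.
MALICIOUS_HTML = (
    "<html><body><p>Please review the bulletin.</p>"
    '<img src="x" onerror="eval(atob(\'YWxlcnQoMSk=\'))">'
    '<a href="java\tscript:void(0)">link</a>'
    "<script>var s=String.fromCharCode(97);</script>"
    "</body></html>"
)
BENIGN_HTML = (
    "<html><body><p>Hello, the report is at "
    '<a href="https://example.test/report">example.test</a>.</p></body></html>'
)

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_message(build_sample(body)))
```

Run as a script it reports three findings for the constructed malicious body (`event:img@onerror`, `uri:a@href`, `tag:script`) and none for the benign one. Two caveats a practitioner should keep in mind: Python's `HTMLParser` is lenient and may tokenise malformed markup differently from a browser, so a gateway rule like this is a heuristic layered on top of patching, not a substitute for it; and a stored XSS in the webmail means the client-side sanitizer already failed once, which is exactly why the check belongs on the mail path rather than in the browser.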

Zimbra vulnerabilities have been repeatedly used in cyberattacks over the past few years, including by Russian state-sponsored groups. In 2023, the Winter Vivern cyberespionage group used another XSS flaw to target Zimbra webmail portals and spy on NATO-aligned organizations, government officials, military personnel, and diplomats.

In October 2024, U.S. and U.K. cyber agencies also warned that APT29, another Russian-linked hacking group, was attacking vulnerable Zimbra servers at scale using a flaw that had previously been used to steal email credentials.


Zimbra remains widely used around the world by government agencies and businesses, making it a frequent target for threat actors looking to gain access to sensitive communications.