A Russian state-linked threat actor has launched a targeted cyberattack against a Ukrainian government agency, exploiting a cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite to steal credentials and sensitive email data. <\/p>\n
Dubbed \u201cOperation GhostMail,\u201d the campaign stands out for its complete absence of traditional attack indicators \u2014 no malicious file attachments, no suspicious links, and no macros.\u200b<\/p>\n
The attack was delivered through a phishing email<\/a> received on January 22, 2026, by the Ukrainian State Hydrology Agency \u2014 a critical national infrastructure body under Ukraine\u2019s Ministry of Infrastructure. <\/p>\n Written in Ukrainian, the email posed as a routine internship inquiry from a supposed fourth-year student at the National Academy of Internal Affairs (NAVS). <\/p>\n The message was worded to appear harmless, even including an apology in case it reached the wrong inbox \u2014 a classic tactic to disarm recipient suspicion.\u200b<\/p>\n Seqrite researchers identified the campaign<\/a> after the phishing email was uploaded to VirusTotal on February 26, 2026, recording zero detections at the time. <\/p>\n Concealed inside the email\u2019s HTML body was a large base64-encoded JavaScript payload, hidden within a\u00a0 The exploit targeted CVE-2025-66376, a stored XSS vulnerability in Zimbra Collaboration Suite patched in ZCS versions 10.0.18 and 10.1.13 in November 2025. <\/p>\n The flaw involves insufficient sanitization of HTML content using CSS\u00a0 Based on technical overlaps with previously documented Zimbra exploitation<\/a> patterns and the geopolitical nature of the target, Seqrite attributed Operation GhostMail to APT28 (Fancy Bear) with medium confidence. <\/p>\n The targeting of a Ukrainian government agency responsible for maritime and hydrological infrastructure aligns with Russian state-sponsored cyber operations observed against public-sector institutions amid the ongoing conflict.\u200b<\/p>\n Once the payload executed, the attacker silently harvested session tokens, login credentials, backup two-factor authentication codes, browser-saved passwords, and up to 90 days of the victim\u2019s email archives \u2014 all without raising a single alert. <\/p>\n Data was exfiltrated over both HTTPS and DNS channels, making detection through conventional network filtering particularly difficult.\u200b<\/p>\n The attack operated in two clearly defined stages, both running entirely within the victim\u2019s browser without ever writing anything to disk.\u200b<\/p>\n In Stage 1, the JavaScript loader first checked whether a script with the ID \u201czmb_pl_v3_\u201d was already running, preventing duplicate injections. <\/p>\n It then decoded a base64 payload using the\u00a0 This decoded script was injected into the top-level document, escaping the webmail\u2019s iframe sandbox and inheriting full access to the browser\u2019s cookies, localStorage, and same-origin SOAP API rights.\u200b<\/p>\n Stage 2 introduced the full browser stealer, which began by generating a unique 12-character alphanumeric token per victim, used as an identifier in every command-and-control (C2) request. <\/p>\n The hardcoded C2 domain was\u00a0 These operations captured email content, server configuration, CSRF tokens, mobile device profiles, OAuth application access, backup 2FA codes, and browser-autofilled credentials. <\/p>\n The attack also silently enabled IMAP access on the victim\u2019s account and created a persistent app-specific password named \u201cZimbraWeb,\u201d giving the attacker long-term mailbox access that survives a full password reset.\u200b<\/p>\n Organizations running Zimbra should immediately upgrade from version 8.8.15 to at least version 10.1.x. <\/p>\n Administrators should audit all accounts for app-specific passwords named \u201cZimbraWeb\u201d and revoke them without delay. <\/p>\n SOAP API monitoring should be deployed, as calls to\u00a0 DNS filtering<\/a> should be enforced against the identified IOC domains, and IMAP or POP3 access should be disabled for accounts without a clear business need. <\/p>\n Staff must also understand that a clean-looking email with no attachments and no external links can still deliver a fully functional malicious payload<\/a> hidden inside its HTML body.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Russian APT Exploits Zimbra XSS to Target Ukrainian Government in \u2018Operation GhostMail\u2019<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\ndisplay:none<\/code>\u00a0div block. <\/p>\n![\"Phishing](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgXa7Gvfbf5SaAScg6_X9FQw8ueG8-LSusXifOnJB6ncnV_ujlfbVvbs6qyIB_79IdH9z2FtqB9EPHo5ZwPFSUkRNUPhWtxKgcxPQoj8GDydE2xiPP_6OgOrcBQsUC5rohNbiEKh1Z-rkmEjWopbRMB5dDU1V0fOx6I0Ywybq6y_R4I4xFtMI6adCVvSWQ\/s16000\/Phishing%2520email%2520%28Source%2520-%2520Seqrite%29.webp?ssl=1\")
@import<\/code>\u00a0directives. Once a victim opened the email in Zimbra\u2019s Classic UI with an active authenticated session, the payload executed silently in the browser.\u200b<\/p>\nTwo-Stage Infection Mechanism<\/strong><\/h2>\n
atob()<\/code>\u00a0function and applied XOR decryption with the key \u201ctwichcba5e\u201d to unpack the final JavaScript payload. <\/p>\n![\"Decoded](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg_Ax6-7pBidtLaBneEa1QWX72hA35HKapvEPrSYjnvixiRyexmHTOu_u1tVaV0OMzXSMmKn44VViAHI2A6R_FsApyRofe2W70i-qgCvOhirsd_UFnMsaQ6H-pnznhYbmf0OtGszANgIEG2sMBU2rHiO8yXZLOPo3zDwFNxyro7Jbqe579aVm6K-BB0b7g\/s16000\/Decoded%2520JavaScript%2520Loader%2520%28Stage-1%29%2520%28Source%2520-%2520Seqrite%29.webp?ssl=1\")
zimbrasoft[.]com[.]ua<\/code>, registered on January 20, 2026 \u2014 two days before the phishing email arrived. Nine parallel data-collection operations launched simultaneously, maximizing data yield within a single browser session. <\/p>\nGetScratchCodesRequest<\/code>\u00a0and\u00a0CreateAppSpecificPasswordRequest<\/code>\u00a0are rarely seen in normal usage and warrant immediate investigation. <\/p>\n