APT28 Exploits Zimbra XSS Flaw to Breach Ukrainian Government Webmail
APT28, the Russia-linked threat group associated with the GRU, used a phishing campaign dubbed Operation GhostMail to target Ukrainian government entities by exploiting Zimbra Collaboration Suite vulnerability CVE-2025-66376. The campaign targeted the State Hydrographic Service of Ukraine, a critical infrastructure body supporting maritime navigation and hydrographic operations. The attack used a single email written in Ukrainian and disguised as a routine internship inquiry; instead of relying on attachments or links, the malicious payload was embedded directly in the HTML body and executed when opened in a vulnerable Zimbra webmail session.
Researchers said the stored XSS flaw allowed attackers to run obfuscated JavaScript in the victim’s browser, enabling theft of login credentials, session tokens, backup two-factor authentication codes, browser-stored passwords, and up to 90 days of mailbox data. Reporting also notes the flaw was patched in November and later added by CISA to its Known Exploited Vulnerabilities catalog, with U.S. federal civilian agencies ordered to remediate within two weeks under BOD 22-01. The operation stood out for abusing a trusted webmail environment to hijack authenticated sessions without deploying traditional malware, helping the intrusion evade many standard phishing and endpoint defenses.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2025-66376 to KEV catalog
CISA added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog after the flaw was observed in active exploitation. The agency ordered U.S. federal civilian agencies to remediate affected Zimbra servers within two weeks, with reporting citing an April 1, 2026 deadline.
Zimbra patches CVE-2025-66376 in supported releases
Synacor released fixes for CVE-2025-66376 in Zimbra versions 10.1.13 and 10.0.18. The vulnerability involved insufficient sanitization of CSS @import directives in Classic UI, enabling attacker-controlled JavaScript execution when a victim opened a malicious email.
APT28 linked to exploitation of Zimbra flaw CVE-2025-66376
Seqrite Labs attributed the campaign with medium confidence to APT28, the GRU-linked group also known as Fancy Bear. The attackers exploited the stored XSS flaw CVE-2025-66376 in Zimbra Classic UI to steal credentials, session tokens, backup 2FA codes, browser-saved passwords, and up to 90 days of mailbox data.
Operation GhostMail targets Ukrainian government via Zimbra phishing
A Russian espionage campaign later tracked as Operation GhostMail targeted Ukrainian government entities, including the State Hydrographic Service/State Hydrology Agency and a national maritime agency, using Ukrainian-language phishing emails. The emails embedded the full exploit chain in HTML content, requiring no attachment or link.
GhostMail command-and-control domains established
Researchers reported that two command-and-control domains used in the Zimbra exploitation campaign were set up on January 20, 2026. This infrastructure later supported the Ukraine-targeted phishing and data-exfiltration activity tied to Operation GhostMail.
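The two operational facts in the timeline above are the fixed releases (10.1.13 and 10.0.18) and that the flaw concerned insufficient handling of CSS @import directives in mail HTML. The following Python helper, added here as an illustration and not taken from Seqrite Labs, Synacor or any of the sources listed below, turns those facts into a defender-side triage check: it compares a Zimbra version string against the fixed release for its branch and flags inbound HTML bodies whose inline CSS carries an @import after the same normalisation a CSS engine applies (comment removal, entity decoding in attributes). The sample message bodies are constructed, and an @import hit is a review indicator for a mail gateway or SOC queue, not a signature for the exploit itself.

```python
"""Triage helper for the Zimbra CVE-2025-66376 story (added example).

is_patched()       - compare a Zimbra version against the fixed releases
                     named in the timeline (10.1.13 and 10.0.18).
find_css_imports() - flag HTML mail whose inline CSS contains @import.
triage()           - combine both into one decision for the review queue.
All sample bodies below are constructed for this example.
"""
import html
import re

# Fixed release per branch, from the patch entry in the timeline.
PATCHED = {"10.1": (10, 1, 13), "10.0": (10, 0, 18)}

_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'10.1.13_GA_4321' -> (10, 1, 13); raises ValueError on junk."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised Zimbra version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(version):
    """True/False for the 10.0 and 10.1 branches; None for a branch the
    patch entry does not name (unknown: check the vendor advisory)."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in PATCHED:
        return None
    return v >= PATCHED[branch]


_STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.I | re.S)
_STYLE_ATTR = re.compile(r"""\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def extract_css(body):
    """Yield (location, css_text) for every place CSS can live in a mail body.
    <style> is a raw-text element, so the HTML parser does not decode entities
    inside it; attribute values are entity-decoded before CSS sees them."""
    chunks = []
    for m in _STYLE_BLOCK.finditer(body):
        chunks.append(("style-element", m.group(1)))
    for m in _STYLE_ATTR.finditer(body):
        value = next(g for g in m.groups() if g is not None)
        chunks.append(("style-attribute", html.unescape(value)))
    return chunks


def normalize_css(css):
    """Look at the text the CSS engine will tokenise: comments removed,
    case folded. Detection on the raw bytes would miss split keywords."""
    return _CSS_COMMENT.sub("", css).lower()


def find_css_imports(body):
    """Return [(location, snippet), ...] for each @import found; [] if none."""
    hits = []
    for where, css in extract_css(body):
        norm = normalize_css(css)
        for m in re.finditer(r"@import\b", norm):
            hits.append((where, norm[m.start():m.start() + 40].strip()))
    return hits


def triage(body, server_version):
    """One verdict string for the SOC queue, combining both checks."""
    hits = find_css_imports(body)
    patched = is_patched(server_version)
    if hits and patched is False:
        return "quarantine: CSS @import in mail body on unpatched server"
    if hits:
        return "review: CSS @import in mail body"
    if patched is False:
        return "patch: server below fixed release"
    if patched is None:
        return "review: server branch not covered by patch entry"
    return "ok"


# Constructed sample bodies (not real campaign artefacts).
SAMPLE_BENIGN = '<p style="color:#333">Internship inquiry</p>'
SAMPLE_SUSPECT = (
    "<html><head><style>\n"
    "body { font-family: sans-serif }\n"
    '@im/**/port url("https://example.invalid/a.css");\n'
    "</style></head><body><p>Hello</p></body></html>"
)
SAMPLE_ATTR = '<div style="&#64;import url(https://example.invalid/b.css)">x</div>'

if __name__ == "__main__":
    for label, body in [("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT), ("attr", SAMPLE_ATTR)]:
        print(label, "->", triage(body, "10.1.12"))
```

The version check deliberately returns None rather than False for branches the patch entry does not mention, so a script does not silently declare an unlisted branch vulnerable or safe; the CSS check deliberately inspects the normalised text because a sanitizer or detector that matches the raw bytes and a browser that tokenises stripped, decoded CSS are looking at two different inputs.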
Sources
8 references tracked.
Russian APT weaponizes critical Zimbra bug in Ukraine-targeted intrusions | brief | SC Media (scworld.com)
US disrupts Handala hacktivist websites | brief | SC Media (scworld.com)
New Speagle malware hijacks Cobra DocGuard for data theft | brief | SC Media (scworld.com)
Russian APT Exploits Zimbra XSS to Target Ukrainian Government in ‘Operation GhostMail’ (cybersecuritynews.com)
Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376 (securityaffairs.com)
Russian hackers exploit Zimbra flaw to breach Ukrainian maritime agency | The Record from Recorded Future News (therecord.media)
Russian hackers exploit Zimbra flaw in Ukrainian govt attacks (bleepingcomputer.com)
Operation GhostMail: Russian APT Exploits Zimbra XSS to Target Ukraine Government - Infosec.Pub (infosec.pub)