Operation GhostMail: Russian APT Exploits Zimbra XSS to Target…

216.73.217.22

Operation GhostMail: Russian APT Exploits Zimbra XSS to Target Ukraine Government

· Published 17/03/2026 15:40 · Modified 17/03/2026 19:48

Essential information

Published: 17/03/2026 15:40
Modified: 17/03/2026 19:48
Tags: 2026-03-17 CVE-2025-66376 browser-stealer exfiltration government phishing russia soap api spypress.zimbra ukraine webmail xss zimbra
Related entities: 1 vulnerabilities (cve), 1 intrusion sets (apt), 21 techniques (mitre), 1 malware, 6 others

Description

A sophisticated phishing campaign targeting a Ukrainian government agency exploits a cross-site scripting vulnerability in Zimbra Collaboration Suite. The attack, attributed to a Russian APT group, uses a seemingly innocuous internship inquiry email to deliver a malicious JavaScript payload. When opened in a vulnerable Zimbra webmail session, the script silently executes, harvesting credentials, session tokens, 2FA codes, and mailbox contents. The multi-stage attack employs obfuscation techniques, SOAP API abuse, and dual-channel exfiltration via DNS and HTTPS. The campaign demonstrates the evolution of webmail-focused intrusions, relying on browser-resident stealers rather than traditional malware binaries.