{
  "name": "Operation GhostMail: Russian APT Exploits Zimbra XSS to Target Ukraine Government",
  "slug": "operation-ghostmail-russian-apt-exploits-zimbra-xss-to-target-ukraine-government",
  "description": "A sophisticated phishing campaign targeting a Ukrainian government agency exploits a cross-site scripting vulnerability in Zimbra Collaboration Suite. The attack, attributed to a Russian APT group, uses a seemingly innocuous internship inquiry email to deliver a malicious JavaScript payload. When opened in a vulnerable Zimbra webmail session, the script silently executes, harvesting credentials, session tokens, 2FA codes, and mailbox contents. The multi-stage attack employs obfuscation techniques, SOAP API abuse, and dual-channel exfiltration via DNS and HTTPS. The campaign demonstrates the evolution of webmail-focused intrusions, relying on browser-resident stealers rather than traditional malware binaries.",
  "published": "2026-03-17T14:40:08+00:00",
  "created_at": "2026-03-17T14:40:08+00:00",
  "modified_at": "2026-03-17T18:48:07+00:00",
  "created_at_opencti": "2026-03-17T14:40:08+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-17",
    "CVE-2025-66376",
    "browser-stealer",
    "exfiltration",
    "government",
    "phishing",
    "russia",
    "soap api",
    "spypress.zimbra",
    "ukraine",
    "webmail",
    "xss",
    "zimbra"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "33b56870-067b-40a3-8e95-03459d8a008d",
        "name": "SpyPress.ZIMBRA",
        "slug": "spypresszimbra"
      }
    ],
    "intrusion_sets": [
      {
        "id": "2e5c75e1-c481-46c4-8d26-f0774a3457fa",
        "name": "APT28",
        "slug": "apt28"
      }
    ],
    "attack_patterns": [
      {
        "id": "2ab37c37-62b9-4750-bfb0-c692ccdd36ac",
        "name": "T1114.002"
      },
      {
        "id": "e73b317e-ea92-49b4-a45d-051f7279aced",
        "name": "T1213"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "6b5f1e68-aec7-4ea0-9777-62156da790a7",
        "name": "T1069"
      },
      {
        "id": "5882a135-5b7e-4caf-93e8-80f7df41cef2",
        "name": "T1564.001"
      },
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "d9601f18-8c35-4539-bca7-d0f00c17cb2e",
        "name": "T1087.003"
      },
      {
        "id": "415f839d-5ae7-41fb-92c3-090f3226055d",
        "name": "T1586.002"
      },
      {
        "id": "469ac6f1-45e1-4965-b1fa-0bb3e7def5ae",
        "name": "T1111"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "d955a391-6fd0-4eb2-8767-973c39c761e0",
        "name": "T1120"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "ce39cd5d-9e4c-4138-b546-abd68e57f8c2",
        "name": "T1071.004"
      },
      {
        "id": "b5b8a750-44c3-455d-8b8c-a29ae078f148",
        "name": "T1098.001"
      },
      {
        "id": "e46a9411-d2a1-47c9-8820-c7f818f4c0b5",
        "name": "T1203"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-66376"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "i.zimbrasoft.com.ua"
      },
      {
        "id": "",
        "name": "zimbrasoft.com.ua"
      },
      {
        "id": "",
        "name": "js-l1wt597cimk.i.zimbrasoft.com.ua"
      },
      {
        "id": "",
        "name": "js-26tik3egye4.i.zimbrasoft.com.ua"
      }
    ]
  },
  "external_refs": [
    "https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/",
    "https://otx.alienvault.com/pulse/69b975d80c8af764ef55c18f"
  ]
}