A Russia-linked advanced persistent threat (APT) group has carried out an intrusion against a Ukrainian government agency. The attack exploited a cross-site scripting (XSS) flaw in the Zimbra Collaboration Suite to steal credentials and sensitive email data.
Details of Operation GhostMail
Known as “Operation GhostMail,” the campaign is notable for lacking the usual phishing indicators: the message carried no malicious attachment and no suspicious link. It began on January 22, 2026, with an email sent to the Ukrainian State Hydrology Agency. Written in Ukrainian and framed as a student inquiry, the message gave no outward sign of malicious intent.
The email was submitted to VirusTotal on February 26, 2026, where Seqrite researchers identified it; at submission time no engine had flagged it. Its HTML body contained a base64-encoded JavaScript payload inside a display:none block, invisible to the reader but still parsed by the mail client, that targeted a vulnerability in Zimbra. Because the payload lives in the message body itself, attachment sandboxing and URL rewriting never see it.
Exploitation of Zimbra XSS Vulnerability
The attack exploited CVE-2025-66376, a stored XSS vulnerability that Zimbra patched in versions 10.0.18 and 10.1.13 in November 2025; the January 2026 attack therefore hit an instance that was still unpatched two months after the fix shipped. The flaw stemmed from insufficient sanitization of HTML email content, specifically CSS @import directives, which let attacker-supplied content execute when the message was rendered. Because the XSS is stored, no click was required: as soon as the recipient opened the message in Zimbra’s Classic UI, the payload ran silently.
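The two traits described above, a hidden display:none block and a long base64 run inside it that decodes to script or a CSS @import, are exactly what a mail-gateway triage rule can look for. The following Python script is an added example written for this article, not code from Seqrite or from the Zimbra project. It walks an HTML body, collects the text of every element styled display:none, decodes any base64 run of 64 or more characters found there, and reports runs whose decoded content matches active-content markers. SAMPLE_EMAIL and BENIGN_EMAIL are constructed inputs; the domain c2.example.invalid and the decoded snippet are illustrative and are not the campaign’s real payload.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Markers that a decoded blob is active content rather than text. This is a triage
# heuristic for mail inspection, not a substitute for patching the mail server.
ACTIVE_CONTENT = re.compile(
    r"(<script\b|@import\b|javascript:|\bon\w+\s*=|\beval\s*\(|document\.cookie|localStorage)",
    re.IGNORECASE,
)
# Runs long enough to be a payload rather than an inline token or tracking id.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none", re.IGNORECASE)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "area", "base", "col", "wbr"}


class HiddenBlockCollector(HTMLParser):
    """Collects the text of every element styled display:none, children included."""

    def __init__(self):
        super().__init__()
        self._stack = []        # one bool per open element: did it start a hidden block?
        self._hidden_depth = 0  # > 0 while inside a hidden element
        self._buf = []
        self.blocks = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return  # never closed in HTML, so never pushed on the stack
        style = dict(attrs).get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style))
        self._stack.append(hidden)
        if hidden:
            if self._hidden_depth == 0:
                self._buf = []
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1
            if self._hidden_depth == 0:
                self.blocks.append("".join(self._buf))

    def handle_data(self, data):
        if self._hidden_depth > 0:
            self._buf.append(data)


def decode_b64_candidates(text):
    """Yield (raw_run, decoded_text) for each long base64 run that decodes cleanly."""
    for m in B64_RUN.finditer(text):
        raw = m.group(0)
        padded = raw + "=" * (-len(raw) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        yield raw, decoded.decode("utf-8", errors="replace")


def scan_email_html(html):
    """Return findings for hidden blocks whose base64 content decodes to active content."""
    collector = HiddenBlockCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for block in collector.blocks:
        for raw, decoded in decode_b64_candidates(block):
            hits = sorted({h.lower() for h in ACTIVE_CONTENT.findall(decoded)})
            if hits:
                findings.append({"b64_length": len(raw), "indicators": hits, "preview": decoded[:80]})
    return findings


# Constructed samples, not the campaign's real message. SAMPLE_EMAIL has a harmless hidden
# preheader (common in legitimate mail) plus a hidden block whose base64 decodes to a
# stylesheet import and a script. BENIGN_EMAIL hides base64 that decodes to plain text.
_HIDDEN_SRC = (
    '<style>@import url("https://c2.example.invalid/theme.css");</style>'
    "<script>document.cookie;</script>"
)
SAMPLE_EMAIL = (
    "<html><body>"
    '<div style="display:none;max-height:0">Question about the hydrology course</div>'
    "<p>Dear Sir or Madam,<br>I am a student and have a question about river gauge data.</p>"
    '<div style="DISPLAY: none">' + base64.b64encode(_HIDDEN_SRC.encode()).decode() + "</div>"
    "</body></html>"
)
BENIGN_EMAIL = (
    '<div style="display:none">' + base64.b64encode(b"plain tracking text " * 5).decode() + "</div>"
)

if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL):
        print(f"hidden base64 ({f['b64_length']} chars) decodes to {f['indicators']}: {f['preview']!r}")
```

The regex-based `ACTIVE_CONTENT` check is deliberately broad; in a gateway rule it should be tuned against the organization’s own mail (hidden preheaders and tracking blobs are common and benign) and combined with the patch status of the receiving Zimbra build.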
Seqrite attributed the attack to APT28, also known as Fancy Bear, based on similarities with past Zimbra exploitation tactics and the geopolitical nature of the target. The operation’s focus on Ukraine’s maritime and hydrological infrastructure aligns with Russian cyber activities targeting public-sector organizations amid ongoing tensions.
Two-Stage Attack Mechanism
The attack unfolded in two stages, both executing inside the victim’s browser. In the first stage, a JavaScript loader checked whether it had already been injected, to avoid running twice, then decoded the second-stage payload and injected it into the page. Because the injected script runs in the origin of the webmail session, it inherits the victim’s cookies and browser storage.
In the second stage, the attacker deployed a browser-based stealer that generated a unique identifier per victim. Stolen data was exfiltrated over both HTTPS and DNS, which complicates detection: blocking one channel does not stop the other, and outbound DNS is rarely inspected as closely as web traffic. The hardcoded command-and-control domain had been set up shortly before the attack began, so it carried no prior reputation when the data started flowing.
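The DNS leg of the exfiltration described above leaves a recognizable footprint in resolver logs: many distinct, high-entropy leftmost labels under one registered domain, and, per client, a label that never changes (the per-victim identifier). The following Python script is an added example written for this article, not Seqrite’s detection logic and not Zimbra code. It parses a constructed resolver log, flags registered domains whose leftmost labels look like encoded data, and then recovers the constant label per client under each flagged domain. SAMPLE_DNS_LOG, its “timestamp client qname qtype” format, the client addresses and the domain exfil-example.invalid are all constructed; the last-two-labels rule for the registered domain is an assumption for the example and should be replaced by a Public Suffix List lookup in real use.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log (not real traffic): "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2026-01-22T09:15:01Z 10.20.30.41 www.example.org A
2026-01-22T09:15:02Z 10.20.30.41 mail.example.org A
2026-01-22T09:15:03Z 10.20.30.42 cdn.example.org A
2026-01-22T09:16:10Z 10.20.30.41 4a7f1e2c9b3d8e0f6a5c1b2d.a1b2c3d4.exfil-example.invalid TXT
2026-01-22T09:16:11Z 10.20.30.41 0f9e8d7c6b5a4f3e2d1c0b9a.a1b2c3d4.exfil-example.invalid TXT
2026-01-22T09:16:12Z 10.20.30.41 7c3a9f1e5b2d8c4a6f0e1b9d.a1b2c3d4.exfil-example.invalid TXT
2026-01-22T09:16:13Z 10.20.30.41 b2d4f6a8c0e1d3f5a7b9c1e3.a1b2c3d4.exfil-example.invalid TXT
2026-01-22T09:16:14Z 10.20.30.41 e1c3a5f7b9d0e2c4a6f8b0d2.a1b2c3d4.exfil-example.invalid TXT
2026-01-22T09:17:01Z 10.20.30.43 5d9b3f7a1c2e8d4f0a6b2c8e.9e8d7c6b.exfil-example.invalid TXT
2026-01-22T09:17:02Z 10.20.30.43 c8e2a4f6b0d1c3e5a7f9b1d3.9e8d7c6b.exfil-example.invalid TXT
2026-01-22T09:17:03Z 10.20.30.43 3f1d5b7a9c2e4f6d8a0c2e4b.9e8d7c6b.exfil-example.invalid TXT
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of s; encoded data scores high, words like 'mail' score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption for this example: the last two labels. Production code should use the
    # Public Suffix List so that "example.co.uk" is not reduced to "co.uk".
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        ts, client, qname, qtype = m.groups()
        records.append({"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype})
    return records


def find_exfil_domains(records, min_unique=5, min_entropy=3.0):
    """Return {domain: stats} for domains whose leftmost labels look like encoded data."""
    per_domain = defaultdict(list)
    for r in records:
        per_domain[registered_domain(r["qname"])].append(r)
    flagged = {}
    for domain, recs in per_domain.items():
        qnames = {r["qname"] for r in recs}
        if len(qnames) < min_unique:
            continue  # a handful of hosts under a domain is normal browsing
        mean_ent = sum(shannon_entropy(q.split(".")[0]) for q in qnames) / len(qnames)
        if mean_ent < min_entropy:
            continue
        flagged[domain] = {
            "unique_qnames": len(qnames),
            "mean_entropy": round(mean_ent, 2),
            "clients": sorted({r["client"] for r in recs}),
            "qtypes": sorted({r["qtype"] for r in recs}),
        }
    return flagged


def victim_ids(records, domain):
    """Per client, the labels that stay constant across every query to domain."""
    per_client = defaultdict(list)
    for r in records:
        if registered_domain(r["qname"]) == domain:
            per_client[r["client"]].append(r["qname"].split("."))
    depth = len(domain.split("."))
    ids = {}
    for client, label_lists in per_client.items():
        if len(label_lists) < 2:
            continue
        # Middle labels: drop the leftmost (data chunk) and the registered domain itself.
        middles = [labels[1:len(labels) - depth] for labels in label_lists]
        if not all(len(m) == len(middles[0]) for m in middles):
            continue
        constant = [m0 for i, m0 in enumerate(middles[0]) if all(m[i] == m0 for m in middles)]
        if constant:
            ids[client] = ".".join(constant)
    return ids


if __name__ == "__main__":
    recs = parse_log(SAMPLE_DNS_LOG)
    for domain, stats in find_exfil_domains(recs).items():
        print(domain, stats, "victim ids:", victim_ids(recs, domain))
```

Domain age is a separate enrichment: a freshly set-up domain that also scores high here deserves an immediate block at the resolver, which is the DNS-filtering control the mitigation section calls for.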
Mitigation Measures and Recommendations
Organizations running Zimbra should upgrade to a patched release (10.0.18, 10.1.13 or later). Administrators should audit accounts for app-specific passwords the user did not create, since an attacker-added one is a separate credential that grants mail access without the primary password; monitor the SOAP API for unusual requests; enforce DNS filtering against the identified threat domains; and disable IMAP and POP3 access where it is not needed.
Employees need to be aware that even emails without attachments or external links can carry harmful payloads. Enhanced vigilance and security training are essential in identifying and mitigating such sophisticated threats.
