Operation GhostMail: Russian APT Exploits Zimbra XSS to Target Ukraine Government

March 17, 2026, 7:48 p.m.

Description

A sophisticated phishing campaign targeting a Ukrainian government agency exploits a cross-site scripting vulnerability in Zimbra Collaboration Suite. The attack, attributed to a Russian APT group, uses a seemingly innocuous internship inquiry email to deliver a malicious JavaScript payload. When opened in a vulnerable Zimbra webmail session, the script silently executes, harvesting credentials, session tokens, 2FA codes, and mailbox contents. The multi-stage attack employs obfuscation techniques, SOAP API abuse, and dual-channel exfiltration via DNS and HTTPS. The campaign demonstrates the evolution of webmail-focused intrusions, relying on browser-resident stealers rather than traditional malware binaries.
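As an added example (not part of this record), a small defender-side scan that walks DNS query logs for the campaign infrastructure listed under Additional Information: exact hits on the listed hostnames are reported as indicator matches, and any other `js-<random>` host under those domains is flagged as a likely sibling of the DNS exfiltration channel described above. The log format, the `parse_line()` regex and the sample lines are constructed assumptions; adapt them to your resolver.

```python
import re

# Campaign infrastructure as listed on this page.
IOC_DOMAINS = {
    "zimbrasoft.com.ua",
    "i.zimbrasoft.com.ua",
    "js-l1wt597cimk.i.zimbrasoft.com.ua",
    "js-26tik3egye4.i.zimbrasoft.com.ua",
}
# The listed hosts follow js-<random label>.i.zimbrasoft.com.ua; this pattern
# generalises that observation to sibling hostnames (assumption, not from the page).
EXFIL_LABEL = re.compile(r"^js-[a-z0-9]{8,}$")

# Constructed sample DNS log lines in a dnsmasq-like "query[TYPE] name from ip" form.
SAMPLE_LOG = """\
Mar 17 10:02:11 dns dnsmasq[1]: query[A] mail.agency.example from 10.1.2.3
Mar 17 10:02:15 dns dnsmasq[1]: query[A] js-l1wt597cimk.i.zimbrasoft.com.ua from 10.1.2.3
Mar 17 10:02:16 dns dnsmasq[1]: query[TXT] js-9zq4w8rp2m.i.zimbrasoft.com.ua from 10.1.2.3
Mar 17 10:02:20 dns dnsmasq[1]: query[A] cdn.example.net from 10.1.2.9
"""

LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")

def parse_line(line):
    """Extract query type, queried name and source IP; None for non-query lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def classify(name):
    """Return ('ioc', reason), ('suspect', reason) or None for a queried name."""
    name = name.lower().rstrip(".")
    if name in IOC_DOMAINS:
        return ("ioc", "exact indicator match")
    labels = name.split(".")
    for i in range(1, len(labels)):           # walk parent domains right to left
        parent = ".".join(labels[i:])
        if parent in IOC_DOMAINS:
            if EXFIL_LABEL.match(labels[0]):
                return ("suspect", f"js-* host under indicator domain {parent}")
            return ("suspect", f"subdomain of indicator domain {parent}")
    return None

def scan(log_text):
    """Return one dict per flagged query, keeping source IP for triage."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec["name"]) if rec else None
        if verdict:
            hits.append({**rec, "verdict": verdict[0], "reason": verdict[1]})
    return hits
```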

Date

  • Created: March 17, 2026, 3:40 p.m.
  • Published: March 17, 2026, 3:40 p.m.
  • Modified: March 17, 2026, 7:48 p.m.

Attack Patterns

Additional Information

  • Government
  • i.zimbrasoft.com.ua
  • zimbrasoft.com.ua
  • js-l1wt597cimk.i.zimbrasoft.com.ua
  • js-26tik3egye4.i.zimbrasoft.com.ua
  • Ukraine

Linked vulnerabilities