Russian Hackers Target Ukraine via Zimbra Vulnerability

Summary
– Russian state-backed hackers (APT28) are exploiting a high-severity Zimbra vulnerability (CVE-2025-66376) to target Ukrainian government entities.
– The vulnerability is a stored cross-site scripting (XSS) flaw: an unauthenticated attacker who can get a crafted email into a mailbox has arbitrary JavaScript executed in the victim's webmail session, which compromises the account and, from there, the email server.
– U.S. cybersecurity agency CISA has added this flaw to its catalog and mandated federal agencies to patch their systems within two weeks.
– The attack uses a single phishing email whose HTML body carries the malicious payload; when the message is opened in a vulnerable Zimbra webmail session it silently harvests credentials, session data, and mailbox contents.
– Zimbra software is a frequent target for state-sponsored groups, with Russian hackers like Winter Vivern and APT29 also exploiting its vulnerabilities in widespread campaigns.
A cyber espionage campaign is actively exploiting a high-severity vulnerability in Zimbra Collaboration Suite to target Ukrainian government agencies. The attack, attributed to the Russian state-backed hacking group APT28, leverages a stored cross-site scripting flaw tracked as CVE-2025-66376. Because the flaw is a stored XSS, an unauthenticated attacker needs only to deliver a crafted message: the attacker's JavaScript then runs in the victim's browser with the victim's webmail session, giving full access to the account and a path to compromising the email server. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added this vulnerability to its catalog of known exploited flaws, mandating federal agencies to patch their systems within a strict two-week deadline.
Security researchers at Seqrite Labs identified the ongoing operation, named GhostMail, which has specifically targeted Ukrainian critical infrastructure. One confirmed victim is the Ukrainian State Hydrology Agency, a vital entity responsible for navigational and maritime support. The attack methodology is notably stealthy. The phishing emails contain no malicious attachments or suspicious links; the entire malicious payload is embedded directly within the HTML body of a single message. When a recipient opens such an email within a vulnerable Zimbra webmail session, an obfuscated JavaScript payload silently activates.
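A lure of this shape carries no attachment and no link, so a gateway that only scans those will pass it. The check below is an added example written for this page, not Zimbra code and not Seqrite's detection: it parses a message, pulls out every text/html part and flags content that a webmail client must never execute from a message body (script and embedding elements, on* event handlers, javascript:/vbscript:/data: URIs, and script tokens such as eval/atob that obfuscated stealers lean on). The two sample messages and the rule set are constructed for the example; the tokens are a heuristic, not a signature of the GhostMail payload.

```python
"""Gateway-side check for active content in HTML mail bodies.

Added example; not Zimbra code or the Seqrite detection. The rule set is an
assumption about what a webmail renderer must never execute from a message,
not a signature for any particular campaign.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Elements that have no business in a mail body (assumed rule set).
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}
# Attributes that take a URI and can therefore carry a script scheme.
URI_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
# Calls an obfuscated in-browser stealer tends to rely on.
SUSPICIOUS_JS = re.compile(
    r"\b(eval|atob|unescape|Function)\s*\(|String\.fromCharCode|document\.cookie|localStorage"
)


class ActiveContentScanner(HTMLParser):
    """Collects findings for every element or attribute that could run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> has event handler {name}")
            elif name in URI_ATTRS and value and SCRIPT_URI.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                self.findings.append(f"<{tag}> {name} uses a {scheme}: URI")


def scan_message(raw: bytes) -> dict:
    """Return findings and a deliver/quarantine verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        scanner = ActiveContentScanner()
        scanner.feed(html)
        scanner.close()
        findings.extend(scanner.findings)
        for m in SUSPICIOUS_JS.finditer(html):
            findings.append(f"suspicious script token {m.group(0).strip()}")
    return {
        "subject": str(msg["subject"]),
        "findings": findings,
        "verdict": "quarantine" if findings else "deliver",
    }


# Constructed sample messages; neither is a real message from the campaign.
BENIGN = b"""\
From: ops@example.org
To: analyst@example.gov
Subject: Weekly bulletin
Content-Type: text/html; charset=utf-8

<html><body><p>The weekly report is at
<a href="https://intranet.example.gov/reports/week-48">this link</a>.</p></body></html>
"""

SUSPECT = b"""\
From: notice@example.org
To: analyst@example.gov
Subject: Updated navigation notice
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the notice below.</p>
<img src="x" onerror="eval(atob('YWxlcnQoMSk='))">
<a href="javascript:void(0)">Open notice</a>
</body></html>
"""

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        result = scan_message(sample)
        print(result["verdict"], result["subject"])
        for finding in result["findings"]:
            print("  -", finding)
```

The real fix for a stored XSS is an allowlist-based sanitizer in the webmail renderer, applied to every HTML part before it reaches the DOM; a gateway heuristic like this one only catches lures whose obfuscation does not hide the hooks it looks for, and it is worth keeping as defence in depth while the patch is rolled out.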
This script operates in the background of the user's browser, initiating a comprehensive data theft operation. It harvests login credentials, active session tokens, backup two-factor authentication codes, and even passwords saved within the browser itself. The script also exfiltrates the complete contents of the victim's email mailbox, pulling messages from the previous ninety days. Researchers note that the stolen data is sent out over both DNS and HTTPS channels, so blocking one channel does not stop the leak and detection has to cover both.
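Exfiltration over DNS is usually visible in resolver logs as a burst of long, high-entropy subdomains hung under one parent domain from a single client. The script below is an added example, not part of the report or of any vendor tool: it scores the leftmost label of each query by length and Shannon entropy, then groups suspicious queries by (client, parent domain) and reports only parents that received several distinct encoded-looking subdomains. The log format, the thresholds and the sample log are assumptions constructed for the example; a single long legitimate hostname is deliberately included to show why the per-parent count, not the per-query score, drives the alert.

```python
"""Spot DNS-based exfiltration in resolver query logs.

Added example; not from the GhostMail report or any vendor. The log format,
thresholds and grouping rule are assumptions made for this illustration.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>".
# The cdn-sync.example.net queries imitate a client pushing encoded data out
# one subdomain at a time; the rest is ordinary traffic, including one long
# but legitimate-looking hostname that must not raise an alert on its own.
QUERY_LOG = """\
2025-12-01T10:00:01 10.0.0.5 mail.example.gov A
2025-12-01T10:00:02 10.0.0.5 www.example.org A
2025-12-01T10:00:02 10.0.0.5 outlook-office365-telemetry.example.com A
2025-12-01T10:00:03 10.0.0.5 k7q3v9x2mz8wb4npj6ty5rc1hd0lsfga.cdn-sync.example.net TXT
2025-12-01T10:00:03 10.0.0.5 9x2mz8wb4npj6ty5rc1hd0lsfgak7q3v.cdn-sync.example.net TXT
2025-12-01T10:00:04 10.0.0.5 wb4npj6ty5rc1hd0lsfgak7q3v9x2mz8.cdn-sync.example.net TXT
2025-12-01T10:00:04 10.0.0.5 6ty5rc1hd0lsfgak7q3v9x2mz8wb4npj.cdn-sync.example.net TXT
2025-12-01T10:00:05 10.0.0.5 1hd0lsfgak7q3v9x2mz8wb4npj6ty5rc.cdn-sync.example.net TXT
2025-12-01T10:00:06 10.0.0.7 www.example.org A
"""


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character (5.0 for 32 distinct characters)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(label: str, min_len: int = 24, min_entropy: float = 3.5) -> bool:
    """Per-label score: long and high-entropy is what base32/base64 chunks look like.
    Thresholds are assumptions; tune them against your own resolver traffic."""
    return len(label) >= min_len and label_entropy(label) >= min_entropy


def find_dns_exfil(log_text: str, min_unique: int = 4) -> dict:
    """Group encoded-looking leftmost labels by (client, parent domain) and report
    parents that collected at least min_unique distinct ones. Returns
    {(client, parent): {"unique_subdomains": n, "label_bytes": total_label_length}}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:  # bare registered domain, nothing to carry data in
            continue
        leftmost, parent = labels[0], ".".join(labels[1:])
        if looks_encoded(leftmost):
            seen[(client, parent)].add(leftmost)
    return {
        key: {"unique_subdomains": len(subs), "label_bytes": sum(len(s) for s in subs)}
        for key, subs in seen.items()
        if len(subs) >= min_unique
    }


if __name__ == "__main__":
    for (client, parent), stats in find_dns_exfil(QUERY_LOG).items():
        print(f"{client} -> {parent}: {stats['unique_subdomains']} encoded subdomains, "
              f"{stats['label_bytes']} bytes of label data")
```

The per-parent grouping matters: a single long hostname such as the telemetry name above can clear the entropy threshold by itself, but it is one name, whereas a stealer chunking a mailbox out over DNS produces many distinct labels under one parent in a short window. In production the same grouping should be done per time window and the parent should be derived from the public suffix list rather than by label position.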
Zimbra’s widespread adoption by government and commercial organizations globally makes it a high-value target for advanced threat actors. Russian-linked hacking groups have a documented history of targeting Zimbra vulnerabilities to conduct espionage. For example, the Winter Vivern group, also associated with Russian interests, used a different reflected XSS flaw throughout 2023 to breach Zimbra portals and spy on communications within NATO-aligned governments and diplomatic circles.
In a separate but related warning last October, cybersecurity agencies from the United States and United Kingdom reported that another Russian group, APT29, was conducting mass-scale attacks on vulnerable Zimbra servers. That campaign exploited an older vulnerability to steal email credentials en masse. These repeated incidents underscore the persistent threat to this common collaboration platform. Organizations using Zimbra are urged to apply the latest security patches immediately to protect against these advanced and ongoing threats.
(Source: BleepingComputer)