A Russian state-affiliated threat actor has launched a targeted attack on a Ukrainian government organization, exploiting a cross-site scripting (XSS) flaw in Zimbra Collaboration Suite to steal credentials and confidential email data.
Dubbed "Operation GhostMail," the campaign is notable for its complete absence of conventional attack indicators: no malicious attachments, no suspicious links, and no macros.
The attack was delivered by a phishing email received on January 22, 2026, by the Ukrainian State Hydrology Agency, a critical national infrastructure body under Ukraine's Ministry of Infrastructure.
The email, written in Ukrainian, posed as a routine internship inquiry from a supposed fourth-year student at the National Academy of Internal Affairs (NAVS).
It was worded to appear harmless, even apologizing in case it reached the wrong recipient, a common technique for disarming the target's suspicion.
Seqrite analysts uncovered the operation after the phishing message was uploaded to VirusTotal on February 26, 2026, with zero detections at that time.
Hidden in the email's HTML body was a large base64-encoded JavaScript payload, tucked inside a div styled display:none.
The exploit targeted CVE-2025-66376, a stored XSS vulnerability in Zimbra Collaboration Suite patched in ZCS 10.0.18 and 10.1.13 in November 2025.
The vulnerability stems from insufficient sanitization of HTML content delivered through CSS @import directives. When the email is opened in Zimbra's Classic UI with an authenticated session active, the payload runs silently in the user's browser; no further interaction is required.
Based on technical overlaps with previously documented Zimbra exploitation patterns and the geopolitical context of the target, Seqrite attributed Operation GhostMail to APT28 (Fancy Bear) with moderate confidence.
Targeting a Ukrainian government agency responsible for maritime and hydrological infrastructure is consistent with the Russian state-sponsored cyber operations observed against public-sector entities during the ongoing conflict.
Once the payload ran, the attacker silently harvested session tokens, login credentials, backup two-factor authentication codes, browser-stored passwords, and up to 90 days of the victim's email, all without triggering any alert.
Data was exfiltrated over both HTTPS and DNS channels, which complicates detection by conventional network filtering.
Two-Stage Infection Process
The attack unfolded in two clearly defined stages, both running entirely in the victim's browser without writing anything to disk.
In Stage 1, the JavaScript loader first checked whether a script element with the ID "zmb_pl_v3_" was already present, preventing duplicate injection.
It then decoded a base64 blob with atob() and XOR-decrypted the result with the key "twichcba5e" to unpack the final JavaScript payload.
The decoded script was injected into the top-level document, escaping the webmail's iframe sandbox and inheriting full access to the browser's cookies, localStorage, and the same-origin SOAP API.
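The base64-then-XOR unpacking described in Stage 1, as an added example that is not code from the Seqrite write-up or from the attacker's loader: a small Node.js decoder an analyst can use to unpack a captured stage-1 blob offline. The key "twichcba5e" and the marker ID "zmb_pl_v3_" are the values reported in the article; the email HTML and the "stage 2" script the block encodes are constructed stand-ins, and the display:none extraction regex is an assumption about the markup, not a description of the real email.

```javascript
// Added example (not Seqrite's or the attacker's code): unpack a stage-1 blob
// that was packed as XOR(plaintext, repeating key) and then base64-encoded.
// KEY is the value reported for Operation GhostMail; the sample email below is
// constructed for this example and is NOT the real phishing message.

const KEY = "twichcba5e";
const LOADER_MARKER = "zmb_pl_v3_"; // script ID the real loader checks for

// Repeating-key XOR over raw bytes. XOR is symmetric, so one routine packs
// and unpacks; the key index wraps with modulo.
function xorBytes(bytes, key) {
  const keyBytes = Buffer.from(key, "utf8");
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ keyBytes[i % keyBytes.length];
  }
  return out;
}

// Mirrors the loader: base64-decode, then XOR with the key. Buffer is used
// instead of atob() so bytes above 0x7f survive intact.
function unpackPayload(b64, key = KEY) {
  const raw = Buffer.from(b64, "base64");
  return xorBytes(raw, key).toString("utf8");
}

// Inverse of unpackPayload; used here only to build the constructed fixture.
function packPayload(plaintext, key = KEY) {
  return xorBytes(Buffer.from(plaintext, "utf8"), key).toString("base64");
}

// Pull a base64 blob out of a display:none div. The markup shape is an
// assumption for this example; adapt the pattern to the sample in hand.
function extractHiddenBlob(html) {
  const m = html.match(
    /<div[^>]*display\s*:\s*none[^>]*>([A-Za-z0-9+/=\s]+)<\/div>/i
  );
  return m ? m[1].replace(/\s+/g, "") : null;
}

// Constructed, benign stand-in for the stage-2 script.
const SAMPLE_STAGE2 =
  'if(!document.getElementById("' + LOADER_MARKER + '")){/* stage 2 here */}';
const SAMPLE_EMAIL_HTML =
  "<p>Good day, I am a fourth-year student looking for an internship.</p>" +
  '<div style="display:none">' + packPayload(SAMPLE_STAGE2) + "</div>";

// Triage one email body: locate the blob, decode it, report obvious markers.
function triageEmail(html) {
  const blob = extractHiddenBlob(html);
  if (!blob) return { found: false };
  const script = unpackPayload(blob);
  return {
    found: true,
    blobLength: blob.length,
    mentionsLoaderId: script.includes(LOADER_MARKER),
    script,
  };
}

console.log(JSON.stringify(triageEmail(SAMPLE_EMAIL_HTML), null, 2));
```

Because XOR is its own inverse, the same routine the loader uses to unpack is all an analyst needs; the only detail that matters is that atob() returns a binary string, so decoding with a byte-safe API (Buffer here) avoids mangling any non-ASCII bytes in the packed script.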
Stage 2 delivered the full browser stealer, which began by generating a unique 12-character alphanumeric token per victim, used as an identifier in every command-and-control (C2) request.
The hardcoded C2 domain was zimbrasoft[.]com[.]ua, registered on January 20, 2026, two days before the phishing email arrived. Nine concurrent data-collection tasks were launched to maximize extraction within a single browser session.
These tasks captured email content, server configuration, CSRF tokens, mobile device profiles, OAuth application grants, backup 2FA codes, and browser-autofilled credentials.
The attack also silently enabled IMAP access on the victim's account and created a persistent app-specific password labeled "ZimbraWeb," giving the attacker ongoing mailbox access that survives a full password reset, since app-specific passwords are separate credentials and are not invalidated by changing the primary password.
Organizations still running Zimbra 8.8.15 are urged to upgrade promptly to a patched 10.x release (10.0.18 or 10.1.13 and later).
Administrators should audit all accounts for app-specific passwords named "ZimbraWeb" and revoke them immediately.
SOAP API monitoring should be in place: calls to GetScratchCodesRequest and CreateAppSpecificPasswordRequest are rare in normal use and warrant immediate investigation.
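The SOAP monitoring recommended above, as an added example that is not part of the article or of Zimbra's own tooling: a Node.js detector that scans mailbox.log-style lines for the two request names named in the article and groups hits per account, so a GetScratchCodesRequest followed by a CreateAppSpecificPasswordRequest from one account stands out. The four log lines are constructed for this example and only approximate mailbox.log's layout (request name in the bracketed thread context, then "soap - <Request> elapsed=N"); the field names, accounts and IP addresses are assumptions, so check the regex against your deployment's actual log format before relying on it.

```javascript
// Added example (not from Seqrite or Zimbra): flag rare, high-value SOAP
// calls in mailbox.log-style records. SAMPLE_LOG is constructed for this
// example and approximates the layout; verify against real logs first.

const WATCHED_SOAP = new Set([
  "GetScratchCodesRequest",
  "CreateAppSpecificPasswordRequest",
]);

// Constructed sample. Line 2 and 3 are the pair the article says to look for.
const SAMPLE_LOG = `
2026-01-22 09:58:10,101 INFO  [qtp1-44:https://mail.example.ua/service/soap/SearchRequest] [name=hydro.user@example.ua;mid=17;ip=10.0.0.5;ua=zclient/10.0.9;] soap - SearchRequest elapsed=12
2026-01-22 10:03:41,552 INFO  [qtp1-51:https://mail.example.ua/service/soap/GetScratchCodesRequest] [name=hydro.user@example.ua;mid=17;ip=10.0.0.5;ua=zclient/10.0.9;] soap - GetScratchCodesRequest elapsed=8
2026-01-22 10:03:42,018 INFO  [qtp1-51:https://mail.example.ua/service/soap/CreateAppSpecificPasswordRequest] [name=hydro.user@example.ua;mid=17;ip=10.0.0.5;ua=zclient/10.0.9;] soap - CreateAppSpecificPasswordRequest elapsed=31
2026-01-22 11:15:00,700 INFO  [qtp1-60:https://mail.example.ua/service/soap/GetInfoRequest] [name=other.user@example.ua;mid=22;ip=10.0.0.9;ua=zclient/10.0.9;] soap - GetInfoRequest elapsed=5
`;

// Parse one record into {ts, request, account, ip, ua}; null for non-SOAP lines.
function parseSoapLine(line) {
  const m = line.match(
    /^(\S+ \S+)\s+\w+\s+\[[^\]]*\]\s+\[([^\]]*)\]\s+soap - (\w+)\s+elapsed=(\d+)/
  );
  if (!m) return null;
  const ctx = Object.fromEntries(
    m[2].split(";").filter(Boolean).map((kv) => kv.split("=", 2))
  );
  return { ts: m[1], request: m[3], account: ctx.name, ip: ctx.ip, ua: ctx.ua };
}

// Collect watched calls per account and grade them: seeing every watched
// request from the same account (scratch codes read, then an app password
// minted) is the pattern described above and gets "high".
function detectSuspiciousSoap(logText, watched = WATCHED_SOAP) {
  const byAccount = new Map();
  for (const raw of logText.split("\n")) {
    const rec = parseSoapLine(raw.trim());
    if (!rec || !watched.has(rec.request)) continue;
    if (!byAccount.has(rec.account)) byAccount.set(rec.account, []);
    byAccount.get(rec.account).push(rec);
  }
  const alerts = [];
  for (const [account, hits] of byAccount) {
    const requests = new Set(hits.map((h) => h.request));
    alerts.push({
      account,
      sourceIps: [...new Set(hits.map((h) => h.ip))],
      userAgents: [...new Set(hits.map((h) => h.ua))],
      requests: [...requests].sort(),
      severity: requests.size === watched.size ? "high" : "medium",
      firstSeen: hits[0].ts,
    });
  }
  return alerts;
}

console.log(JSON.stringify(detectSuspiciousSoap(SAMPLE_LOG), null, 2));
```

In a real deployment the same grouping is worth extending with the source IP and user agent of the session that issued the calls: an XSS-driven request will carry the victim's own browser and address, so a mismatch against the account's usual client is not the signal here, but the request pair itself is.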
DNS filtering should block the identified IOC domains, and IMAP or POP3 access should be disabled for accounts without a clear business need.
Employees should also understand that a clean-looking email with no attachments and no external links can still carry a fully functional malicious payload hidden in its HTML body.