A hacker linked to the Russian government has targeted a Ukrainian government agency with a cyberattack that exploits a cross-site scripting (XSS) flaw in Zimbra Collaboration Suite to steal login credentials and private email data. The campaign, dubbed "Operation GhostMail", differs from other attacks in that it shows none of the usual signs of an attack, such as malicious file attachments, suspicious links, or macros.
The attack began on January 22, 2026, when the Ukrainian State Hydrology Agency, a critical-infrastructure body under the Ministry of Infrastructure, received a phishing email. The email, written in Ukrainian, posed as a routine internship request from a supposed fourth-year student at the National Academy of Internal Affairs (NAVS).
The message was crafted to sound innocent, and it even included an apology in case it had reached the wrong inbox, a common technique for lowering the recipient's guard.

Defenders should set up SOAP API monitoring: calls to GetScratchCodesRequest and CreateAppSpecificPasswordRequest are very rare in normal use and warrant immediate investigation. DNS filtering should be enforced for the identified IOC domains, and IMAP and POP3 access should be disabled for accounts without a clear business need.
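As an added illustration of the SOAP monitoring recommendation (example code, not from the original report or from Zimbra), the script below scans constructed log lines for the two rare request types and notes whether each came from an IP address the account had not used for its ordinary requests earlier in the log; the line layout is an assumption for this example, not Zimbra's real log format.

```python
import re

# Request types the report singles out as rare in normal use.
RARE_SOAP_REQUESTS = {"GetScratchCodesRequest", "CreateAppSpecificPasswordRequest"}

# Constructed sample lines. The layout "<date> <time> INFO [soap];<Request>;name=<user>;ip=<addr>"
# is assumed for this example only; adapt LINE_RE to the real mailbox log format.
SAMPLE_LOG = """\
2026-01-22 09:14:02,113 INFO [soap];SearchRequest;name=analyst@example.test;ip=203.0.113.10
2026-01-22 09:14:05,440 INFO [soap];GetMsgRequest;name=analyst@example.test;ip=203.0.113.10
2026-01-22 09:15:31,902 INFO [soap];GetScratchCodesRequest;name=analyst@example.test;ip=198.51.100.7
2026-01-22 09:15:33,118 INFO [soap];CreateAppSpecificPasswordRequest;name=analyst@example.test;ip=198.51.100.7
2026-01-22 09:16:00,001 INFO [soap];NoOpRequest;name=other@example.test;ip=203.0.113.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[soap\];(?P<req>\w+);name=(?P<user>[^;]+);ip=(?P<ip>\S+)$"
)


def parse(text):
    """Yield one dict per line matching the assumed layout; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_rare_requests(text):
    """Return alerts for the rare request types, in log order.

    Each alert carries new_ip=True when the source IP was not seen in any of that
    account's ordinary (non-rare) requests earlier in the log, which is the case
    to escalate first: a fresh client minting recovery codes or app passwords.
    """
    usual_ips = {}
    alerts = []
    for e in parse(text):
        if e["req"] in RARE_SOAP_REQUESTS:
            e["new_ip"] = e["ip"] not in usual_ips.get(e["user"], set())
            alerts.append(e)
        else:
            usual_ips.setdefault(e["user"], set()).add(e["ip"])
    return alerts


if __name__ == "__main__":
    for a in find_rare_requests(SAMPLE_LOG):
        flag = "NEW-IP" if a["new_ip"] else "known-ip"
        print(f"ALERT {a['ts']} {a['user']} {a['req']} from {a['ip']} [{flag}]")
```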
Staff also need to know that an email that looks clean, with no attachments and no links to outside sites, can still carry a fully functional malicious payload hidden in its HTML body.