Threat Intel - Russian APT Exploits Zimbra XSS Flaw
In short, a Russian hacking group is exploiting a flaw in Zimbra's email software to steal information from users in Ukraine.
A Russian APT is exploiting a critical XSS flaw in Zimbra, targeting users in Ukraine. The attack uses HTML emails to run malicious scripts in the victim's mailbox session, putting user data at risk. Immediate action is needed to mitigate the threat.
The Threat
A Russian Advanced Persistent Threat (APT) group, likely APT28, has exploited a critical Cross-Site Scripting (XSS) vulnerability in Zimbra, tracked as CVE-2025-66376. This flaw allows attackers to run malicious scripts through HTML emails. The vulnerability has a CVSS score of 7.2, indicating its high severity. By exploiting this flaw, attackers can take control of user accounts and compromise entire Zimbra environments, making it a significant threat to users, particularly in Ukraine.
The attack involves sending phishing emails that contain obfuscated JavaScript. When a victim opens the email, the script executes within their Zimbra session, allowing attackers to harvest sensitive information such as credentials, session tokens, and two-factor authentication (2FA) codes. This method of attack aligns with previous tactics used by Russian state-sponsored groups, emphasizing the ongoing cyber warfare targeting Ukraine.
Who's Behind It
The cyber espionage campaign is attributed to APT28, also known as Fancy Bear, a notorious group linked to the Russian government. This group has a history of targeting Ukrainian entities, particularly in the context of geopolitical tensions. The campaign, dubbed Operation GhostMail, shows a sophisticated approach to social engineering: it uses compromised student email accounts to lend credibility to its phishing attempts.
On January 22, 2026, a national maritime agency was targeted using a compromised email, showcasing the group's focus on critical infrastructure in Ukraine. The targeting of government entities aligns with broader patterns of cyberattacks observed in the region, indicating a strategic effort to undermine Ukrainian stability.
Tactics & Techniques
The exploitation of CVE-2025-66376 involves a stored XSS vulnerability in Zimbra's Classic UI. Attackers abuse CSS @import directives to execute scripts when the email is opened. This not only allows the theft of sensitive information but also gives the attackers persistent access to user accounts. They use SOAP requests and dual-channel exfiltration via DNS and HTTPS to extract data, which makes detection and mitigation harder.
The phishing emails are designed to appear legitimate, often masquerading as internship inquiries. This tactic increases the likelihood of user interaction with the malicious content. The campaign's infrastructure was established shortly before the attacks, indicating careful planning and execution by the threat actors.
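The article describes the abuse of CSS @import directives inside HTML mail. The following is an added example, not code from the article or from Zimbra, of the kind of inbound-mail check a filter can run before a message reaches a Classic UI mailbox: it walks every text/html part, undoes two cheap obfuscations (HTML character references and CSS hex escapes) that hide "@import" from a naive string match, and reports which script-bearing constructs it found. The sample messages and the placeholder domains (example.invalid, placeholder.invalid) are constructed for illustration.

```python
"""Flag inbound HTML mail that carries CSS @import directives or other script-bearing
content. Added example, not code from the article or from Zimbra; the messages and
the placeholder domains below are constructed for illustration."""
import email
import html
import re
from email import policy
from email.message import EmailMessage
from typing import List

# Constructs a mail filter should not see in a benign HTML body. "@import" is the
# CSS directive the article says the campaign abuses; the rest are generic
# script-bearing markup worth flagging in the same pass.
SUSPICIOUS_PATTERNS = {
    "css-import": re.compile(r"@import\b", re.IGNORECASE),
    "script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript-uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}

# CSS hex escape: backslash, 1 to 6 hex digits, optional single trailing whitespace.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?")


def normalize(markup: str) -> str:
    """Undo the two cheap obfuscations that hide '@import' from a naive match:
    HTML character references (&#64;import) and CSS hex escapes (\\000040import)."""
    markup = html.unescape(markup)

    def decode(m: re.Match) -> str:
        code = int(m.group(1), 16)
        return chr(code) if code <= 0x10FFFF else "\ufffd"

    return CSS_ESCAPE.sub(decode, markup)


def scan_message(raw: bytes) -> List[str]:
    """Return the sorted names of suspicious patterns found in any text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = normalize(part.get_content())
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(body):
                findings.add(name)
    return sorted(findings)


def build(text: str, markup: str) -> bytes:
    """Assemble a multipart/alternative message from constructed sample data."""
    msg = EmailMessage()
    msg["From"] = "student@example.invalid"
    msg["To"] = "admissions@example.invalid"
    msg["Subject"] = "Internship inquiry"
    msg.set_content(text)
    msg.add_alternative(markup, subtype="html")
    return msg.as_bytes()


# Constructed samples: a plain inquiry, a plain @import, and two obfuscated variants.
BENIGN = build("Hello, I am writing about the internship.",
               "<p>Hello, I am writing about the internship.</p>")
PLAIN_IMPORT = build("See HTML",
                     "<style>@import url('https://placeholder.invalid/a.css');</style>")
ENTITY_IMPORT = build("See HTML",
                      "<style>&#64;import url('https://placeholder.invalid/b.css');</style>")
CSS_ESCAPED_IMPORT = build("See HTML",
                           "<style>\\000040import url('https://placeholder.invalid/c.css');</style>")

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("plain", PLAIN_IMPORT),
                          ("entity", ENTITY_IMPORT), ("css-escape", CSS_ESCAPED_IMPORT)]:
        print(f"{label}: {scan_message(sample)}")
```

The normalisation step is the part worth keeping even if the pattern list changes: a filter that matches raw markup will miss `&#64;import` and `\000040import`, both of which a browser-based mail client decodes to the same `@import`.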
Defensive Measures
To combat this threat, organizations running Zimbra must update to the releases that address the XSS vulnerability, 10.1.13 and 10.0.18. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate the issue by April 1, 2026.
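Because the fix ships on two branches (10.1.13 and 10.0.18), a patch check has to compare within the branch rather than against a single number. The following is an added example, not Zimbra's own tooling, that does that comparison; the version strings are constructed, and the "Release ..." banner wording is an assumption about what `zmcontrol -v` prints.

```python
"""Branch-aware check of a Zimbra version string against the fixed releases the
article names, 10.1.13 and 10.0.18. Added example, not Zimbra's own tooling; the
version strings below are constructed, and the 'Release ...' wording is an
assumption about what `zmcontrol -v` prints."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# First fixed release on each maintained branch, per the article. Branches not listed
# here are deliberately reported as unknown rather than assumed safe.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (10, 1): (10, 1, 13),
    (10, 0): (10, 0, 18),
}


def parse_version(text: str) -> Version:
    """Pull major.minor.patch out of a bare '10.1.12' or a longer release banner."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown-branch' for a version string.

    Comparing against a single number gets both branches wrong: 10.0.18 is fixed
    although it is lower than 10.1.13, and 10.1.5 is unpatched although it is
    higher than 10.0.18. Comparing within the branch avoids both mistakes."""
    ver = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(ver[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if ver >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed inputs; the banner line imitates a zmcontrol -v style release string.
    for sample in ["10.1.13", "10.1.12", "10.0.18",
                   "Release 10.0.17.GA.1234.UBUNTU22_64 FOSS edition", "9.0.0"]:
        print(f"{sample}: {patch_status(sample)}")
```

A result of "unknown-branch" is a prompt to check the vendor advisory for that branch, not a clean bill of health; the article names fixed releases only for 10.1 and 10.0.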
Users should be educated on the risks of opening unsolicited emails and the importance of verifying the sender's identity. Implementing robust email filtering solutions and multi-factor authentication can further enhance security against such phishing attacks. Organizations must remain vigilant and proactive in monitoring for signs of compromise, especially in light of the ongoing threat from APT groups targeting critical infrastructure.
Security Affairs