Back

APT28 Exploits Zimbra Vulnerability in Ongoing Attacks Against Ukraine

Severity: Critical (Score: 80.8)

Sources: Cybersecuritynews, Bleepingcomputer, Heise.De, Thehackernews, Scworld

Summary

Russian state-backed hackers from APT28 are actively exploiting a high-severity stored cross-site scripting vulnerability (CVE-2025-66376) in the Zimbra Collaboration Suite (ZCS) to target Ukrainian government entities. The flaw allows unauthenticated attackers to execute remote code and harvest sensitive information from compromised email accounts. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog and mandated that U.S. federal agencies secure their servers by April 1, 2026. The attacks involve phishing emails containing obfuscated JavaScript payloads that exploit the vulnerability when opened in a vulnerable Zimbra session. This campaign, named Operation GhostMail, has already targeted critical infrastructure, including the Ukrainian State Hydrology Agency. Security researchers have noted that Zimbra vulnerabilities have been frequently exploited in recent years, with multiple incidents reported involving state-sponsored actors. Organizations using Zimbra are urged to apply the available patches immediately to mitigate risks. Key Points: • APT28 is exploiting CVE-2025-66376 in attacks against Ukrainian government entities. • CISA has mandated U.S. federal agencies to secure Zimbra servers by April 1, 2026. • Phishing emails with obfuscated JavaScript payloads are the primary attack vector.

Key Entities

  • Apt28 (apt_group)
  • Apt29 (apt_group)
  • Cozy Bear (apt_group)
  • Fancy Bear (apt_group)
  • Midnight Blizzard (apt_group)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • Zero-day Exploit (attack_type)
  • XSS (vulnerability)
  • Zimbra XSS Vulnerability (vulnerability)
  • Operation GhostMail (campaign)
  • Cisco (company)
  • Microsoft (company)
  • Synacor (company)
  • Ukrainian State Hydrology Agency (company)
  • Russia (country)
  • Ukraine (country)
  • CVE-2025-27915 (cve)
  • CVE-2025-66376 (cve)
  • CVE-2026-20131 (cve)
  • CVE-2026-20963 (cve)
  • Government (industry)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.007 - JavaScript (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • T1203 - Exploitation for Client Execution (mitre_attack)
  • T1486 - Data Encrypted for Impact (mitre_attack)
  • Cisco FMC (platform)
  • Microsoft Office SharePoint (platform)
  • SharePoint (platform)
  • Zimbra (platform)
  • Zimbra Collaboration Suite (platform)
  • Interlock (ransomware_group)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed