APT28 Exploits Zimbra Vulnerability in Ongoing Attacks Against Ukraine
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Russian state-backed hackers from APT28 are actively exploiting a high-severity stored cross-site scripting vulnerability (CVE-2025-66376) in the Zimbra Collaboration Suite (ZCS) to target Ukrainian government entities. The flaw allows unauthenticated attackers to execute remote code and harvest sensitive information from compromised email accounts. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog and mandated that U.S. federal agencies secure their servers by April 1, 2026. The attacks involve phishing emails containing obfuscated JavaScript payloads that exploit the vulnerability when opened in a vulnerable Zimbra session. This campaign, named Operation GhostMail, has already targeted critical infrastructure, including the Ukrainian State Hydrology Agency. Security researchers have noted that Zimbra vulnerabilities have been frequently exploited in recent years, with multiple incidents reported involving state-sponsored actors. Organizations using Zimbra are urged to apply the available patches immediately to mitigate risks.
Key Points: • APT28 is exploiting CVE-2025-66376 in attacks against Ukrainian government entities. • CISA has mandated U.S. federal agencies to secure Zimbra servers by April 1, 2026. • Phishing emails with obfuscated JavaScript payloads are the primary attack vector.