Russian APT Exploits Zimbra XSS to Target Ukrainian Government

Russian APT Exploits Zimbra XSS to Target Ukrainian Government

First seen 20 Mar 2026, 05:27 UTC Securityaffairs.CoCybersecuritynewsScworldEscudodigital 83% similarity 78.0

Article Content

Browse articles
ThreatCluster

A Russian state-linked advanced persistent threat (APT) has targeted a Ukrainian government agency through a cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite, identified as CVE-2025-66376. The attack, named 'Operation GhostMail,' involves running scripts via HTML emails to extract credentials and sensitive data without traditional indicators of compromise. The vulnerability was published on January 5, 2026, and was added to the CISA Known Exploited Vulnerabilities catalog on March 18, 2026, indicating active exploitation. This campaign highlights the increasing sophistication of state-sponsored cyber operations aimed at Ukraine amidst ongoing geopolitical tensions. The attack's impact is significant, as it compromises sensitive government communications and data security.

Key Points: • Russian APT exploits CVE-2025-66376, a critical XSS vulnerability in Zimbra. • Operation GhostMail targets Ukrainian government agencies via HTML email scripts. • Active exploitation confirmed as of March 18, 2026, by CISA.

ThreatCluster AI

Timeline

2026-01-05
CVE-2025-66376 published
2026-03-18
CVE-2025-66376 added to CISA KEV for active exploitation
2026-03-20
Cyberattack reported targeting Ukrainian government

Community

Browse all →