Executive Summary
Operation GhostMail is a cyber-espionage campaign attributed to the Russian threat actor APT28 (Fancy Bear). By exploiting a high-severity stored Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration, the group has targeted Ukrainian government agencies and critical infrastructure operators.
The campaign marks a notable escalation in APT28’s technical tradecraft. Traditional phishing relies on tricking a user into clicking a link or opening an attachment; this operation instead uses a “zero-click” trigger. Obfuscated JavaScript is embedded directly in the HTML body of an email, and the exploit for CVE-2025-66376 fires as soon as the victim opens the message in the Zimbra webmail client. The only user action required is reading the mail, and the script then runs inside the victim’s already-authenticated webmail session.
The goal is not to break authentication but to steal it: by lifting the victim’s webmail session token, the attackers read sensitive communications and maintain a long-term “ghost” presence in the compromised mailbox without ever entering a password.
Vulnerability & Affected Products
The campaign centers on CVE-2025-66376, a stored XSS flaw in the Zimbra web client. Attacker-controlled HTML in an email body gets past Zimbra’s sanitization and is rendered with its script content intact, so the code executes in the recipient’s browser with the privileges of the recipient’s webmail session.
| Feature | Details |
|---|---|
| CVE ID | CVE-2025-66376 |
| Vulnerability Type | Stored Cross-Site Scripting (XSS) |
| CVSS Score | 7.2 (High) |
| EPSS Score | 28.82% |
| Affected Products | Zimbra Collaboration 10.0.x and 10.1.x |
| Fixed Versions | 10.1.13 and 10.0.18 |
| Exploit Trigger | Zero-click: the user only has to open the email (no link click or download required) |
Attack Methodology: The “Zero-Click” Execution
Traditional phishing needs the user to click a suspicious link or download a file. Operation GhostMail instead relies on JavaScript executing automatically when the email is rendered in the webmail client.
- Initial Contact: Phishing emails are sent from compromised academic (.edu) or student accounts so that they look legitimate to the recipient.
- Exploitation: The email body contains heavily obfuscated JavaScript. When the Zimbra webmail interface renders the message, the script runs, triggering CVE-2025-66376 in the victim’s browser.
- Data Theft: The script immediately harvests the webmail session token (ZMBAuthToken), CSRF tokens and any 2FA codes available to the session.
- Exfiltration: Stolen data leaves over two channels: HTTPS for bulk data and DNS queries for low-volume communication that is harder to notice.
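As an added example (not code from the report, from CERT-UA or from Zimbra), the following Python script shows how a mail gateway or a retro-hunt over a mail store can triage an .eml for the ingredients described above. It decodes every text/html MIME part and flags generic script vectors (script tags, inline event handlers, javascript: URIs) and markers of obfuscated JavaScript. It does not reproduce the CVE-2025-66376 sanitizer bypass, which the report does not describe; the malicious sample is a constructed textbook auto-firing handler, not the campaign’s payload, and the sender and recipient addresses are placeholders.

```python
"""Heuristic triage of an .eml for zero-click webmail XSS indicators.

Added example; not code from the original report, from CERT-UA or from
Zimbra. It does not reproduce the CVE-2025-66376 sanitizer bypass (the
report does not describe it); it flags the generic ingredients the campaign
is described as using: script in an HTML body, inline event handlers,
javascript: URIs and markers of obfuscated JavaScript.
"""
import email
import email.policy
import re
from dataclasses import dataclass, field
from email.message import EmailMessage

# Ways to get script executed from HTML that a mail sanitizer must strip.
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "active_embed": re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.I),
}
# Markers that commonly accompany obfuscated payloads; two or more together
# are treated as suspicious even without an obvious script vector.
OBFUSCATION_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\b(?:eval|Function)\s*\("),
    "fromcharcode": re.compile(r"String\.fromCharCode"),
    "decoder_call": re.compile(r"\b(?:atob|unescape|decodeURIComponent)\s*\("),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


@dataclass
class Verdict:
    suspicious: bool
    hits: list[str] = field(default_factory=list)


def html_parts(raw: bytes) -> list[str]:
    """Decode every text/html MIME part (body or attachment) to text.
    Decoding matters: a base64 or quoted-printable body hides '<script>'
    from a naive grep over the raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [p.get_content() for p in msg.walk()
            if p.get_content_type() == "text/html"]


def triage(raw: bytes) -> Verdict:
    """Score one raw RFC 5322 message. Any script vector is enough on its own;
    obfuscation markers need at least two to fire, to limit false positives."""
    hits: set[str] = set()
    for html in html_parts(raw):
        hits.update(n for n, rx in SCRIPT_PATTERNS.items() if rx.search(html))
        hits.update("obf:" + n for n, rx in OBFUSCATION_PATTERNS.items() if rx.search(html))
    vectors = [h for h in hits if not h.startswith("obf:")]
    obf = [h for h in hits if h.startswith("obf:")]
    return Verdict(suspicious=bool(vectors) or len(obf) >= 2, hits=sorted(hits))


def build_sample(html: str) -> bytes:
    """Build a constructed multipart/alternative message (not a real artefact)."""
    m = EmailMessage(policy=email.policy.default)
    m["From"] = "student@example.edu"      # placeholder for a compromised .edu sender
    m["To"] = "recipient@example.gov.ua"   # placeholder recipient
    m["Subject"] = "Conference materials"
    m.set_content("Please view this message in an HTML-capable client.")
    m.add_alternative(html, subtype="html")
    return m.as_bytes()


# Constructed samples. The malicious one uses a textbook auto-firing handler
# with a base64 blob fed to eval; it is NOT the campaign's actual payload.
BENIGN_HTML = ("<html><body><p>Agenda attached. "
               "<a href='https://example.edu/agenda'>Programme</a></p></body></html>")
MALICIOUS_HTML = ("<html><body><p>Agenda attached.</p>"
                  "<img src=x onerror=\"eval(atob('" + "QUJDRA" * 40 + "'))\">"
                  "</body></html>")

if __name__ == "__main__":
    for label, html in (("benign", BENIGN_HTML), ("malicious", MALICIOUS_HTML)):
        v = triage(build_sample(html))
        print(f"{label}: suspicious={v.suspicious} hits={v.hits}")
```

Feed `triage()` the raw bytes of any message (for example from a journal or quarantine mailbox). The decode step is the important part: the constructed malicious sample is long enough that the standard library transfer-encodes it, so a grep over the raw .eml would miss the handler while the decoded part is caught.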
MITRE ATT&CK: Tactics and Techniques
| ID | Tactic | Technique | Description |
|---|---|---|---|
| TA0001 | Initial Access | T1190 – Exploit Public-Facing Application | Leveraging the Zimbra XSS flaw (CVE-2025-66376) in the internet-facing webmail client. |
| TA0002 | Execution | T1059.007 – JavaScript | Executing malicious scripts within the victim’s active webmail session. |
| TA0003 | Persistence | T1098 – Account Manipulation | Reusing stolen session tokens to maintain access without needing a password. |
| TA0006 | Credential Access | T1539 – Steal Web Session Cookie | Reading session cookies and tokens from the victim’s authenticated browser session. |
| TA0010 | Exfiltration | T1041 – Exfiltration Over C2 Channel | Moving data to attacker-controlled infrastructure over DNS and HTTPS. |
Indicators of Compromise (IOCs)
The following infrastructure has been identified by CERT-UA as being used for data exfiltration and C2 operations during this campaign (domains are defanged with [.]):
| Type | Indicator |
|---|---|
| Domain | js-l1wt597cimk[.]i[.]zimbrasoft[.]com[.]ua |
| Domain | js-26tik3egye4[.]i[.]zimbrasoft[.]com[.]ua |
Visual Attack Flow
[Delivery of Phishing Email via Compromised .edu Accounts]
-> [Exploitation of Zimbra Stored XSS (CVE-2025-66376)]
-> [Automatic Execution of Obfuscated JavaScript in Victim’s Session]
-> [Theft of ZMBAuthToken, CSRF Tokens, and 2FA Codes]
-> [Unauthorized Access to User Mailbox and Webmail Sessions]
-> [Establishment of Persistent Access via Stolen Session Tokens]
-> [Dual-Channel Data Exfiltration via HTTPS and DNS]
-> [Long-term Mailbox Monitoring and Intelligence Gathering]
Key Takeaways & Mitigation
The sophistication of Operation GhostMail lies in compromising accounts silently. Once the session token (ZMBAuthToken) is stolen, the attackers replay it instead of logging in, so 2FA is never prompted, and the reporting describes mailboxes being monitored for up to 90 days.
- Priority 1: Patch Zimbra. Upgrade to Zimbra 10.1.13 or 10.0.18 immediately to close the XSS flaw. Patching does not revoke sessions that were already stolen, so invalidate existing webmail sessions and force re-authentication for affected users after upgrading.
- Monitor for Anomalies: Look for DNS queries for, and outbound HTTPS traffic to, the domains listed above; only domains are published, so resolve them and alert on the resulting addresses as well. Unexplained DNS traffic from mail servers and user workstations is itself a signal, since DNS is used as a covert channel here.
- Audit Webmail Logs: Check for the same session token being used from unexpected source addresses or geographic locations, which indicates token replay rather than a normal login.
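The three mitigation steps above, as an added example in Python that is not tooling from the report, from CERT-UA or from Zimbra: it compares a version string against the fixed releases from the table, matches DNS query logs against the published domains (broadened to the parent zone, which is an assumption rather than a published IOC), and flags webmail sessions used from more than one source address as a first pass before any geolocation. The version string format is assumed to contain an x.y.z triple as `zmcontrol -v` prints it; the DNS and access log line formats are hypothetical, and the log lines are constructed.

```python
"""Post-patch verification and IOC hunting for the Zimbra XSS campaign.

Added example; not tooling from the original report, from CERT-UA or from
Zimbra. Assumed formats: a version string containing an x.y.z triple as
printed by `zmcontrol -v`; DNS query logs and webmail access logs are
hypothetical whitespace-separated lines constructed below.
"""
import re
from collections import defaultdict

# Fixed releases from the advisory table, keyed by release branch.
FIXED_VERSIONS = {(10, 0): (10, 0, 18), (10, 1): (10, 1, 13)}

# Exfiltration/C2 domains published by CERT-UA (defanged on the page as [.]).
IOC_DOMAINS = {
    "js-l1wt597cimk.i.zimbrasoft.com.ua",
    "js-26tik3egye4.i.zimbrasoft.com.ua",
}
# Assumption: the "js-<random>" labels vary per victim, so also hunt the
# parent zone; DNS exfiltration encodes data in extra leading labels.
IOC_ZONE = "zimbrasoft.com.ua"


def parse_version(text: str) -> tuple[int, int, int]:
    """Return the first x.y.z triple, e.g. from 'Release 10.1.12.GA.1234 ...'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(version_text: str):
    """True/False for the 10.0.x and 10.1.x branches named in the advisory;
    None for any other branch (do not read None as 'safe')."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    return None if fixed is None else v >= fixed


def dns_ioc_hits(lines):
    """Query names that are listed IOCs or fall under the IOC zone.
    Assumed line format: '<ts> <client_ip> query <type> <qname>'."""
    hits = []
    for line in lines:
        qname = line.split()[-1].rstrip(".").lower()
        if qname in IOC_DOMAINS or qname == IOC_ZONE or qname.endswith("." + IOC_ZONE):
            hits.append(qname)
    return hits


def sessions_from_multiple_ips(lines):
    """Sessions used from more than one source address: a cheap first pass for
    token replay before geolocating anything. Assumed line format:
    '<ts> <src_ip> <user> <session_id>'."""
    ips = defaultdict(set)
    for line in lines:
        _ts, ip, user, session = line.split()
        ips[(user, session)].add(ip)
    return {k: sorted(v) for k, v in ips.items() if len(v) > 1}


# Constructed sample logs (not real data; 203.0.113.0/24 is documentation space).
SAMPLE_DNS_LOG = [
    "2025-12-01T10:00:01Z 10.20.30.40 query A mail.example.gov.ua.",
    "2025-12-01T10:00:07Z 10.20.30.40 query A js-l1wt597cimk.i.zimbrasoft.com.ua.",
    "2025-12-01T10:00:09Z 10.20.30.41 query TXT x7q2.js-26tik3egye4.i.zimbrasoft.com.ua.",
    "2025-12-01T10:00:12Z 10.20.30.42 query A updates.example.edu.",
]
SAMPLE_ACCESS_LOG = [
    "2025-12-01T09:58:00Z 10.20.30.40 user1 sess-7f3a",
    "2025-12-01T10:01:30Z 10.20.30.40 user1 sess-7f3a",
    "2025-12-01T10:02:45Z 203.0.113.77 user1 sess-7f3a",
    "2025-12-01T10:03:00Z 10.20.30.41 user2 sess-91bc",
]

if __name__ == "__main__":
    for v in ("Release 10.1.12.GA.1000 FOSS", "Release 10.1.13.GA.1000 FOSS",
              "Release 10.0.17.GA.1000 FOSS"):
        print(v, "->", "patched" if is_patched(v) else "VULNERABLE")
    print("DNS IOC hits:", dns_ioc_hits(SAMPLE_DNS_LOG))
    print("Sessions seen from several IPs:", sessions_from_multiple_ips(SAMPLE_ACCESS_LOG))
```

The zone-suffix match is deliberate: the two published hostnames look like per-victim labels under one attacker zone, and a DNS exfiltration channel puts the stolen data in extra leading labels, so an exact-match blocklist of the two names would miss most of the traffic. A session flagged by `sessions_from_multiple_ips()` is only a lead; confirm with the source addresses’ geolocation and the user’s normal access pattern before revoking.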
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
