A sophisticated cyberattack, dubbed “Operation GhostMail,” has targeted a Ukrainian government agency, exploiting a critical vulnerability in the Zimbra Collaboration Suite to steal sensitive credentials and email archives. The operation, attributed with medium confidence to a Russian state-linked Advanced Persistent Threat (APT) group, used an elusive attack methodology that bypasses traditional security measures. The breach highlights the persistent cyber threats that critical infrastructure and government bodies face amid ongoing geopolitical tensions.
The campaign, identified by Seqrite researchers, commenced with a phishing email sent on January 22, 2026, to the Ukrainian State Hydrology Agency. The email, written in Ukrainian, deceptively presented itself as an internship inquiry from a student at the National Academy of Internal Affairs. Notably, the attack featured no malicious attachments, suspicious links, or macros, making its detection exceptionally challenging.
Operation GhostMail Exploits Zimbra XSS Flaw
Operation GhostMail leveraged a stored Cross-Site Scripting (XSS) vulnerability, CVE-2025-66376, in the Zimbra Collaboration Suite. The flaw, patched in November 2025 in ZCS versions 10.0.18 and 10.1.13, stemmed from insufficient sanitization of HTML content, particularly CSS @import directives. When a victim opened the malicious email in Zimbra’s Classic UI while holding an active authenticated session, the embedded JavaScript payload executed silently in their browser.
The perpetrators of Operation GhostMail have been linked to APT28, also known as Fancy Bear. This attribution is based on technical overlaps with prior Zimbra exploitation patterns and the geopolitical significance of the targeted entity. The Ukrainian State Hydrology Agency, responsible for vital national infrastructure, aligns with the observed patterns of Russian state-sponsored cyber operations against public sector institutions during the ongoing conflict.
The initial phishing email contained a large, base64-encoded JavaScript payload hidden inside the HTML body in an element styled display:none. Upon execution, this payload initiated a two-stage infection mechanism that operated entirely within the victim’s browser, leaving no trace on disk.
Two-Stage Infection Mechanism of Operation GhostMail
The first stage was a JavaScript loader that first checked for an already-injected script to prevent duplicate injections, then decoded a base64 payload with the atob() function. The result was further decrypted with the XOR key “twichcba5e” to unpack the final JavaScript payload. The unpacked script was then injected into the top-level document, escaping the webmail’s iframe sandbox and granting the attacker full access to the browser’s cookies, localStorage, and same-origin SOAP API rights.
In the second stage, the full browser stealer began its operation. It generated a unique 12-character alphanumeric token for each victim, which served as the identifier in all command-and-control (C2) communications. The hardcoded C2 domain identified, zimbrasoft[.]com[.]ua, was registered only two days prior to the phishing email’s distribution. This stage initiated nine parallel data-collection operations, maximizing the amount of stolen data from a single browser session.
The collected data included email content, server configurations, Cross-Site Request Forgery (CSRF) tokens, mobile device profiles, OAuth application access tokens, backup two-factor authentication codes, and browser-autofilled credentials. Crucially, the attack also silently enabled IMAP access on the victim’s account and created a persistent app-specific password named “ZimbraWeb.” This allowed the attackers to maintain long-term access to the mailbox, even if the user subsequently reset their primary password.
The exfiltration of data occurred over both HTTPS and DNS channels, making it exceptionally difficult to detect through conventional network filtering methods. The complete absence of traditional attack indicators underscores the evolving sophistication of state-sponsored cyber operations.
To mitigate the risks associated with this attack vector, organizations utilizing Zimbra are strongly advised to upgrade their installations to at least version 10.1.x immediately. Administrators should conduct thorough audits of all accounts for app-specific passwords named “ZimbraWeb” and revoke them without delay. The implementation of SOAP API monitoring is also recommended, as calls to GetScratchCodesRequest and CreateAppSpecificPasswordRequest are unusual in normal usage and warrant immediate investigation.
Furthermore, DNS filtering should be enforced against identified Indicator of Compromise (IOC) domains. Disabling IMAP or POP3 access for accounts lacking a clear business necessity can also reduce the attack surface. Beyond technical measures, user education remains paramount, emphasizing that seemingly innocuous emails without attachments or external links can still carry potent malicious payloads embedded within their HTML structure. The ongoing threat landscape necessitates constant vigilance and proactive defense strategies.
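As an added example (not from the article, Seqrite, or Zimbra), the following Python script turns the SOAP monitoring and “ZimbraWeb” audit recommended above into detection logic run over constructed sample log lines; the log layout, user names, IP addresses and the 60-second correlation window are assumptions, not real Zimbra output or tuned thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "timestamp soap user ip request" layout (not real Zimbra output).
SAMPLE_LOG = """\
2026-01-22 10:14:03 soap user=analyst@agency.example;ip=10.0.0.21; SearchRequest
2026-01-22 10:14:05 soap user=analyst@agency.example;ip=10.0.0.21; GetInfoRequest
2026-01-22 10:14:06 soap user=analyst@agency.example;ip=10.0.0.21; GetScratchCodesRequest
2026-01-22 10:14:06 soap user=analyst@agency.example;ip=10.0.0.21; CreateAppSpecificPasswordRequest name=ZimbraWeb
2026-01-22 11:02:44 soap user=clerk@agency.example;ip=10.0.0.33; SendMsgRequest
2026-01-22 16:40:10 soap user=clerk@agency.example;ip=10.0.0.33; CreateAppSpecificPasswordRequest name=phone
"""

# SOAP calls the article singles out as rare in normal use.
SUSPICIOUS_SOAP = {"GetScratchCodesRequest", "CreateAppSpecificPasswordRequest"}
APP_PASSWORD_NAME = "ZimbraWeb"  # name of the attacker's persistent app-specific password
WINDOW_SECONDS = 60              # assumed: both calls from one user inside this window -> high

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) soap "
    r"user=(?P<user>[^;]+);ip=(?P<ip>[^;]+); (?P<req>\w+)(?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for one SOAP log line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_alerts(log_text):
    """Map user -> (severity, [(timestamp, request), ...]). Severity is 'high' when the
    password is named ZimbraWeb or both calls fall within WINDOW_SECONDS, else 'medium'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["req"] in SUSPICIOUS_SOAP:
            hits[rec["user"]].append(rec)
    alerts = {}
    for user, recs in hits.items():
        kinds = {r["req"] for r in recs}
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        named = any(f"name={APP_PASSWORD_NAME}" in r["rest"] for r in recs)
        high = named or (kinds == SUSPICIOUS_SOAP and span <= WINDOW_SECONDS)
        alerts[user] = ("high" if high else "medium",
                        [(r["ts"].isoformat(), r["req"]) for r in recs])
    return alerts
```

The same idea applies to whatever SOAP audit trail a real deployment produces; only the regular expression needs to change.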