CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Zimbra Collaboration Suite Zero-Day Exploited via iCalendar Files

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

A zero-day vulnerability in Zimbra Collaboration Suite (ZCS) was exploited using iCalendar files to deliver a JavaScript payload. The flaw, CVE-2025-27915, allowed attackers to execute arbitrary JavaScript within the victim's session. The attacks targeted a Brazilian military organization and were active before the patch was released in January 2025. The payload was designed to steal credentials, emails, contacts, and shared folders from Zimbra Webmail. The threat actor spoofed the Libyan Navy’s Office of Protocol to deliver the exploit. The malicious code used various techniques to evade detection and exfiltrate data. The vulnerability was patched by Zimbra in January 2025, but the exploitation activity was not publicly disclosed until October 2025. The script forwards emails to [email protected] and adds malicious Zimbra email filter rules named "Correo". The script hides certain user interface elements and detonates only if more than three days have passed since the last execution. The payload was broken into multiple functions, each serving a distinct purpose such as credential theft, email theft, and user activity monitoring. The payload was designed to exfiltrate data every four hours to an attacker-controlled server. The payload included a function to manipulate email filter rules within Zimbra, redirecting messages to an external Proton Mail account. The payload targeted highly sensitive authentication data, including details of trusted devices and app-specific passwords.

Timeline

  1. 05.10.2025 17:45 3 articles · 8d ago

    Zero-day in Zimbra Collaboration Suite exploited via iCalendar files

    The article provides additional technical details about the zero-day vulnerability in Zimbra Collaboration Suite, including the specific mechanisms used by the malicious iCalendar files to execute JavaScript. It confirms the targeting of a Brazilian military organization and the use of spoofed emails from the Libyan Navy’s Office of Protocol. The article highlights the evasion techniques used by the malicious script and its data exfiltration methods. The article also mentions that the vulnerability was tracked as CVE-2025-27915 with a CVSS score of 5.4, and it provides details on the specific versions of Zimbra that were patched. It also notes that similar tactics have been used by other threat groups, including APT28 and UNC1151. The payload was broken into multiple functions, each serving a distinct purpose such as credential theft, email theft, and user activity monitoring. The payload was designed to exfiltrate data every four hours to an attacker-controlled server. The payload included a function to manipulate email filter rules within Zimbra, redirecting messages to an external Proton Mail account. The payload targeted highly sensitive authentication data, including details of trusted devices and app-specific passwords.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Clop extortion campaign targets Oracle E-Business Suite

The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Oracle has confirmed that known vulnerabilities in its E-Business Suite, patched in July 2025, may have been exploited in these attacks. The July 2025 Critical Patch Update addressed 309 vulnerabilities across Oracle's product range, including nine for E-Business Suite. Three of these vulnerabilities are critical and three others are exploitable remotely without authentication. The extortion emails are part of a broader campaign, with the attackers sending messages from compromised accounts, some previously associated with the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. Mandiant and GTIG are investigating the claims and recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms. The UK’s National Cyber Security Centre (NCSC) has advised Oracle EBS customers to patch the critical vulnerability CVE-2025-61882, which is being exploited by the Clop ransomware group. The NCSC has urged customers to apply an emergency security update from Oracle, published over the weekend, to address the zero-day vulnerability CVE-2025-61882. The vulnerability impacts Oracle EBS versions 12.2.3-12.2.14 and allows unauthenticated attackers to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The NCSC has warned that the Scattered Lapsus$ Hunters group has leaked the exploit used by the Clop gang, increasing the risk of opportunistic attacks on Oracle customers. Rapid7 has advised customers of affected Oracle EBS instances to conduct threat hunting to detect any potential malicious activity, given that exploitation in-the-wild may have occurred since August 2025. CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by October 27, 2025. WatchTowr Labs warns of potential mass, indiscriminate exploitation from multiple groups within days. Harvard University is investigating a data breach linked to the Clop ransomware gang's exploitation of a zero-day vulnerability in Oracle's E-Business Suite. Clop listed Harvard on its data leak site, claiming the breach was due to a zero-day vulnerability in Oracle's E-Business Suite. Harvard applied a patch from Oracle to remediate the vulnerability and is monitoring for further signs of compromise. The Clop extortion gang has a history of exploiting zero-day vulnerabilities in various platforms, including Accellion FTA, SolarWinds Serv-U FTP, GoAnywhere MFT, and MOVEit Transfer. Harvard is the first known organization linked to the Oracle E-Business Suite zero-day attacks, but more are expected to be identified.

Open in new tab

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

Zero-day in Google Chrome exploited in the wild

Google has patched a zero-day vulnerability (CVE-2025-10585) in the Chrome web browser that has been actively exploited in the wild. The vulnerability is a type confusion issue in the V8 JavaScript and WebAssembly engine. The exploit details, actors involved, and the scale of exploitation remain undisclosed. The flaw is the sixth zero-day in Chrome that has been actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. Google has released security updates to address the vulnerability.

Open in new tab

APT28 deploys NotDoor backdoor via Microsoft Outlook

APT28, a Russian state-sponsored threat group, has been identified deploying a new backdoor malware named NotDoor through Microsoft Outlook. This malware exploits Outlook to facilitate covert communication, data exfiltration, and malware delivery. The backdoor is triggered by specific words in incoming emails, allowing attackers to execute commands on the victim's computer. NotDoor is distributed via a legitimate signed binary, Microsoft's OneDrive.exe, which is vulnerable to DLL sideloading. The malware uses PowerShell commands encoded in Base64 to perform various functions, including disabling macro security defenses and enabling macro execution. The backdoor maintains persistent access to the targeted system and can initiate data exfiltration through email attachments or upload malicious files. The malware has been used to target multiple companies from different sectors in NATO member countries. It creates a staging folder at %TEMP%\Temp to store and exfiltrate files, and supports commands for executing commands, exfiltrating files, and uploading files to the victim's computer.

Open in new tab

TA415 (APT41) Abuses Velociraptor Forensic Tool for C2 Tunneling via Visual Studio Code

Unknown threat actors, identified as TA415 (APT41), deployed the open-source Velociraptor forensic tool to download and execute Visual Studio Code, likely for command-and-control (C2) tunneling. The attack leveraged legitimate software and Windows utilities to minimize malware deployment and maintain a foothold in the target environment. The attackers used Cloudflare Workers domains for staging and additional payloads, and the incident highlights the evolving tactics of threat actors using legitimate tools for malicious purposes. The attack began with the use of the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain. Velociraptor was then used to establish contact with another Cloudflare Workers domain, facilitating the download and execution of Visual Studio Code with tunneling capabilities. This allowed for remote access and code execution, potentially leading to further malicious activities such as ransomware deployment. The phishing campaign targeted US government, think tank, and academic organizations involved in US-China relations, economic policy, and international trade. The attackers impersonated the US-China Business Council and John Moolenaar, Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party. The phishing messages contained links to password-protected archives hosted on cloud services, which included a shortcut (LNK) file and a hidden subfolder. Launching the LNK file executed a batch script that downloaded the VSCode Command Line Interface (CLI) from Microsoft’s servers, created a scheduled task for persistence, and established a VS Code remote tunnel authenticated via GitHub. The script also collected system information and the contents of various user directories, sending it to the attackers. The script sent a VS Code remote tunnel verification code, allowing the attackers to access the victim’s computer remotely and execute arbitrary commands. The incident underscores the importance of monitoring for unauthorized use of legitimate tools and implementing robust endpoint detection and response systems to mitigate such threats.

Open in new tab