Libyan Navy Office of Protocol impersonation campaign targeting the Brazilian military via malicious ICS attachments
Campaign
Summary
An unknown threat actor impersonating the Libyan Navy's Office of Protocol targeted the Brazilian military in an espionage campaign, using a malicious ICS email attachment to deliver an exploit against Zimbra. The operation mattered because the attachment triggered zero-day exploitation in a collaboration platform rather than relying on a standard phishing lure or a server compromise. The delivery chain enabled theft of data from user sessions, including credentials and mail content, while helping the actor avoid detection. The activity occurred earlier this year and was tied to CVE-2025-27915.
Cases
Related Happenings
Tax-season credential phishing and RMM malware campaign
Campaign
First: 30.03.2026 18:00
Last: 30.03.2026 18:00
Sources 1
About this happening:
A **tax-themed** cyber campaign is using **credential phishing**, **remote monitoring and management (RMM) tools**, and **fraud lures** to target people handling **financial data*...
APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities
Campaign
First: 19.03.2026 16:55
Last: 19.03.2026 16:55
Sources 1
About this happening:
**APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...
UnsolicitedBooker Central Asian telecom phishing campaign
Campaign
First: 24.02.2026 11:54
Last: 24.02.2026 11:54
Sources 1
About this happening:
The **UnsolicitedBooker** cluster shifted its phishing operation to **telecommunications companies in Kyrgyzstan and Tajikistan**, extending a multi-month campaign that matters be...
InedibleOchotense spear phishing campaign impersonating ESET
Campaign
First: 07.11.2025 14:20
Last: 07.11.2025 14:20
Sources 1
About this happening:
The **InedibleOchotense** spear phishing campaign impersonating **ESET** delivered a **trojanized installer** and **Kalambur backdoor**, creating a direct infection risk for targe...
UNK_SmudgedSerpent overlaps with TA453 TA455 and TA450 campaign expands across multiple victims
Campaign
First: 05.11.2025 18:00
Last: 05.11.2025 18:00
Sources 1
About this happening:
**UNK_SmudgedSerpent** is a **previously unknown** campaign that targeted **academics** and **foreign policy experts** focused on **Iran** and related policy issues between **June...
Timeline
06.10.2025 23:12 · 2 articles
Brazilian military targeted with malicious ICS file exploiting Zimbra CVE-2025-27915
Initial Disclosure: An unknown threat actor masquerading as the Libyan Navy's Office of Protocol targeted the Brazilian military with a malicious ICS email attachment that exploited CVE-2025-27915 in the Zimbra Classic Web client, using the payload for credential theft, email and contact exfiltration, folder access, filter-rule manipulation, and MFA bypass support. StrikeReady Labs said the campaign was unusual because it relied on direct exploitation of an open source collaboration tool via an email attachment, and Zimbra later released ZCS 10.1.9 in June as a fix after the zero-day abuse had already occurred.
Sources
- Cyberattackers Exploit Zimbra Zero-Day Via ICS — www.darkreading.com — 06.10.2025 23:12