
APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities

Type: Campaign
Happening score: 53
1 unique source, 1 article

Summary


APT28’s Operation GhostMail is actively targeting Ukrainian government entities through a phishing chain that exploits CVE-2025-66376 in Zimbra Collaboration Suite, creating immediate risk to email accounts and credentials. The message delivers an obfuscated JavaScript payload in the HTML body of a single email, avoiding attachments and macros. The payload can harvest session tokens, backup 2FA codes, browser-saved passwords, and mailbox content from the last 90 days. The activity matters because the vulnerability is already treated as exploited in the wild, and one named target is the Ukrainian State Hydrology Agency, a critical infrastructure entity.

Cases

Related Happenings

Synacor Zimbra CVE-2025-48700 security patch release

Security Patch Release
First: 24.04.2026 16:35 · Last: 24.04.2026 16:35 · Sources: 1

About this happening: Synacor released **security patches** for **CVE-2025-48700**, fixing an **XSS flaw** in **Zimbra Classic UI** that could be triggered by a **malicious email** and expose **sensiti...

Zimbra Collaboration Suite actively exploited XSS flaw (CVE-2025-48700)

Vulnerability
First: 24.04.2026 16:35 · Last: 24.04.2026 16:35 · Sources: 1

About this happening: **CVE-2025-48700** is an **actively exploited XSS flaw** in **Zimbra Collaboration Suite (ZCS)** that can let unauthenticated attackers run JavaScript inside a user's session and...

CISA patch guidance for Zimbra and SharePoint flaws

Advisory/Mitigation
First: 19.03.2026 08:05 · Last: 19.03.2026 08:05 · Sources: 1

About this happening: **CISA** told **FCEB agencies** to patch **two actively exploited vulnerabilities** in **Synacor Zimbra Collaboration Suite (ZCS)** and **Microsoft Office SharePoint**, creating i...

Zimbra Collaboration Suite (ZCS) stored XSS flaw (CVE-2025-66376)

Vulnerability
First: 18.03.2026 21:57 · Last: 18.03.2026 21:57 · Sources: 1

How related: This high-severity security flaw (tracked as CVE-2025-66376 and patched in early November) stems from a stored cross-site scripting (XSS) vulnerability that unauthenticated attackers can exploit to gain remote code execution (RCE) and compromise the Zimbra server and the target's email account.

About this happening: **CVE-2025-66376** affects **Zimbra Collaboration Suite (ZCS)**, where a stored **XSS flaw** in the **Classic UI** is **actively exploited** and can put exposed mail servers and u...

CISA BOD 22-01 Zimbra patch order

Public Sector Action
First: 18.03.2026 21:57 · Last: 18.03.2026 21:57 · Sources: 1

How related: On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its catalog of vulnerabilities exploited in the wild. CISA also ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers within two weeks, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

About this happening: **CISA** ordered **Federal Civilian Executive Branch agencies** to secure **Zimbra Collaboration Suite (ZCS)** servers against **CVE-2025-66376**, an **actively exploited** flaw t...

Timeline

  1. 19.03.2026 16:55 · 1 article · 2 months ago

    CISA adds CVE-2025-66376 to exploited-in-the-wild catalog

    Legal Policy Action Update

    CISA added CVE-2025-66376, a stored XSS flaw in Zimbra Collaboration Suite (ZCS), to its catalog of vulnerabilities exploited in the wild and ordered Federal Civilian Executive Branch agencies to secure affected servers within two weeks under BOD 22-01.

  2. 19.03.2026 16:55 · 2 articles · 2 months ago

    APT28 Operation GhostMail targets Ukrainian government entities

    Initial Disclosure

    APT28, a Russia-linked GRU threat group, is exploiting CVE-2025-66376 in Zimbra Collaboration Suite (ZCS) against Ukrainian government entities through a phishing campaign called Operation GhostMail. The messages deliver an obfuscated JavaScript payload in the HTML body of a single email, and one named target is the Ukrainian State Hydrology Agency.
