
Operation GhostMail: The Invisible Inbox Breach

Red | Attack Report

Summary

Operation GhostMail is a cyber espionage campaign that targets Ukrainian government entities with a fileless attack technique. It exploits CVE-2025-66376, a stored cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite, turning an ordinary email into an intrusion vector that needs no malicious link or attachment. First observed on January 22, 2026, the campaign targeted the Ukrainian State Hydrology Agency and shows the actor’s ability to run espionage operations entirely within the victim’s browser.

The attack chain starts with spear-phishing emails disguised as internship inquiries, sent from compromised Ukrainian academic accounts to build credibility and lower suspicion. The Zimbra webmail vulnerability is then used to run hidden JavaScript inside the victim’s authenticated browser session, which sidesteps disk-based malware detection entirely. The payload harvests email credentials, 2FA recovery codes, a complete 90-day email archive and session tokens, and stays stealthy by issuing what look like legitimate SOAP API requests. Security researchers attribute the campaign to APT28 with medium confidence; it marks a notable shift in state-sponsored espionage tradecraft toward fileless, browser-native intrusion techniques.


Attack Details

Sophisticated Social Engineering via Compromised Academic Account

Operation GhostMail began on January 22, 2026, with a highly targeted spear-phishing campaign against Ukrainian government infrastructure. The attackers sent a carefully crafted email from a compromised student account at Ukraine’s National Academy of Internal Affairs, written in fluent Ukrainian to appear authentic and earn the recipient’s trust. The message posed as a polite internship inquiry from a fourth-year student, with an apologetic tone and culturally appropriate phrasing designed to build credibility. The victim, an employee of the Ukrainian State Hydrology Agency in Ukraine’s critical infrastructure sector, received an email with none of the usual phishing indicators: no malicious attachment, no suspicious external link and nothing that security awareness training would flag.

Fileless Exploitation Through Zimbra Vulnerability CVE-2025-66376

Instead of delivering a conventional malware payload, the attackers embedded their exploitation code in the HTML body of the phishing email itself. The payload sat inside a hidden div element and exploited CVE-2025-66376, a stored cross-site scripting vulnerability in the Zimbra Classic UI caused by improper sanitization of CSS @import directives. When the victim opened the email in an authenticated Zimbra webmail session, the exploit fired silently and automatically; no interaction beyond viewing the message was required. The technique bypassed Zimbra’s AntiSamy sanitizer through fragmented token injection, reconstructing executable SVG elements that allowed JavaScript to run in the trusted browser context. Because execution happened in the browser, the code inherited the victim’s session cookies, local storage and full API permissions without writing a single file to disk.

Multi-Stage Payload Deployment and Credential Harvesting

The initial JavaScript payload acted as a stealthy loader with built-in execution controls, running only once before decoding a Base64-encoded second stage. That stage was XOR-decrypted with the key “twichcba5e” and deployed a browser-based information stealer directly into the top-level document object model. The stealer escaped iframe security restrictions to obtain full visibility into the authenticated webmail session and ran several data-harvesting tasks in parallel, systematically extracting user identities, Zimbra server configuration, backup 2FA recovery codes and session authentication tokens. Most critically, it created a persistent app-specific password labelled “ZimbraWeb”, giving the attackers long-term unauthorized access that survives a standard password reset and remains invisible to routine security audits.

Persistent Access Establishment and Lateral Movement Preparation

Beyond immediate credential theft, the attackers set up several persistence mechanisms to keep access to compromised accounts. The payload enumerated the mobile devices connected to the victim’s email account, giving the attackers a detailed picture of the target’s device ecosystem, and listed every OAuth application authorized on the account to identify lateral movement opportunities through integrated third-party services. It also enabled IMAP access on the compromised account, allowing ongoing automated data collection over a standard email protocol that blends in with legitimate traffic. Every malicious action was carried out through legitimate Zimbra SOAP API requests authenticated with stolen CSRF tokens, making the traffic almost indistinguishable from normal webmail use and considerably harder to detect.

Systematic Data Exfiltration with Dual-Channel Communication

Data exfiltration used a resilient dual-channel design. Small data chunks were encoded directly into DNS query strings, providing a covert low-bandwidth channel for critical configuration data and command-and-control communications. Larger datasets were sent over encrypted HTTPS to attacker-controlled infrastructure, balancing stealth against bandwidth. The most damaging activity was the systematic download of a complete 90-day archive of the victim’s email through Zimbra’s native export functionality, packaged as one compressed archive per day for incremental exfiltration. Progress was tracked in browser localStorage so that the theft could resume seamlessly after a network disruption or browser closure. The command-and-control infrastructure had been registered only days before the attack, and the campaign’s tactics, techniques and procedures align with known APT28 tradecraft, leading security researchers to attribute Operation GhostMail to this Russian state-sponsored group with medium confidence.


Vulnerability Details

CVE-2025-66376: Synacor Zimbra Collaboration Suite Cross-Site Scripting Vulnerability

CVE-2025-66376 is a critical stored cross-site scripting vulnerability in the Classic UI of Synacor Zimbra Collaboration Suite. It stems from improper sanitization of CSS @import directives in Zimbra’s email rendering engine, which lets an attacker bypass the AntiSamy HTML sanitizer through fragmented token injection. Successful exploitation reconstructs executable SVG elements carrying malicious JavaScript that runs within the victim’s authenticated browser session. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in real-world campaigns. Patches are available in Zimbra Collaboration Suite versions 10.1.13 and 10.0.18; organizations still on the end-of-life 8.8.15 release remain vulnerable and should migrate immediately to a supported version.


Recommendations

Patch Zimbra Collaboration Suite Immediately

Upgrade every Zimbra Collaboration Suite instance to at least version 10.1.13 or 10.0.18 to remediate CVE-2025-66376 and protect against Operation GhostMail-style attacks. Organizations still running Zimbra 8.8.15 should migrate immediately to a supported release or consider another email platform: this end-of-life version receives neither critical security patches nor vendor support.

Migrate Off Zimbra 10.0 Branch

Zimbra 10.0 reached end of life on December 31, 2025, so the 10.0 branch no longer receives ongoing security updates despite the CVE-2025-66376 fix in 10.0.18. Organizations should accelerate migration to the Zimbra 10.1 series to keep receiving security patches and vendor support for emerging threats.

Audit App-Specific Passwords

Review every Zimbra user account for app-specific passwords named “ZimbraWeb”, and for any app-specific password created in a timeframe that coincides with suspicious email activity suggestive of Operation GhostMail compromise. Revoke unauthorized app-specific passwords immediately: they survive a standard password reset and give persistent unauthorized access to the mailbox.

Audit IMAP Configuration Changes

Check Zimbra account settings for unexpected zimbraPrefImapEnabled: TRUE changes, especially on accounts with no legitimate business need for IMAP access. Disable unused mail protocols, including IMAP and POP3, at the administrative level to remove this Operation GhostMail-style persistence vector and reduce the attack surface.
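As an added example (not from the advisory, and not Zimbra’s own tooling), the following Python script applies the two audits above, the “ZimbraWeb” app-specific password check and the IMAP setting check, to text in the attr: value layout that zmprov ga prints. The sample output is constructed; the zimbraAppSpecificPassword attribute name and its label|... value layout are assumptions.

```python
from collections import defaultdict

# Constructed sample in the "attr: value" layout that `zmprov ga <account>` prints,
# one "# name <account>" header per account. The zimbraAppSpecificPassword
# attribute name and its "label|..." value layout are assumptions for this example.
SAMPLE_ZMPROV_OUTPUT = """\
# name hydro.analyst@example.gov.ua
zimbraAccountStatus: active
zimbraPrefImapEnabled: TRUE
zimbraAppSpecificPassword: ZimbraWeb|<hash>|20260122
zimbraAppSpecificPassword: laptop-outlook|<hash>|20250301

# name helpdesk@example.gov.ua
zimbraAccountStatus: active
zimbraPrefImapEnabled: TRUE
"""

ASP_ATTR = "zimbraAppSpecificPassword"   # assumed attribute name
SUSPICIOUS_ASP_LABELS = {"ZimbraWeb"}     # label created by the GhostMail payload


def parse_zmprov(text):
    """Group 'attr: value' lines under their '# name' header; attributes are multi-valued."""
    accounts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# name "):
            current = line[len("# name "):]
            accounts[current] = defaultdict(list)
        elif current is not None and ": " in line:
            attr, value = line.split(": ", 1)
            accounts[current][attr].append(value)
    return accounts


def audit_accounts(accounts, imap_allowed=frozenset()):
    """Return (account, finding) pairs; imap_allowed holds accounts with a business need for IMAP."""
    findings = []
    for name, attrs in accounts.items():
        for value in attrs.get(ASP_ATTR, []):
            label = value.split("|", 1)[0]
            if label in SUSPICIOUS_ASP_LABELS:
                findings.append((name, f"app-specific password labelled {label!r}"))
        if "TRUE" in attrs.get("zimbraPrefImapEnabled", []) and name not in imap_allowed:
            findings.append((name, "IMAP enabled without a recorded business need"))
    return findings


if __name__ == "__main__":
    allowed = {"helpdesk@example.gov.ua"}   # accounts with a documented IMAP need
    for account, finding in audit_accounts(parse_zmprov(SAMPLE_ZMPROV_OUTPUT), allowed):
        print(f"{account}: {finding}")
```

Feed it the concatenated output of zmprov ga for every account, and keep the allow-list of IMAP users in version control so the audit is repeatable.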

Deploy Email Content Inspection

Deploy email filtering that inspects HTML message bodies for obfuscated JavaScript, in particular Base64-encoded scripts inside hidden div elements and CSS @import-based sanitizer bypasses of the kind used in Operation GhostMail. Scanning attachments and links alone is not enough against fileless, browser-based attacks that embed the malicious code in the email content itself.
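As an added example (not from the advisory or any vendor product), this Python content-inspection check looks inside hidden div elements of an HTML body for the indicators listed above: a CSS @import, an active element such as svg, and a long Base64 run. The sample message is constructed and is not an exploit; the indicator names and the hidden-style heuristics are assumptions.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample body (not a real exploit): a hidden div that carries a CSS
# @import and a long Base64 run, the two indicators the advisory names.
SAMPLE_B64 = base64.b64encode(b"constructed stand-in for an encoded second-stage script").decode()
SAMPLE_HTML = f"""<html><body>
<p>Good afternoon, I am a fourth-year student and would like to ask about an internship.</p>
<div style="display:none"><style>@import url(https://example.invalid/a.css);</style>
<div>{SAMPLE_B64}</div></div>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0\b", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ACTIVE_TAGS = {"svg", "script", "iframe", "object", "embed"}


class HiddenDivCollector(HTMLParser):
    # Gathers text (including <style> contents) and tag names found inside hidden <div>s.
    def __init__(self):
        super().__init__()
        self.div_depth = 0            # > 0 while inside a hidden div (nested divs counted)
        self.text, self.tags = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.div_depth:
            self.tags.append(tag)
            if tag == "div":
                self.div_depth += 1
        elif tag == "div" and ("hidden" in a or HIDDEN_STYLE.search(a.get("style") or "")):
            self.div_depth = 1

    def handle_endtag(self, tag):
        if tag == "div" and self.div_depth:
            self.div_depth -= 1

    def handle_data(self, data):
        if self.div_depth:
            self.text.append(data)


def scan_email_html(html):
    """Return the set of indicator names found in hidden divs; an empty set means none."""
    c = HiddenDivCollector()
    c.feed(html)
    hidden_text = "".join(c.text)
    found = set()
    if re.search(r"@import", hidden_text, re.I):
        found.add("css-import-in-hidden-div")
    if ACTIVE_TAGS & set(c.tags):
        found.add("active-element-in-hidden-div")
    for m in B64_RUN.finditer(hidden_text):
        try:
            base64.b64decode(m.group(0), validate=True)   # only count decodable runs
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        found.add("base64-run-in-hidden-div")
        break
    return found
```

A non-empty result is a reason to quarantine the message for review, not proof of exploitation; legitimate newsletters also hide divs, so the @import and active-element indicators carry more weight than a Base64 run alone.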


Indicators of Compromise (IoCs)

MD5 Hash:

  • c010f64080b0b0997b362a8e6b9c618e

Malicious Domains:

  • zimbrasoft[.]com[.]ua
  • js-[a-z0-9]{12}[.]i[.]zimbrasoft[.]com[.]ua
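As an added example (not from the advisory), this Python script turns the two defanged domain indicators above into anchored regexes and runs them over DNS query-log lines, so the DNS exfiltration channel and the command-and-control domain can be spotted at the resolver. The log lines are constructed, and the BIND-style query-log layout is an assumption.

```python
import re
from collections import Counter

# Constructed DNS query log lines; the BIND-style query-log layout is an assumption.
SAMPLE_DNS_LOG = """\
22-Jan-2026 10:14:03.117 client 10.20.1.55#51432: query: js-k3m9p2q7r1s4.i.zimbrasoft.com.ua IN A +
22-Jan-2026 10:14:03.402 client 10.20.1.55#51433: query: js-a8b7c6d5e4f3.i.zimbrasoft.com.ua IN A +
22-Jan-2026 10:14:05.010 client 10.20.1.55#51440: query: mail.example.gov.ua IN A +
22-Jan-2026 10:14:06.221 client 10.20.1.77#50011: query: www.zimbra.com IN A +
22-Jan-2026 10:14:07.900 client 10.20.1.55#51444: query: zimbrasoft.com.ua IN A +
"""

# Matches the "client <ip>#<port>: query: <name> IN" part, tolerating the "@0x..." handle
# and "(name)" that newer BIND versions insert.
QUERY = re.compile(r"client (?:@\S+ )?(?P<src>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<name>\S+) IN")


def ioc_regex(defanged, suffix_match=False):
    """Turn a defanged indicator into an anchored regex: '[.]' stands for a literal dot,
    while a character class such as [a-z0-9]{12} is kept as regex."""
    body = defanged.replace("[.]", r"\.")
    return re.compile((r"(?:^|\.)" if suffix_match else "^") + body + "$", re.I)


# The two indicators from the list above, most specific first.
IOCS = [
    ("exfil-subdomain", ioc_regex("js-[a-z0-9]{12}[.]i[.]zimbrasoft[.]com[.]ua")),
    ("c2-domain", ioc_regex("zimbrasoft[.]com[.]ua", suffix_match=True)),
]


def match_dns_log(lines):
    """Return (source_ip, queried_name, indicator) for every query that hits an IoC."""
    hits = []
    for line in lines:
        m = QUERY.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".")
        for label, rx in IOCS:
            if rx.search(name):
                hits.append((m.group("src"), name, label))
                break
    return hits


def hits_per_source(hits):
    """Count IoC hits per querying client, to find the host that needs triage."""
    return Counter(src for src, _, _ in hits)


if __name__ == "__main__":
    found = match_dns_log(SAMPLE_DNS_LOG.splitlines())
    for hit in found:
        print(*hit)
    print(dict(hits_per_source(found)))
```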

Patch Information: https://wiki.zimbra.com/wiki/Zimbra_Releases


MITRE ATT&CK TTPs

Resource Development: T1583.001 – Domains, T1586.002 – Email Accounts

Initial Access: T1566.001 – Spearphishing Attachment

Execution: T1059.007 – JavaScript, T1203 – Exploitation for Client Execution

Persistence: T1098.001 – Additional Cloud Credentials

Credential Access: T1528 – Steal Application Access Token, T1539 – Steal Web Session Cookie, T1111 – Multi-Factor Authentication Interception, T1555.003 – Credentials from Web Browsers

Discovery: T1082 – System Information Discovery, T1087.003 – Email Account, T1069 – Permission Groups Discovery, T1120 – Peripheral Device Discovery

Collection: T1114.002 – Remote Email Collection, T1185 – Browser Session Hijacking, T1213 – Data from Information Repositories

Exfiltration: T1041 – Exfiltration Over C2 Channel, T1071.004 – DNS


References

https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/
