RUSSIA-LINKED threat actors are alleged to be exploiting a critical XSS flaw in Zimbra, tracked as CVE-2025-66376, to target Ukrainian users, with the campaign relying on HTML emails whose embedded scripts run when the recipient opens the message. The vulnerability resides in the Classic UI and can allow attackers to take over a user’s email account and compromise the entire Zimbra environment, according to Seqrite Labs.
Seqrite Labs tracks the operation as GhostMail, noting that attackers use JavaScript in phishing emails to silently harvest credentials, session tokens, 2FA codes, saved passwords, and up to 90 days of mailbox data, exfiltrating data via DNS and HTTPS. A national maritime agency and Ukraine’s State Hydrology Agency were among those targeted, with the phishing email infrastructure first appearing on 20 January 2026; two C2 domains were registered for the campaign.
The report assigns moderate confidence that the operation aligns with Russian state-sponsored intrusion sets, and notes that the US CISA added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog, requiring action by 1 April 2026.