Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376


Russian APT exploits a critical XSS flaw in Zimbra, tracked as CVE-2025-66376, running scripts via HTML emails to target users in Ukraine.

A Russia-linked threat actor is exploiting a high-severity XSS vulnerability, tracked as CVE-2025-66376 (CVSS score of 7.2), in Zimbra Collaboration. Attackers exploited insufficiently sanitized HTML emails to run scripts when the messages were opened, targeting users in Ukraine.

The flaw is a stored XSS vulnerability in the Classic UI in which attackers could abuse CSS @import directives in email HTML. Attackers could exploit the bug to take over a user’s email account and compromise the entire Zimbra environment. Synacor addressed the flaw with the release of Zimbra versions 10.1.13 and 10.0.18.

According to cybersecurity firm Seqrite Labs, a Russia-linked APT group, likely APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM), has exploited the Zimbra vulnerability in attacks against entities in Ukraine. Attackers used JavaScript in phishing emails to silently harvest credentials, session tokens, 2FA codes, saved passwords, and 90 days of mailbox data, then exfiltrated the stolen data via DNS and HTTPS.

“A socially engineered internship inquiry is used to deliver an obfuscated JavaScript payload embedded directly in the email body. When the victim opens the email in a vulnerable Zimbra webmail session, it exploits CVE-2025-66376, which is a stored XSS bug caused by inadequate sanitization of CSS @import directives within the HTML content,” reads the report published by Seqrite Labs. “Based on technical overlaps with Zimbra exploitation and geopolitical targeting alignment, we assess with moderate confidence that this campaign aligns with tradecraft previously documented with Russian state-sponsored intrusion sets targeting Ukrainian government entities. This has been reported to CERT-UA.”

A national maritime agency was targeted on January 22 using a compromised student email.
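The root cause the article names is CSS @import directives in HTML email reaching the webmail renderer without being sanitized. A mail gateway or pre-render filter can look for exactly that construct before a message is displayed. The following is an added example written for this page, not code from Seqrite Labs, Zimbra or the Security Affairs author, and it makes no claim about how Zimbra's own sanitizer works. It parses an HTML body with the standard library, decodes CSS escape sequences (so an escaped spelling of the keyword is not missed), and reports every @import found in `<style>` blocks and `style="..."` attributes so the message can be quarantined or the CSS stripped. The sample messages and the `example.invalid` host are constructed.

```python
"""Flag CSS @import directives in inbound HTML email bodies.

Added example for this page (not Zimbra's or Seqrite's code): a gateway-side
check for the construct the article identifies as the CVE-2025-66376 root
cause, CSS @import inside HTML email. Sample inputs below are constructed.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# "@import" followed by a word boundary; capture the directive up to ';'.
IMPORT_RE = re.compile(r"@import\b([^;]*)", re.IGNORECASE)


@dataclass
class Finding:
    location: str   # where in the document the directive was found
    directive: str  # the normalized @import text


def _hex_escape(m: re.Match) -> str:
    """CSS hex escape -> code point; invalid values become U+FFFD (CSS Syntax spec)."""
    cp = int(m.group(1), 16)
    if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        return "\ufffd"
    return chr(cp)


def decode_css_escapes(css: str) -> str:
    """Resolve CSS backslash escapes so keyword matching sees plain text.

    '\\HHHHHH' (1-6 hex digits, one optional trailing whitespace) is a code
    point; any other '\\X' is the literal character X.
    """
    css = re.sub(r"\\([0-9a-fA-F]{1,6})[ \t\n]?", _hex_escape, css)
    return re.sub(r"\\(.)", r"\1", css, flags=re.DOTALL)


class ImportScanner(HTMLParser):
    """Collects @import directives from <style> blocks and style attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[Finding] = []
        self._in_style = False

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self._scan(value, f"style attribute on <{tag}>")

    def handle_endtag(self, tag: str) -> None:
        if tag == "style":
            self._in_style = False

    def handle_data(self, data: str) -> None:
        # <style> content is delivered raw (CDATA) by html.parser.
        if self._in_style:
            self._scan(data, "<style> block")

    def _scan(self, css: str, location: str) -> None:
        for m in IMPORT_RE.finditer(decode_css_escapes(css)):
            self.findings.append(Finding(location, m.group(0).strip()))


def scan_html(html: str) -> list[Finding]:
    """Return every @import directive found in the HTML body."""
    parser = ImportScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_suspicious(html: str) -> bool:
    """Gateway decision: any @import in an email body is grounds to quarantine."""
    return bool(scan_html(html))


# Constructed samples: one benign message, two carrying @import.
BENIGN_EMAIL = """<html><body>
<p style="color:#333">Hello, attached is the document you requested.</p>
</body></html>"""

STYLE_BLOCK_EMAIL = """<html><head><style>
@import url("https://example.invalid/theme.css");
body { font-family: sans-serif; }
</style></head><body><p>Hello</p></body></html>"""

# "\\69" is the CSS hex escape for "i": the keyword is spelled "@\69mport".
ESCAPED_ATTR_EMAIL = """<html><body>
<div style="@\\69mport 'https://example.invalid/x.css'; color:red">Hi</div>
</body></html>"""

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_EMAIL),
                        ("style block", STYLE_BLOCK_EMAIL),
                        ("escaped attribute", ESCAPED_ATTR_EMAIL)]:
        print(label, "->", "QUARANTINE" if is_suspicious(body) else "ok",
              scan_html(body))
```

Note that the escape decoding is what makes the third sample detectable: a filter that only greps for the literal string `@import` would pass it through, while a CSS engine would happily interpret it. Dropping the whole `<style>` element and every `@`-rule from `style` attributes is the simpler policy for a webmail renderer, since legitimate email rarely needs either.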
Seqrite Labs tracked this campaign as Operation GhostMail.

A phishing email targeted Ukraine’s State Hydrology Agency, part of the country’s critical infrastructure, using a compromised student account to appear legitimate. The message hid malicious JavaScript in the HTML body, exploiting the Zimbra XSS flaw (CVE-2025-66376). Once opened, it executed in the user’s session, stealing credentials, tokens, emails, and 2FA data. The multi-stage payload used SOAP requests, DNS and HTTPS exfiltration, and enabled persistent access, allowing attackers to monitor accounts and extract up to 90 days of emails.

The phishing campaign’s C2 infrastructure was set up on 20 Jan 2026 with two domains:

js-l1wt597cimk[.]i[.]zimbrasoft[.]com[.]ua
js-26tik3egye4[.]i[.]zimbrasoft[.]com[.]ua

Historical patterns show Russian APTs like Fancy Bear (APT28), Cozy Bear (APT29), and Winter Vivern (TA473) targeting Zimbra, but this attack differs in that it leverages an HTML email XSS payload requiring user interaction, dual-channel exfiltration, and structured SOAP API abuse. Based on targeting and payload similarities to SpyPress.ZIMBRA, Operation GhostMail is attributed to APT28 with medium confidence.

“The targeting of a Ukrainian government entity aligns with ongoing geopolitical cyber activity observed against public-sector institutions in the region,” concludes the report. “While definitive attribution requires further infrastructure or code-overlap confirmation, the techniques used are consistent with previously documented Russian state-sponsored groups exploiting webmail platforms across Eastern Europe.”

On Wednesday, the US CISA added the flaw CVE-2025-66376 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to address it by April 1st, 2026.

Pierluigi Paganini
(SecurityAffairs – hacking, Zimbra)