Operation GhostMail: Inside the Stealthy XSS Attack on Ukraine’s Zimbra Mail

A new, highly sophisticated phishing campaign has emerged, revealing just how far attackers are willing to go to remain invisible while stealing sensitive data. Dubbed “Operation GhostMail”, this attack targeted the Ukrainian State Hydrology Agency, exploiting a vulnerability in the Zimbra Collaboration Suite (ZCS). Unlike typical phishing attempts that rely on malicious attachments or suspicious links, this operation works entirely within the email body, making it almost invisible to traditional security defenses.

The campaign has been attributed with medium confidence to the Russian state-sponsored threat group APT28. Its stealth and precision indicate a high level of technical skill, emphasizing the evolving dangers of browser-based attacks that bypass standard detection mechanisms.

Vulnerability and Attack Vector

The attack began with a seemingly benign phishing email, disguised as a standard internship inquiry. Sent on January 22, 2026, it originated from a compromised student account at the National Academy of Internal Affairs (NAVS).

When the victim opened the email in Zimbra Classic UI, a hidden JavaScript payload executed silently, exploiting CVE-2025-66376, a stored XSS vulnerability patched in November 2025. The flaw stemmed from improper sanitization of CSS @import directives.

To bypass Zimbra’s AntiSamy security filter, attackers injected “noise” into HTML tag names. This allowed the malicious code to evade regex-based inspections while remaining valid to the browser. Once reconstructed, a Base64-encoded loader executed, decoding the final payload, injecting it into the top-level document, and escaping the webmail sandbox. This gave attackers full access to the user’s session context and cookies.

Stealthy Data Exfiltration

With the payload active in memory, the malware leveraged Zimbra’s legitimate SOAP API for unauthorized actions. It read the CSRF token from the browser’s local storage and attached it to each request, so the requests appeared to be normal user activity.

The malware executed nine simultaneous operations, capturing login credentials, session tokens, backup 2FA recovery codes, and browser-saved passwords. It also created an app-specific password and enabled IMAP access to maintain long-term persistence.

Most alarmingly, the attackers exfiltrated the victim’s entire mailbox, using Zimbra’s native export feature to download up to 90 days of emails. Stolen data was sent to the C2 domain zimbrasoft[.]com[.]ua, using a dual-channel exfiltration method: large files over HTTPS and smaller segments via Base32-encoded DNS queries to evade network filters.
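The DNS leg of the dual-channel exfiltration described above is the one a resolver log can still reveal. The following detector is an added example written for this article, not code from the report or from Zimbra: it assumes a hypothetical "timestamp client qname qtype" log format, builds a constructed sample log whose suspicious labels are Base32 of made-up strings under the C2 domain the report names, and flags any client that sends several distinct Base32-shaped, high-entropy labels to the same parent domain.

```python
import base64
import math
import re
from collections import Counter, defaultdict

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # ts client qname qtype

def b32label(chunk: bytes) -> str:
    """Unpadded lower-case Base32: the shape a payload chunk takes as a DNS label."""
    return base64.b32encode(chunk).decode().rstrip("=").lower()

# Constructed resolver log in a hypothetical "ts client qname qtype" format. The labels under
# the C2 domain named in the report are Base32 of made-up strings, not captured data.
EXFIL_CHUNKS = [b"sid=4f3a9c1e7b", b"app_pw=Qm9iYWx0", b"imap_enabled=1;n=2", b"recov=118822-903471"]
SAMPLE_LOG = "\n".join(
    ["2026-01-22T09:14:01Z 10.0.5.17 www.example.org A",
     "2026-01-22T09:14:03Z 10.0.5.17 mail.example.org A"]
    + [f"2026-01-22T09:14:0{5 + i}Z 10.0.5.17 {b32label(c)}.zimbrasoft.com.ua TXT"
       for i, c in enumerate(EXFIL_CHUNKS)]
    + ["2026-01-22T09:14:09Z 10.0.5.22 cdn.example.net A"]
)

def shannon_entropy(s: str) -> float:
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_base32(label: str) -> bool:
    """Plausible unpadded Base32 chunk: alphabet, a valid length class, and it decodes."""
    if len(label) < 8 or not re.fullmatch(r"[a-z2-7]+", label) or len(label) % 8 in (1, 3, 6):
        return False
    try:
        base64.b32decode(label.upper() + "=" * (-len(label) % 8))
        return True
    except ValueError:
        return False

def detect_dns_exfil(log_text: str, min_queries: int = 3, min_entropy: float = 3.0) -> dict:
    """Group distinct Base32-looking, high-entropy leading labels by (client, parent domain).
    Repetition toward one parent, not entropy alone, is what separates exfil from real words."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        first, _, parent = qname.lower().partition(".")  # parent = all labels after the first
        if looks_base32(first) and shannon_entropy(first) >= min_entropy:
            seen[(client, parent)].add(first)
    return {k: {"queries": len(v), "approx_bytes": sum(len(x) * 5 // 8 for x in v)}
            for k, v in seen.items() if len(v) >= min_queries}
```

The `approx_bytes` figure (five bits per Base32 character) gives an analyst a rough size of what left the network over DNS, which is useful when deciding whether a mailbox export rather than a handful of tokens was carried this way.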

What Undercode Says:

Operation GhostMail is a textbook example of how phishing campaigns are evolving beyond attachments and malicious links. By embedding the payload entirely in the email body, attackers exploit the trust users place in their webmail interface. This method not only bypasses conventional antivirus and email security solutions but also leverages legitimate platform features to appear benign.

The XSS exploitation highlights the critical need for timely patching and thorough testing of web applications. Even though CVE-2025-66376 was patched in November 2025, organizations that delayed updates became highly vulnerable.

APT28’s use of fragmented HTML tags and Base64 loaders demonstrates advanced evasion techniques. By reconstructing code only in the victim’s browser, the attack remains invisible in transit, leaving few traces in email logs or network monitoring.

From a defensive perspective, this attack underscores the importance of browser-level monitoring and behavioral analytics, rather than relying solely on signature-based detection. Security teams must also educate users about the subtle signs of phishing emails, as attackers increasingly mimic legitimate internal communications.

The dual-channel exfiltration strategy—using HTTPS and DNS—illustrates how attackers adapt to network-level defenses. DNS-based exfiltration, in particular, is hard to detect because it blends with normal network traffic, showing how sophisticated APT groups operate.

Organizations using Zimbra or similar webmail solutions should audit session management, enforce 2FA rigorously, and monitor for anomalous API calls. Additionally, removing legacy interfaces like Zimbra Classic UI or restricting unpatched clients can drastically reduce the attack surface.

This campaign also raises geopolitical concerns. Targeting Ukrainian agencies in 2026 fits the broader pattern of state-sponsored cyber operations designed to extract intelligence quietly. The campaign’s precision, combined with stealthy data exfiltration, suggests long-term surveillance rather than immediate disruption.

Fact Checker Results:

✅ The attack targeted the Ukrainian State Hydrology Agency and exploited a Zimbra XSS vulnerability.
✅ Attribution to APT28 is medium confidence, consistent with prior state-sponsored campaigns.
✅ Exfiltration methods using HTTPS and DNS are accurately described and align with known stealth techniques.

Prediction:

⚠️ Expect similar XSS-based phishing campaigns to increase, targeting high-value organizations with browser-specific payloads.
⚠️ Legacy email interfaces and unpatched web applications will remain the most vulnerable points.
⚠️ Security defenses will shift towards real-time browser monitoring and anomaly detection, as attackers continue to exploit trusted interfaces for stealthy operations.


References:

Reported By: cyberpress.org