Unmasking Operation GhostMail: A deep dive into Russian APT’s Zimbra XSS exploitation techniques

Mar 20, 2026 | Threat Intelligence Research

Operation GhostMail: APT28’s Sophisticated Zero-Click Cyber-Espionage Campaign

TL;DR
APT28, associated with Russian cyber-espionage, has launched Operation GhostMail, exploiting a high-risk stored Cross-Site Scripting vulnerability in Zimbra Collaboration to target Ukrainian entities. This operation employs a zero-click method that allows attackers to execute malicious scripts upon viewing emails, enabling data theft and persistent access to compromised systems.

Main Analysis
APT28, commonly known as Fancy Bear, is behind Operation GhostMail, which targets Ukrainian government bodies and infrastructure. The operation exploits a severe stored Cross-Site Scripting vulnerability (CVE-2025-66376) in Zimbra Collaboration software. This tactic differs from traditional phishing in that the embedded malicious JavaScript executes automatically as soon as a victim views the email, with no further user interaction required.

The attack mechanism begins with phishing emails sent from compromised academic accounts, designed to appear legitimate. Within these emails, heavily obfuscated JavaScript exploits the XSS vulnerability once the email is opened. Attackers are able to extract sensitive session tokens and two-factor authentication codes, facilitating unauthorized access and long-term monitoring of the victim’s email sessions. Data is exfiltrated using a dual-channel approach, employing both HTTPS for bulk data and DNS for stealthy communications. A visual representation of this attack flow clarifies the sequential steps from phishing email delivery to data exfiltration.

Defensive Context
This campaign significantly impacts organizations utilizing vulnerable versions of Zimbra Collaboration (10.0.x and 10.1.x), particularly those with ties to government and critical infrastructure sectors. The zero-click exploit highlights the necessity for continuous monitoring of email systems, as attackers can bypass conventional security measures, including two-factor authentication, through session token theft.

Why This Matters
The threat landscape for organizations employing Zimbra software has escalated due to the sophistication of this campaign. Agencies managing sensitive information or integral systems must prioritize awareness of this attack vector. Failure to secure these vulnerabilities could lead to catastrophic data breaches and compromised communications.

Indicators of Compromise (IOCs)
The following domains are identified as part of the exfiltration and command-and-control infrastructure used in Operation GhostMail:

  • js-l1wt597cimk.i.zimbrasoft.com.ua
  • js-26tik3egye4.i.zimbrasoft.com.ua

