Operation GhostMail: Russian APT exploits Zimbra Webmail to Target Ukraine State Agency
ID: 5fb5fd03-794d-5467-b3cf-3456d4f051a3
STIX ID: report--5fb5fd03-794d-5467-b3cf-3456d4f051a3
Feed Name: Seqrite Blog
Seqrite Labs documents "Operation GhostMail", a targeted spear-phishing campaign against a Ukrainian government agency. The lure is an HTML email that triggers a stored cross-site scripting flaw in Zimbra webmail (CVE-2025-66376), so that an obfuscated JavaScript stealer embedded in the message runs browser-resident in the victim's webmail session. The payload harvests session tokens, backup 2FA codes, app-specific credentials, browser-stored passwords and up to 90 days of mailbox archives, and exfiltrates the data over DNS and HTTPS. Seqrite attributes the activity with moderate confidence to the Russian-linked group APT28; the report includes associated indicators of compromise and mitigation guidance.
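The summary notes that the stealer exfiltrates over DNS and HTTPS but, as a feed abstract, gives no detection logic for either channel. The following Python is an added example, not code from Seqrite Labs or from the GhostMail report. It assumes a hypothetical space-separated resolver log format (`<unix-ts> <client-ip> <qname> <qtype>`), a placeholder attacker domain `exfil-c2.example` that is not an indicator from the report, and the generic heuristic that DNS exfiltration appears as many distinct, long, high-entropy leftmost labels under one parent domain from a single client. The simulated stolen blob in the sample log is constructed for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log (hypothetical format: "<unix-ts> <client-ip> <qname> <qtype>").
# The first label of each exfil-c2.example query is a hex-encoded chunk of a simulated
# stolen blob; exfil-c2.example is a placeholder, not an IOC from the Seqrite report.
SAMPLE_LOG = """\
1700000001 10.0.0.5 mail.example.gov A
1700000002 10.0.0.5 autodiscover.example.gov A
1700000003 10.0.0.5 _dmarc.example.gov TXT
1700000004 10.0.0.5 a1b2c3d4e5f6a7b8c9d0e1f2.cdn.example.net A
1700000005 10.0.0.5 7369643d5a6d5268596a51334f546b.exfil-c2.example A
1700000006 10.0.0.5 313b626b3d3131383833322c343430.exfil-c2.example A
1700000007 10.0.0.5 mail.example.gov A
1700000008 10.0.0.5 3932313b753d61646d696e406d6169.exfil-c2.example A
1700000009 10.0.0.5 6c2e6578616d706c652e676f763b70.exfil-c2.example A
1700000010 10.0.0.5 773d547230756234646f7226333b61.exfil-c2.example A
1700000011 10.0.0.5 70703d786b327139663b656e64.exfil-c2.example A
1700000012 10.0.0.7 mail.example.gov A
this line is malformed and must be skipped
"""


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return (ts, client, qname, qtype) or None for lines that do not fit the assumed format."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    ts, client, qname, qtype = parts
    return int(ts), client, qname.lower().rstrip("."), qtype.upper()


def analyze(lines, min_label_len=20, min_entropy=2.0, min_unique=5):
    """Group queries by (client, parent domain) and flag groups with many distinct
    long, high-entropy data labels. Parent domain = last two labels (a simplification;
    a production detector would consult the public suffix list instead)."""
    per_key = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        ts, client, qname, _qtype = rec
        labels = qname.split(".")
        if len(labels) < 3:  # nothing below the parent domain to carry data
            continue
        parent = ".".join(labels[-2:])
        data = labels[0]
        if len(data) >= min_label_len and shannon_entropy(data) >= min_entropy:
            per_key[(client, parent)].append((ts, qname))
    flagged = {}
    for key, hits in per_key.items():
        if len({q for _, q in hits}) >= min_unique:
            flagged[key] = sorted(hits)
    return flagged


def reassemble(hits):
    """Triage helper: concatenate the data labels in timestamp order and hex-decode them.
    Returns None when the labels are not hex, i.e. some other encoding is in use."""
    data = "".join(qname.split(".")[0] for _, qname in sorted(hits))
    try:
        return bytes.fromhex(data)
    except ValueError:
        return None


if __name__ == "__main__":
    for (client, parent), hits in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {parent}: {len(hits)} suspicious queries")
        print("  recovered:", reassemble(hits))
```

Hex-encoded ASCII lands around 2.7 to 3.0 bits per character, base32 and base64 higher, so the entropy floor mainly discards repetitive padding labels; the count threshold is what separates an exfil stream from a single CDN hash such as the `cdn.example.net` line. The HTTPS leg requires proxy or TLS-metadata logs and is not covered here.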
