Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra
ID: 4e9fe179-18fd-5bc9-ad59-f5315e1c87f3
STIX ID: report--4e9fe179-18fd-5bc9-ad59-f5315e1c87f3
Feed Name: Volexity Blog
Volexity observed TEMP_HERETIC running targeted spear-phishing campaigns in December 2021 that exploited a zero-day XSS vulnerability in Zimbra (affecting 8.8.15 builds). The exploit loaded attacker JavaScript in authenticated webmail sessions and exfiltrated mailbox contents and attachments. The report includes IOCs (domains, IPs), infrastructure analysis (Freenom domains, BitLaunch hosts), mitigation recommendations, and attribution indicators pointing to a likely Chinese APT.
