{ "Event": { "analysis": "1", "date": "2026-03-17", "extends_uuid": "", "info": "[Threat Intel] Operation GhostMail: Russian APT Exploits Zimbra XSS to Target Ukraine Government", "protected": false, "publish_timestamp": "1774245789", "published": true, "threat_level_id": "1", "timestamp": "1774245788", "uuid": "0c1adb0a-80be-4973-b779-c815a402a91f", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#57356b", "local": false, "name": "misp-galaxy:producer=\"Seqrite\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#d3f567", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"", "relationship_type": "" }, { "colour": "#ed66f6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"", "relationship_type": "" }, { "colour": "#aff0ae", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Permission Groups Discovery - T1069\"", "relationship_type": "" }, { "colour": "#110e53", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\"", "relationship_type": "" }, { "colour": "#5539fe", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", "relationship_type": "" }, { "colour": "#0ec9f4", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Peripheral Device Discovery - T1120\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#5c59c9", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Email Accounts - T1586.002\"", "relationship_type": "" }, { "colour": "#82eae0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\"", "relationship_type": "" }, { "colour": "#f6f176", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Email Account - T1087.003\"", "relationship_type": "" }, { "colour": "#62e1b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Browser Session Hijacking - T1185\"", "relationship_type": "" }, { "colour": "#8ed4a7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"", "relationship_type": "" }, { "colour": "#08221e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"", "relationship_type": "" }, { "colour": "#7ffc24", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Additional Cloud Credentials - T1098.001\"", "relationship_type": "" }, { "colour": "#a9f8b1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#23cf0e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Email Collection - T1114.002\"", "relationship_type": "" }, { "colour": "#0aebeb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Client Execution - T1203\"", "relationship_type": "" }, { "colour": "#a42e64", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Information Repositories - T1213\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Multi-Factor Authentication Interception - T1111\"", "relationship_type": "" }, { "colour": "#44b2c2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"", "relationship_type": "" }, { "colour": "#e4d611", "local": false, "name": "misp-galaxy:target-information=\"Ukraine\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#1c006d", "local": false, "name": "rectifyq:topic=\"geopolitical\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Government, Administration\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"russia\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773802810", "to_ids": false, "type": "link", "uuid": "12465b58-1d5c-4992-aa66-14d44a4b1d18", "value": "https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773802810", "to_ids": false, "type": "text", "uuid": "7674d4af-b408-437a-bd6a-535d31ddd7f6", "value": "A sophisticated phishing campaign targeting a Ukrainian government agency exploits a cross-site scripting vulnerability in Zimbra Collaboration Suite. The attack, attributed to a Russian APT group, uses a seemingly innocuous internship inquiry email to deliver a malicious JavaScript payload. When opened in a vulnerable Zimbra webmail session, the script silently executes, harvesting credentials, session tokens, 2FA codes, and mailbox contents. The multi-stage attack employs obfuscation techniques, SOAP API abuse, and dual-channel exfiltration via DNS and HTTPS. The campaign demonstrates the evolution of webmail-focused intrusions, relying on browser-resident stealers rather than traditional malware binaries." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773802810", "to_ids": false, "type": "text", "uuid": "6449aba0-b593-4ea7-8d30-c2cbb4f0ffaa", "value": "Name: Operation GhostMail: Russian APT Exploits Zimbra XSS to Target Ukraine Government\nAuthor: AlienVault\nAdversary: APT28\nTags: [\"zimbra\", \"phishing\", \"russia\", \"webmail\", \"cve-2025-66376\", \"exfiltration\", \"browser-stealer\", \"soap api\", \"government\", \"spypress.zimbra\", \"xss\", \"ukraine\"]\nTgtd countries: [\"Ukraine\"]\nMlwr families: [\"SpyPress.ZIMBRA\"]\nAttack_ids: [\"T1059.007\", \"T1539\", \"T1069\", \"T1071.004\", \"T1566.001\", \"T1120\", \"T1082\", \"T1586.002\", \"T1583.001\", \"T1087.003\", \"T1185\", \"T1555.003\", \"T1528\", \"T1098.001\", \"T1041\", \"T1027\", \"T1114.002\", \"T1203\", \"T1213\", \"T1111\", \"T1564.001\"]\nIndustries: [\"Government\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1773802810", "to_ids": false, "type": "threat-actor", "uuid": "23fee614-52d2-4a79-99d6-45ce1da820a4", "value": "APT28" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773802810", "to_ids": false, "type": "vulnerability", "uuid": "57dd47da-fb50-4fdc-b575-94a8d2c11e7c", "value": "CVE-2025-66376" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774235905", "to_ids": true, "type": "domain", "uuid": "2fa38ff1-23d4-4ff7-b860-f37012439494", "value": "zimbrasoft.com.ua", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774235927", "to_ids": true, "type": "hostname", "uuid": "420d91b5-1ba7-42f9-b817-c170df449052", "value": "i.zimbrasoft.com.ua", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774235950", "to_ids": true, "type": "hostname", "uuid": "27a52bdd-3713-4058-b4f1-27515103b45c", "value": "js-26tik3egye4.i.zimbrasoft.com.ua", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774235972", "to_ids": true, "type": "hostname", "uuid": "8379af33-0687-4ffa-80ea-f8c54c895778", "value": "js-l1wt597cimk.i.zimbrasoft.com.ua", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774235993", "to_ids": true, "type": "hostname", "uuid": "e5cf63f0-bf84-40f8-a454-14467937763f", "value": "zimbrasoft.com.ua", "Tag": [ { "colour": "#669ae5", "local": false, "name": "AlreadyExistsError", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1774236015", "uuid": "29faa751-a856-4c3e-addb-9043000a5f9d", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1774236015", "to_ids": true, "type": "md5", "uuid": "eb363e3f-a2e3-4782-891c-b32dcc6beca9", "value": "c010f64080b0b0997b362a8e6b9c618e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1774234968", "to_ids": true, "type": "sha1", "uuid": "23e38bc4-a1b6-442d-bc88-dea976aa245e", "value": "e3ce7d13a83716594787a12edf6cbeedc76b9a65", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1774234968", "to_ids": true, "type": "sha256", "uuid": "a01fbca7-8fbe-41ce-894a-f6ffe5d0c250", "value": "98df604ecc57f884a2e6ce3266a0013ad64455cac48442c2312cfa4765007aaf", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1774232279", "to_ids": true, "type": "ssdeep", "uuid": "340d3a3e-1b97-4e73-a178-f4eb93026f04", "value": "384:XZb7Gmo4BsvAr6Ygkx8lPr7VQVdPVpfMmBhLunvXkS90vmAR0ytNH:J+moi9KkeTRQLDNekS90OAa2NH" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1774232279", "to_ids": false, "type": "size-in-bytes", "uuid": "224147ff-2421-4df3-ae2d-e5c791e60bb6", "value": "22731" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1774232279", "to_ids": true, "type": "filename", "uuid": "40c027b2-0e38-449c-b75f-cdc2cf19ac04", "value": "belinskyi.v@hydro.gov.ua_22.01.2026.txt" }, { "category": "Other", "comment": "Checked: 23/03/2026\nLast-scan\t: 23/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1774232279", "to_ids": false, "type": "text", "uuid": "a1567ad4-89ee-4775-b394-af64c2c93f15", "value": "Type Description: Email\nMicrosoft: None\nVT Total Detection:2/63\nFirst Submission:2026-02-26T06:42:55.000000+00:00\nLast Submission:2026-02-26T06:42:55.000000+00:00" } ] } ] } }