
Russian APT weaponizes critical Zimbra bug in Ukraine-targeted intrusions


Intrusions exploiting the high-severity stored cross-site scripting flaw in Zimbra Collaboration, tracked as CVE-2025-66376, have been launched against Ukraine by a Russian advanced persistent threat operation suspected to be APT28, also known as Fancy Bear, Sofacy Group, BlueDelta, and STRONTIUM, according to Security Affairs.

Threat actors targeted Ukraine's State Hydrology Agency with a social engineering campaign built around a phishing email whose HTML carried malicious JavaScript; once the message was opened in a vulnerable Zimbra webmail session, the script launched a multi-stage payload that exfiltrated credentials, two-factor authentication data, emails, and tokens, Seqrite Labs researchers reported. The campaign was supported by a pair of command-and-control domains established on Jan. 20.
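The lure described above, an HTML email carrying JavaScript that only fires once the webmail client renders it, is the kind of content a mail gateway can flag before delivery. The following scanner is an added example written for this article, not code from Seqrite, Zimbra or the reporting; the sample message is constructed, and the finding labels are the example's own.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

class ActiveContentScanner(HTMLParser):
    """Records script-bearing tags, on* event handlers and javascript: URIs."""
    ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
    URI_ATTRS = {"href", "src", "action", "formaction", "data"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"handler:{tag}.{name}")
            elif name in self.URI_ATTRS and value:
                # Browsers skip control chars/whitespace inside the scheme, and
                # HTMLParser has already decoded entities, so normalise first.
                if re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:"):
                    self.findings.append(f"uri:{tag}.{name}")

def scan_html(html):
    parser = ActiveContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

def scan_message(raw_bytes):
    # Return active-content findings across every text/html MIME part.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings

# Constructed sample message, not the real lure; alert(1) stands in for the
# campaign's script. The entity-encoded href shows why raw-text matching fails.
SAMPLE = b"""From: sender@example.invalid
Subject: constructed sample
Content-Type: text/html; charset=utf-8

<html><body><p>Quarterly report attached.</p>
<img src="x" onerror="alert(1)"> <a href="jav&#x61;script:void(0)">open</a>
</body></html>
"""
```

This is a triage signal to pair with patching, not a substitute for it: the stored XSS itself lives in Zimbra's rendering of the message, so gateway filtering reduces exposure but does not remove the underlying flaw.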

"While definitive attribution requires further infrastructure or code-overlap confirmation, the techniques used are consistent with previously documented Russian state-sponsored groups exploiting webmail platforms across Eastern Europe," the researchers said.

The activity follows the addition of CVE-2025-66376 to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.
