The Invisible Breach: ‘Operation GhostMail’ Uses Zero-Click XSS to Hijack Ukrainian Webmail

Seqrite Labs uncovered Operation GhostMail, a zero-click campaign that leverages an HTML-only email to execute obfuscated JavaScript and intercept webmail sessions without dropping files. Attributed to APT28 and exploiting CVE-2025-66376 in Zimbra, the attack exfiltrates credentials, mailbox data, and contacts from the Ukrainian State Hydrology Agency using DNS and HTTPS channels. #OperationGhostMail #APT28 #CVE-2025-66376 #Zimbra #UkrainianStateHydrologyAgency

Keypoints

  • Seqrite Labs detected a zero-click, HTML-only campaign named Operation GhostMail.
  • The attack exploits CVE-2025-66376 in Zimbra via unsafe CSS @import sanitization to execute obfuscated JavaScript.
  • APT28 is attributed with moderate confidence and targeted the Ukrainian State Hydrology Agency.
  • The script harvests session tokens, backup 2FA codes, saved passwords, mailbox contents (90 days), and contact lists.
  • Exfiltration occurs over dual DNS and HTTPS channels while remaining browser-resident to evade endpoint and antivirus detection.
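The summary above attributes the code execution to unsafe sanitization of CSS `@import` rules in HTML-only mail. The following is an added example, not code from Seqrite Labs, Zimbra or the linked article: a small mail-gateway check that scans the `<style>` blocks of an inbound HTML message for `@import` rules, normalizing CSS comments, hex escapes and whitespace first so that a rule spelled in an obfuscated form is still caught, and that can strip any stylesheet containing one. The sample messages are constructed here for illustration; the assumption that comment and escape tricks are the relevant evasions is the author's, not a description of how CVE-2025-66376 is actually triggered.

```python
import re

# Constructed sample HTML bodies (illustrative only; not artifacts from the campaign).
BENIGN = (
    "<html><head><style>body { font-family: sans-serif; }</style></head>"
    "<body><p>Monthly report attached.</p></body></html>"
)
PLAIN_IMPORT = (
    '<html><head><style>@import url("https://example.invalid/x.css");</style></head>'
    "<body><p>hello</p></body></html>"
)
# The same rule written with a CSS hex escape (\69 decodes to "i"), comments and padding,
# so that a naive substring match for "@import" would not see it.
OBFUSCATED_IMPORT = (
    "<html><head><style>/* hdr */@\\69 mp/**/ort url(  'https://example.invalid/y.css' );"
    "</style></head><body><p>hello</p></body></html>"
)

STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.I | re.S)
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# CSS escape: backslash + 1-6 hex digits + optional single whitespace, or backslash + any char.
CSS_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)
# Matches "@import" followed by an optional url(...) wrapper and an optional quote,
# capturing the referenced target up to the next quote, paren, whitespace or semicolon.
IMPORT_RE = re.compile(r"@\s*import\b\s*(?:url\(\s*)?[\"']?([^\"')\s;]*)")


def _decode_css_escape(m: re.Match) -> str:
    """Replace one CSS escape sequence with the character it denotes."""
    hex_digits, literal = m.group(1), m.group(2)
    if hex_digits is not None:
        try:
            return chr(int(hex_digits, 16))
        except (ValueError, OverflowError):
            return ""  # out-of-range code point: drop it
    return literal


def normalize_css(css: str) -> str:
    """Canonicalize a stylesheet so obfuscated spellings of a rule compare equal.

    Comments are removed before escapes are decoded (so "@im/**/port" and
    "@\\69 mport" both become "@import"); whitespace is then collapsed and the
    text lower-cased. Note that lower-casing also affects captured URLs.
    """
    css = CSS_COMMENT_RE.sub("", css)
    css = CSS_ESCAPE_RE.sub(_decode_css_escape, css)
    return re.sub(r"\s+", " ", css).lower()


def find_css_imports(html_body: str) -> list[str]:
    """Return the targets of every @import rule found in the message's <style> blocks."""
    targets: list[str] = []
    for block in STYLE_RE.findall(html_body):
        targets.extend(IMPORT_RE.findall(normalize_css(block)))
    return targets


def strip_importing_styles(html_body: str) -> tuple[str, list[str]]:
    """Remove any <style> block that contains an @import rule.

    Returns the rewritten body and the list of import targets that were removed,
    which a gateway can log for triage. Stylesheets without @import are kept.
    """
    found: list[str] = []

    def _replace(m: re.Match) -> str:
        targets = IMPORT_RE.findall(normalize_css(m.group(1)))
        if targets:
            found.extend(targets)
            return ""
        return m.group(0)

    return STYLE_RE.sub(_replace, html_body), found


if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("plain", PLAIN_IMPORT), ("obfuscated", OBFUSCATED_IMPORT)):
        cleaned, removed = strip_importing_styles(body)
        print(f"{name:10s} imports={find_css_imports(body)} removed={removed}")
```

The check runs at the gateway or in the webmail sanitizer before the HTML reaches a browser, which is the point at which a browser-resident, file-less payload can still be stopped; the removed targets give the SOC something to pivot on even though nothing ever lands on an endpoint.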

Read More: https://securityonline.info/invisible-breach-operation-ghostmail-zero-click-xss-ukraine/