Ghost in the Inbox: How the “GhostMail” Attack Weaponized Zimbra’s Own API to Siphon Critical State Secrets
Phishing bombardments directed at webmail architectures are customarily orchestrated along a deeply familiar trajectory: a pernicious attachment, a venomous hyperlink, a compromised macro, or a subterranean downloader. However, within a nascent campaign leveled against a sovereign Ukrainian state institution, the malefactors completely eschewed this orthodox arsenal. The malicious architecture was seamlessly entombed directly within the HTML corpus of the email itself; its execution commenced the exact moment the unwary quarry merely opened the missive within a vulnerable iteration of Zimbra.
This kinetic strike was unearthed by the vanguard at Seqrite Labs. The recipient of this fateful epistle was an operative stationed within the State Hydrographic Service, an entity entrusted with the navigational, maritime, and hydrographic stewardship of shipping conduits, categorically recognized as critical national infrastructure.
The lure possessed a chillingly mundane veneer, which exponentially magnified its peril. The missive, inscribed in the Ukrainian vernacular, was masterfully disguised as a benign inquiry regarding a potential internship. The sender masqueraded as a fourth-year scholar hailing from the National Academy of Internal Affairs, graciously inquiring if the addressee possessed any pertinent professional contacts or vacant postings. The correspondence concluded with a courteous apology should the inquiry have been directed to an erroneous recipient. Such a stratagem has long been a staple of the phishing playbook: a disarmingly innocuous tone effectively neutralizes suspicion, compelling the target to perceive the missive as orthodox professional correspondence.
Upon initial scrutiny, the missive betrayed no overt harbingers of malice. Forensic investigators found no malicious attachments, no external hyperlinks, and no office documents harboring macros. The entire attack chain was nestled within the HTML markup of a single message. The malicious code sat inside a div hidden with the display:none styling directive, as a large fragment of Base64-encoded JavaScript. To slip past filtering, the assailants abused a parsing quirk: a CSS @import directive embedded within tag and attribute names rather than in ordinary style content. To security filters this fragment merely appeared as fractured, innocuous markup; the browser, however, reassembled it into an executable script.
Architecturally, the strike was predicated upon an XSS vulnerability festering within the Zimbra Collaboration Suite. This critical flaw stems from the inadequate sanitization of HTML content, particularly when parsing exquisitely crafted constructs harboring @import directives and auxiliary script-injection vectors. Whilst this chasm had already been sealed within ZCS iterations 10.0.18 and 10.1.13 as early as November 2025, the attack starkly illuminated that not all deployments had been fortified with requisite alacrity. A paramount detail: successful detonation strictly necessitated the quarry opening the missive specifically within the orthodox Zimbra web interface, wherein the venomous markup was executed under the aegis of the active, authenticated session.
Upon the unfurling of the missive, the script ignited within the browser’s sanctum, operating almost entirely imperceptibly to the user. The inaugural stage constituted a JavaScript loader. This vanguard verified whether the malicious module had already entrenched itself within the page; it then decoded the payload via atob(), applied an XOR transform with the key twichcba5e (an obfuscation step, not encryption), and injected the resulting code into the page’s top-level document. This maneuver granted the malicious module unmitigated access to cookies, localStorage, and the same-origin privileges enjoyed by the webmail application itself. In essence, the script acquired near-absolute equivalence to the capabilities of the victim’s authenticated Zimbra session.
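The two tricks described so far, a Base64 blob inside a display:none element and an @import directive smuggled into tag or attribute names, are both things a mail gateway or an analyst can look for before the browser ever renders the message. The following triage script is an added example, not code from Seqrite Labs, Zimbra, or the attacker; it walks an HTML body with Python’s html.parser, collects text hidden by display:none, finds long Base64 runs, reverses the loader’s decoding step (atob() followed by XOR with the key twichcba5e, as the report states; byte-wise key repetition is an assumption), and reports any @import found in a tag or attribute name. The sample email and the placeholder second stage are constructed; only the XOR key comes from the report.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

XOR_KEY = b"twichcba5e"  # XOR key named in the report
# A run of Base64 characters this long is a payload, not a tracking id or inline token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
IMPORT_RE = re.compile(r"@import", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none", re.IGNORECASE)


class HiddenBlobFinder(HTMLParser):
    """Collects text inside elements styled display:none and records any @import
    that sits in a tag name or attribute NAME (in a value it would be ordinary CSS)."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden?) for each open element
        self.hidden_depth = 0
        self.hidden_text = []
        self.import_in_markup = []

    def handle_starttag(self, tag, attrs):
        if IMPORT_RE.search(tag):
            self.import_in_markup.append(tag)
        for name, _value in attrs:
            if IMPORT_RE.search(name):
                self.import_in_markup.append(name)
        hidden = bool(HIDDEN_RE.search(dict(attrs).get("style") or ""))
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop to the matching open tag; phishing HTML is often sloppily nested.
        while self.stack:
            open_tag, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth > 0:
            self.hidden_text.append(data)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (byte-wise repetition of the key is an assumption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_stage(blob: str, key: bytes = XOR_KEY) -> bytes:
    """Mirror the loader: Base64 decode (atob) first, then XOR with the key."""
    return xor_with_key(base64.b64decode(blob, validate=True), key)


def triage(html_body: str, key: bytes = XOR_KEY) -> dict:
    finder = HiddenBlobFinder()
    finder.feed(html_body)
    finder.close()
    hidden_text = "".join(finder.hidden_text)
    decoded = []
    for match in B64_RUN.finditer(hidden_text):
        try:
            decoded.append(decode_stage(match.group(0), key))
        except (binascii.Error, ValueError):
            continue  # not valid Base64; leave for manual review
    return {
        "decoded_stages": decoded,
        "import_in_markup": finder.import_in_markup,
        "suspicious": bool(decoded) or bool(finder.import_in_markup),
    }


# --- constructed fixture: a harmless placeholder "stage", hidden the way the report describes ---
SAMPLE_STAGE = (b"/* constructed placeholder, not the real GhostMail second stage */\n" * 3
                + b"console.log('stage two');")


def hide_like_loader(stage: bytes, key: bytes = XOR_KEY) -> str:
    """Fixture builder only: XOR then Base64, the inverse of decode_stage."""
    return base64.b64encode(xor_with_key(stage, key)).decode("ascii")


SAMPLE_EMAIL = (
    "<html><body><p>Good afternoon! Could you tell me whether your service has any "
    "internship openings?</p>"
    f'<div style="display:none">{hide_like_loader(SAMPLE_STAGE)}</div>'
    '<span @import="url(x)">(constructed: @import smuggled into an attribute name)</span>'
    "</body></html>"
)

if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print("suspicious:", result["suspicious"], "| @import in markup:", result["import_in_markup"])
    for stage in result["decoded_stages"]:
        print(stage.decode("utf-8", "replace"))
```

The point of decoding rather than merely flagging is that the decoded stage is what tells you which SOAP operations and C2 paths to hunt for in server and proxy logs; a gateway rule that only scores hidden Base64 will also fire on benign inline images, so the @import-in-name check is the stronger of the two signals.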
The subsequent stage operated as a fully fledged browser infostealer. The code executed directly within the browser’s memory, voraciously harvesting credentials, session SOAP tokens, backup two-factor authentication codes, the entire contents of the mailbox, attachments, cookies, and an array of auxiliary sensitive data. A 12-character identifier was generated for each victim and attached to every request directed toward the command-and-control server. Forensic researchers pinpointed the domain zimbrasoft[.]com[.]ua as the orchestrating nexus. Should any stage of the operation encounter an error, the malicious code immediately sent the server a report naming the stage, the error text, and the accompanying stack trace, granting the operator immediate, granular visibility into the precise juncture of failure.
The module’s interaction with Zimbra’s intrinsic API warrants profound scrutiny. The malicious code issued SOAP requests to the /service/soap/ endpoint, the legitimate, native interface of the mail platform itself. To authenticate these requests, the module appended a stolen anti-CSRF token, which Zimbra’s classic web interface regrettably stores in localStorage in plaintext. Consequently, these requests were indistinguishable from the ordinary, authorized activity of a user operating within the webmail client. Should a solitary SOAP request be rejected, the wrapper merely returned null, permitting the remaining operations to proceed in parallel, entirely unperturbed.
The exfiltration of the plundered data was orchestrated via a dual-channel conduit: HTTPS and, concurrently, DNS. For the DNS vector, values were encoded with RFC 4648 Base32 (an encoding, not encryption), fractured into 60-character fragments, and transmuted into subdomain labels. This clandestine pathway is profoundly advantageous to assailants operating within networks where orthodox web traffic is subjected to draconian filtration, whilst DNS queries frequently traverse unimpeded. More voluminous artifacts, such as comprehensive configuration dumps, were serialized into binary data and dispatched via HTTPS to the /v/d path, adorned with an X-Filename header. For concise messages, beacons, and operational telemetry, the /v/p path was employed. Consequently, a single piece of intelligence could be exfiltrated via two divergent routes simultaneously: DNS offering succor within heavily fortified networks, and HTTPS preserving the absolute integrity of the data should that conduit remain accessible.
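The DNS channel leaves a distinctive trace in resolver logs: long labels drawn only from the Base32 alphabet, all under one parent name. The detector below is an added example, not code from the report or from Zimbra; it scans constructed DNS query log lines (the log format, timestamp, client, query name, is an assumption), flags queries under the C2 domain the report names and queries whose first label looks like a Base32 fragment, and then reassembles everything seen under a flagged parent and decodes it, so the responder can see what actually left the network. It assumes the '=' padding was stripped before labels were built, since padding is not legal in a hostname, and the short trailing fragment in the sample is deliberate: it fails the length test on its own and is recovered only because its parent was already flagged.

```python
import base64
import binascii
import math
import re
from collections import defaultdict

KNOWN_C2 = ("zimbrasoft.com.ua",)                 # C2 domain named in the report
CHUNK = 60                                        # fragment length given in the report
B32_LABEL = re.compile(r"^[A-Z2-7]{32,63}$")      # long label using only the Base32 alphabet
MIN_ENTROPY = 3.0                                 # bits per char; heuristic threshold (assumption)
# Constructed log format (assumption): "<iso-timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_b32_chunk(label: str) -> bool:
    up = label.upper()  # DNS is case-insensitive; Base32 is upper-case
    return bool(B32_LABEL.match(up)) and shannon_entropy(up) >= MIN_ENTROPY


def b32_decode_loose(text: str):
    """Decode Base32 whose '=' padding was stripped to fit DNS labels (assumption)."""
    padded = text.upper() + "=" * (-len(text) % 8)
    try:
        return base64.b32decode(padded)
    except (binascii.Error, ValueError):
        return None


def analyze(lines):
    """Per-query alerts plus bytes reassembled per (client, parent domain). Once any
    query under a parent is flagged, every first label seen under it is collected,
    so short tail fragments that miss the length test are not lost."""
    records, alerts, flagged = [], [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".")
        labels = qname.split(".")
        parent = ".".join(labels[1:])
        reasons = []
        if any(qname == c2 or qname.endswith("." + c2) for c2 in KNOWN_C2):
            reasons.append("query under known C2 domain")
        if is_b32_chunk(labels[0]):
            reasons.append("long Base32-alphabet label (possible exfil fragment)")
        records.append((m["client"], parent, labels[0]))
        if reasons:
            flagged.add((m["client"], parent))
            alerts.append({"client": m["client"], "qname": qname, "reasons": reasons})
    chunks = defaultdict(list)
    for client, parent, first_label in records:   # log order preserves fragment order
        if (client, parent) in flagged:
            chunks[(client, parent)].append(first_label)
    reassembled = {}
    for key, labs in chunks.items():
        data = b32_decode_loose("".join(labs))
        if data is not None:
            reassembled[key] = data
    return {"alerts": alerts, "reassembled": reassembled}


# --- constructed fixture ---
SAMPLE_SECRET = b"constructed-sample: scratch code 1234-5678"


def exfil_queries(data: bytes, parent: str):
    """Fixture builder: Base32, padding stripped (assumption), cut into 60-char labels."""
    enc = base64.b32encode(data).decode("ascii").rstrip("=")
    return [f"{enc[i:i + CHUNK]}.{parent}" for i in range(0, len(enc), CHUNK)]


SAMPLE_LOG = [
    "2026-01-22T10:00:01Z 10.1.2.3 query www.example.org.",
    "2026-01-22T10:00:02Z 10.1.2.3 query mail.example.org.",
    *[f"2026-01-22T10:00:0{3 + i}Z 10.1.2.3 query {q}."
      for i, q in enumerate(exfil_queries(SAMPLE_SECRET, "js-constructed1.i.zimbrasoft.com.ua"))],
    "2026-01-22T10:00:09Z 10.1.2.4 query cdn-assets-01.example.net.",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    for key, data in result["reassembled"].items():
        print(key, "->", data)
```

In production the known-domain match is the cheap, reliable rule and the Base32-label heuristic is what catches the next campaign’s freshly registered domain; tune MIN_ENTROPY and the minimum label length against a week of your own resolver logs before alerting on the heuristic alone.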
The venomous architecture concurrently ignited nine parallel tasks via Promise.all. Such a voracious approach was paramount to ensuring the maximum harvest of intelligence, even should the user swiftly close the browser tab. One designated function dispatched the inaugural beacon to the command server. An auxiliary module harvested email addresses and credentials, initially attempting to extract them from the page’s intrinsic variables, and subsequently requesting them via GetIdentitiesRequest. A distinct module meticulously fingerprinted the client environment, leveraging GetInfoRequest to requisition the totality of server and account parameters, encompassing the Zimbra version, the mailbox quota, specific configurations, and the host name. The culmination of this intelligence was archived as a comprehensive JSON analytical dossier.
Among the most devastating functionalities was the extraction of backup two-factor authentication (scratch) codes via GetScratchCodesRequest. These codes are expressly designed for emergency access when the user is bereft of their secondary authentication factor. Should a digital marauder usurp them, the mere alteration of a password is no longer a guaranteed sanctuary; a multitude of defensive bulwarks can be effortlessly bypassed at a later epoch. Each individual code was methodically exfiltrated as a discrete transmission via the DNS conduit.
Yet another module forged an application-specific password via CreateAppSpecificPasswordRequest. Zimbra empowers the genesis of bespoke passwords tailored for external clients and auxiliary services. Within the scrutinized specimen, this nascent, enduring password was christened under the nomenclature ZimbraWeb. The profound peril lies in the reality that such a secret frequently survives the pedestrian alteration of the primary password. For the assailant, this presents an exceedingly convenient methodology for securing long-term, subterranean entrenchment within the mailbox, granting them subsequent ingress via IMAP or API conduits, even after the victim has sensed the anomaly.
Furthermore, the malicious architecture harvested telemetry concerning tethered mobile apparatuses via GetDeviceStatusRequest from within the urn:zimbraSync namespace. The response yielded device identifiers, architectural typologies, synchronization statuses, and an array of auxiliary, highly actionable details. For the malefactors, this transcended mere technical reference; it constituted a profound profiling of the victim and laid the foundational groundwork for subsequent kinetic strikes directed against the mobile perimeter. Moreover, via GetOAuthConsumersRequest, the script exfiltrated a comprehensive roster of third-party OAuth applications commanding ingress to the mailbox. This granted the operator an unvarnished panorama of the external services inextricably bound to the account, illuminating the myriad alternative platforms through which the assault could be further propagated.
A wholly distinct stratagem targeted not the Zimbra architecture itself, but rather the sovereign browser. Two obfuscated form fields, adorned with the attributes autocomplete="username" and autocomplete="current-password", were imperceptibly injected into the page. The code subsequently observed a five-second hiatus, affording the browser’s credential manager ample time to autonomously populate the values. Following this, the harvested contents were read, dispatched to the server, and the injected elements were ruthlessly expunged. This specific maneuver did not even necessitate a Zimbra token, as the attack functioned entirely at the browser stratum, ruthlessly exploiting the inherent propensity of password managers to automatically surrender their preserved secrets.
An auxiliary module silently activated IMAP via ModifyPrefsRequest, calibrating the zimbraPrefImapEnabled parameter to TRUE. The rationale here is coldly pragmatic: following the genesis of an application password, the malefactor requires a remote protocol through which to peruse the correspondence utilizing an orthodox client, thereby perpetuating their surveillance of the mailbox entirely independent of the web interface. The activation of IMAP transfigured a singular, ephemeral compromise into a profoundly resilient, enduring conduit of access.
The most arduous, and arguably the most invaluable, facet of the siege was the systematic archival exfiltration of the preceding ninety days of correspondence. The sendArchives module meticulously iterated through days 0 to 89, downloading the entirety of the mailbox’s contents for each day, excluding mail flagged as spam, via Zimbra’s intrinsic export endpoint: /home/~/?fmt=tgz. Each daily archive was instantaneously dispatched to the server. For contemporary browsers, this was achieved via a streaming transmission utilizing ReadableStream, utterly bypassing memory buffering. For antiquated iterations, a buffered methodology was employed, constrained to a 500 MB threshold. Concurrently, checkpoint markers named zd_comp_YYYY-MM-DD were written to localStorage; this ensured that should the tab be subsequently reopened, previously exfiltrated days would not be transmitted again. A generous timeout of twenty-four hours was allotted per day, signifying that the tab could persist and systematically siphon the archives for an exceedingly protracted duration, provided the user did not sever the connection.
Investigators chronicle that the command server’s domain was registered on January 20, 2026, mere moments preceding the commencement of the bombardment. Within the infrastructure, at least two synthetically generated domains were observed: js-l1wt597cimk[.]i[.]zimbrasoft[.]com[.]ua and js-26tik3egye4[.]i[.]zimbrasoft[.]com[.]ua. The fateful missive arrived on January 22, 2026, and, according to the header telemetry, was dispatched via infrastructure inextricably bound to the National Academy of Internal Affairs. Forensic researchers postulate that the sender’s account had, in all probability, already suffered compromise. An auxiliary, chilling detail: at the epoch of its initial unmasking, the specimen elicited zero detections upon VirusTotal.
The dossier specifically references previously chronicled operations orchestrated by APT28, APT29, and TA473, leveled against Zimbra and auxiliary webmail architectures spanning Eastern Europe. Nevertheless, the GhostMail bombardment aligns most congruously with the established machinations of APT28. Seqrite Labs highlights profound intersections with Operation RoundPress and the venomous logic underpinning SpyPress.ZIMBRA, wherein analogous SOAP interrogations directed toward the Zimbra API and the wholesale exfiltration of mailbox contents were heavily utilized. These profound revelations have already been imparted to CERT-UA.
The saga of GhostMail provides a masterclass in the profound evolution of the foundational logic underpinning email bombardments. Digital marauders no longer universally require a venomous executable upon the disk, a compromised macro within a document, or a discrete, subterranean downloader. Should the webmail architecture harbor vulnerabilities, the entire constellation of malicious actions can be seamlessly executed directly within the browser, ensconced within the user’s active session, ruthlessly weaponizing the platform’s very own, orthodox capabilities against itself. For the vanguard of defense, this dictates an absolute, unequivocal mandate: Zimbra must be fortified with zero latency; HTML content within webmail must be subjected to draconian filtration; and anomalous SOAP interrogations, unexpected IMAP activations, the unheralded genesis of application passwords, and the mass exfiltration of mail archives must be monitored with unblinking, relentless vigilance.
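Turning that closing mandate into detection logic means watching the server side for the specific operations the stealer chained together: scratch-code retrieval, app-specific password creation (the sample named its password ZimbraWeb), device and OAuth enumeration, a silent zimbraPrefImapEnabled flip to TRUE, and a burst of /home/~/?fmt=tgz exports. The rule set below is an added example, not Zimbra’s or Seqrite Labs’ code; it runs over constructed request records whose shape (user, timestamp, SOAP operation name, optional body, request URI) is an assumption to be mapped from whatever request logging your deployment has, and the appName body field, the burst threshold, and the time window are assumptions too. GetInfoRequest and GetIdentitiesRequest are deliberately left out of the high-risk set: the legitimate web client issues them at every login, so on their own they carry no signal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# SOAP operations the report ties to post-compromise steps; rare enough in ordinary
# webmail use that each occurrence deserves a ticket.
HIGH_RISK_SOAP = {
    "GetScratchCodesRequest": "backup 2FA (scratch) codes read",
    "CreateAppSpecificPasswordRequest": "application-specific password created",
    "GetDeviceStatusRequest": "synced mobile devices enumerated",
    "GetOAuthConsumersRequest": "OAuth consumers enumerated",
}
EXPORT_URI = "/home/~/?fmt=tgz"          # export endpoint from the report (per-day filter omitted)
EXPORT_BURST, EXPORT_WINDOW = 5, timedelta(minutes=10)   # burst thresholds (assumption)
GHOSTMAIL_APP_NAME = "ZimbraWeb"         # app-password name seen in the analysed sample


def detect(records):
    """records: dicts with user, ts (ISO 8601) and either soap (+ optional body) or uri.
    The record shape and the 'appName' body key are assumptions."""
    alerts, exports = [], defaultdict(list)
    for r in records:
        user, ts = r["user"], datetime.fromisoformat(r["ts"])
        soap, body = r.get("soap"), r.get("body", {})
        if soap in HIGH_RISK_SOAP:
            reason = HIGH_RISK_SOAP[soap]
            if soap == "CreateAppSpecificPasswordRequest" and body.get("appName") == GHOSTMAIL_APP_NAME:
                reason += f" (name {GHOSTMAIL_APP_NAME} matches the GhostMail sample)"
            alerts.append({"user": user, "ts": r["ts"], "reason": reason})
        elif soap == "ModifyPrefsRequest" and str(body.get("zimbraPrefImapEnabled", "")).upper() == "TRUE":
            alerts.append({"user": user, "ts": r["ts"], "reason": "IMAP enabled via zimbraPrefImapEnabled"})
        if r.get("uri", "").startswith(EXPORT_URI):
            exports[user].append(ts)
    # Bulk export: EXPORT_BURST or more tgz downloads by one user inside EXPORT_WINDOW.
    for user, times in exports.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= EXPORT_WINDOW)
            if n >= EXPORT_BURST:
                alerts.append({"user": user, "ts": start.isoformat(),
                               "reason": f"{n} mailbox exports via {EXPORT_URI} within {EXPORT_WINDOW}"})
                break
    return alerts


# --- constructed fixture: one compromised session next to one ordinary user ---
SAMPLE_RECORDS = [
    {"user": "alice@example.org", "ts": "2026-01-22T11:00:00", "soap": "GetInfoRequest"},
    {"user": "alice@example.org", "ts": "2026-01-22T11:00:05", "soap": "GetIdentitiesRequest"},
    {"user": "alice@example.org", "ts": "2026-01-22T11:00:06", "soap": "GetScratchCodesRequest"},
    {"user": "alice@example.org", "ts": "2026-01-22T11:00:07", "soap": "CreateAppSpecificPasswordRequest",
     "body": {"appName": "ZimbraWeb"}},
    {"user": "alice@example.org", "ts": "2026-01-22T11:00:08", "soap": "ModifyPrefsRequest",
     "body": {"zimbraPrefImapEnabled": "TRUE"}},
    *[{"user": "alice@example.org", "ts": f"2026-01-22T11:0{1 + i}:30", "uri": EXPORT_URI} for i in range(6)],
    {"user": "bob@example.org", "ts": "2026-01-22T11:05:00", "uri": EXPORT_URI},
    {"user": "bob@example.org", "ts": "2026-01-22T11:05:10", "soap": "ModifyPrefsRequest",
     "body": {"zimbraPrefImapEnabled": "FALSE"}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

A single manual tgz export or a user turning on IMAP for a phone is normal; what is not normal is all of these from one session within a minute, so correlate the alerts per user and per client IP rather than paging on each one, and treat any app-specific password created shortly after a scratch-code read as a compromise until proven otherwise.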