A sophisticated cyberespionage campaign, dubbed Operation GhostMail, has been detected targeting critical government infrastructure in Ukraine. Security researchers at Seqrite Labs identified the operation, which leverages a zero-click infection chain to intercept webmail sessions without ever dropping a single file on the victim’s hard drive.
Attributed with moderate confidence to the Russian state-sponsored group APT28, the campaign marks a significant shift toward purely browser-resident threats that bypass traditional endpoint security.
Unlike traditional phishing attacks that rely on suspicious links or malicious .exe attachments, Operation GhostMail arrives as a seemingly harmless internship inquiry. The entire attack is contained within the HTML body of the email itself.
The campaign exploits CVE-2025-66376, a stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration (ZCS). The bug is caused by “inadequate sanitization of CSS @import directives within the HTML content,” allowing an obfuscated JavaScript payload to execute the moment a victim opens the email in a vulnerable browser session.
“The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email.”
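A defender-side check for the sanitization gap the report describes (CSS @import directives inside HTML mail content), written here as an added example and not code from Seqrite Labs or Zimbra. It assumes nothing about the actual CVE-2025-66376 bypass beyond what the page states: it flags any @import found in a message body after decoding CSS escapes, HTML entities and comments, so that a mail gateway can quarantine the message for review; the sample bodies are constructed.

```python
import re
from html.parser import HTMLParser

# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace),
# or backslash + any other single character.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_AT_IMPORT = re.compile(r"@import\b", re.I)


def decode_css_escapes(css: str) -> str:
    """Resolve CSS backslash escapes so '@\\69 mport' reads as '@import'."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, css)


def css_has_import(css: str) -> bool:
    """True if the CSS text contains an @import rule once normalised.
    Comments are stripped first, so split tokens are flagged too
    (a false positive is preferable to a missed directive here)."""
    normalised = decode_css_escapes(_CSS_COMMENT.sub("", css))
    return _AT_IMPORT.search(normalised) is not None


class _CssCollector(HTMLParser):
    """Collect <style> bodies and style="" attributes from an HTML body.
    HTMLParser decodes entities in attributes, so &#64;import becomes @import."""
    def __init__(self):
        super().__init__()
        self.chunks = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        self.chunks.extend(v for k, v in attrs if k == "style" and v)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.chunks.append(data)


def find_css_imports(html: str) -> list:
    """Return every CSS chunk in the HTML body that carries an @import."""
    collector = _CssCollector()
    collector.feed(html)
    collector.close()
    return [c for c in collector.chunks if css_has_import(c)]


# Constructed sample bodies (not taken from the Seqrite report).
BENIGN = '<style>p{color:#333}</style><p style="font-weight:bold">Internship inquiry</p>'
SUSPECT = '<style>@import url("https://example.invalid/s.css");</style><p>Internship inquiry</p>'
OBFUSCATED = '<div style="@\\69 mport url(x)">Hi</div><p style="&#64;IMPORT url(y)">Hi</p>'
```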
Once triggered, the malicious script runs silently in the background. Rather than installing permanent malware, it weaponizes legitimate platform-native functionality to turn the victim’s own browser against them.
The script is designed for total data exfiltration, targeting:
- Credentials and Tokens: Harvesting session tokens, backup 2FA codes, and browser-saved passwords.
- Mailbox Content: Fetching the source of every email in the victim’s inbox going back 90 days.
- Contact Lists: Utilizing legitimate SOAP API requests to the Zimbra endpoint to map out the victim’s professional network.
All stolen data is then funneled back to the attackers using a dual-channel approach over both DNS and HTTPS to ensure the exfiltration remains undetected by network monitoring tools.
The targeting of the Ukrainian State Hydrology Agency, an entity classified as critical national infrastructure, aligns perfectly with ongoing Russian strategic interests in the region.
The technical tradecraft, specifically the exploitation of webmail vulnerabilities to intercept communications, mirrors previously documented activity from APT28 targeting public-sector institutions across Eastern Europe.
“Operation GhostMail demonstrates the continued evolution of webmail-focused intrusion, where attackers rely entirely on browser-resident stealers rather than traditional malware binaries.”
The success of Operation GhostMail highlights a critical blind spot in modern defense: the browser session. Because the attack “achieves full session interception without dropping files, exploiting macros, or triggering endpoint-based detections,” traditional antivirus software often remains blind to the breach.