Russian hackers exploit Zimbra flaw to breach Ukrainian maritime agency
Summary: the Russian state-backed hacker group APT28 exploited a vulnerability in Zimbra mail software to run a stealthy phishing campaign against a Ukrainian government agency and steal sensitive data.

2026-3-19 12:46:46 Author: therecord.media

A Russian state-backed hacker group has targeted a Ukrainian government agency using a stealthy phishing campaign that exploits a vulnerability in widely used Zimbra webmail software, according to new research.

The operation, attributed with medium confidence to APT28 — also known as Fancy Bear and believed to be linked to Russia’s military intelligence — targeted the State Hydrographic Service of Ukraine, which plays a role in maritime navigation and other critical infrastructure services.

Researchers at cybersecurity firm Seqrite said the attackers exploited a cross-site scripting flaw, tracked as CVE-2025-66376, allowing them to inject malicious code directly into an email viewed through Zimbra’s browser-based interface.

Unlike traditional phishing campaigns, the attack did not rely on malicious attachments or links. Instead, the entire exploit was embedded within the body of a single email that appeared to be a routine internship inquiry written in Ukrainian.

“The phishing email has no malicious attachments, no suspicious links, no macros,” the researchers said. “The entire attack chain lives inside the HTML body of a single email.”

Once opened in an active Zimbra session, the malicious code executed silently in the victim’s browser, enabling attackers to harvest login credentials, session tokens, backup two-factor authentication codes, browser-stored passwords and up to 90 days of mailbox data.

The malicious email was sent in January from what appeared to be a compromised student account. By embedding the payload directly in the email and exploiting a trusted webmail environment, the attackers were able to intercept authenticated sessions without deploying malware or triggering many conventional security defenses, the report said.
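The defensive takeaway from the paragraphs above is that a message can be dangerous with no attachment and no link at all, so inbound mail filtering has to look at the HTML body itself for anything a webmail client could execute. The following is an added example written for this page (it is not code from The Record, Seqrite or Zimbra): a gateway-side scanner built on Python's standard-library HTML parser that flags script elements, inline event handlers and script-scheme URIs, and a policy hook that quarantines a message on any finding. The tag and attribute lists are a baseline chosen here, not a description of what the reported exploit used, and the two mail bodies are constructed samples.

```python
# Added example (not code from The Record, Seqrite or Zimbra): a mail-gateway
# check that flags HTML message bodies carrying content a webmail client could
# execute. The tag and attribute lists are a defensive baseline chosen here,
# not a description of what the reported exploit used.
import re
from html.parser import HTMLParser

# Elements that run script or pull in active/foreign content when rendered.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed",
               "svg", "math", "form", "meta", "link", "base"}
# Attributes whose value is a URI and therefore may carry a script scheme.
URI_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}
# data: is flagged too because inline documents are a common carrier for
# active content; a real deployment may allowlist image/* data URIs.
DANGEROUS_SCHEMES = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


class ActiveContentScanner(HTMLParser):
    """Collects one finding per active element, event handler or script URI."""

    def __init__(self) -> None:
        # convert_charrefs=True so entity-encoded attribute values such as
        # &#106;avascript: are decoded before the scheme check runs.
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        # HTMLParser already lower-cases tag and attribute names, and routes
        # self-closing tags (<img .../>) through this method as well.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}= on <{tag}>")
            elif name in URI_ATTRS and value is not None:
                match = DANGEROUS_SCHEMES.match(value)
                if match:
                    scheme = match.group(1).lower()
                    self.findings.append(f"{name}= uses scheme {scheme}: on <{tag}>")


def scan_html_body(body: str) -> list[str]:
    """Return the list of findings for one HTML mail body (empty = clean)."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def gateway_verdict(body: str) -> str:
    """Policy hook: any finding holds the message for analyst review."""
    return "quarantine" if scan_html_body(body) else "deliver"


# Constructed samples: a plain internship inquiry, and the same text with
# active content smuggled into the body (placeholder comments, no payload).
BENIGN_SAMPLE = (
    "<html><body><p>Good afternoon, I am a final-year student and would like "
    "to ask about internship opportunities at your agency.</p>"
    "<p>Kind regards</p></body></html>"
)
SUSPICIOUS_SAMPLE = (
    "<html><body><p>Good afternoon, I am a final-year student and would like "
    "to ask about internship opportunities at your agency.</p>"
    '<img src="x" onerror="/* placeholder: script would run here */">'
    "<script>/* placeholder */</script>"
    "<p>Kind regards</p></body></html>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, gateway_verdict(sample), scan_html_body(sample))
```

The check is deliberately coarse: it reports categories of active content rather than trying to decide whether a given handler is harmful, because a webmail client's own sanitizer is the component that must make that decision, and a gateway that holds any such message for review gives defenders a second, independent control when that sanitizer has a bug. Note that text-only rendering or stripping the HTML part entirely for high-value mailboxes removes the entire class of issue the article describes.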

APT28 has a long history of targeting Ukrainian and Western government entities, defense contractors, and logistics networks in cyber-espionage campaigns. Earlier this month, researchers also linked the group to another operation targeting Ukraine involving previously undocumented malware strains known as BadPaw and MeowMeow.

Zimbra webmail has repeatedly been targeted by other Russian-linked hacking groups, including APT29 and Winter Vivern, in espionage campaigns against Eastern European organizations, the researchers said.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Source: https://therecord.media/russia-hackers-ukraine-zimbra-breach