Cybersecurity firm StrikeReady has published a detailed report revealing a security breach linked to the Zimbra Collaboration Suite, a popular email and collaboration platform. The attack exploited a previously unknown “zero-day” vulnerability, tracked as CVE-2025-27915, which allowed attackers to infiltrate targeted systems earlier this year. The report specifically highlights a campaign where an attacker, spoofing an email sender from the Libyan Navy’s Office of Protocol, targeted the Brazilian military using this exploit. The weapon of choice was a malicious iCalendar (.ICS) file, a standard format for sharing calendar data, which was secretly embedded with a dangerous payload.
How a Simple Calendar File Became a Digital Weapon
The vulnerability is identified as a stored Cross-Site Scripting (XSS) flaw in Zimbra versions 9.0–10.1. The root cause was inadequate sanitization of HTML embedded in ICS files. When a victim opened an email containing the malicious ICS entry, a JavaScript payload was triggered via an ontoggle event handler in that HTML. This allowed the attackers to take control of the victim’s email session. Once activated, the exploit could be used to hijack active sessions, set up email redirects, and exfiltrate data, a powerful mechanism for espionage. StrikeReady researchers detected the attacks while analyzing ICS files larger than 10 kilobytes that contained obfuscated (hidden) JavaScript code.
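The hunting criteria described above (ICS attachments over 10 KB whose text properties carry HTML event-handler attributes or obfuscated script) can be turned into a simple attachment scanner. The following is an added example for illustration, not code from StrikeReady or from Zimbra; the two ICS samples are constructed here, the 10 KB threshold is taken from the report, and the regular expressions are assumptions about what "obfuscated JavaScript" tends to look like rather than a signature for the real payload.

```python
import re
from typing import Dict, List

# Any inline HTML event-handler attribute (ontoggle=, onerror=, onload=, ...).
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
# Script tags and javascript: URLs have no business inside a calendar description.
SCRIPT_RE = re.compile(r"<script\b|javascript:", re.IGNORECASE)
# Assumed obfuscation indicators: long escape runs, eval/atob, String.fromCharCode.
OBFUSCATION_RE = re.compile(
    r"(?:\\x[0-9a-f]{2}){8,}|\beval\s*\(|\batob\s*\(|fromCharCode", re.IGNORECASE
)
SIZE_THRESHOLD = 10 * 1024  # the report's 10 KB hunting threshold
TEXT_PROPERTIES = {"DESCRIPTION", "SUMMARY", "X-ALT-DESC", "LOCATION", "COMMENT"}


def unfold_ics(text: str) -> str:
    """RFC 5545 line unfolding: a line break followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text)


def unescape_ics(value: str) -> str:
    """RFC 5545 text unescaping: \\n -> newline, \\, -> comma, \\; -> semicolon, \\\\ -> backslash."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt in "nN" else nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def ics_text_properties(text: str) -> Dict[str, str]:
    """Collect the free-text properties where HTML (and therefore a script payload) could hide."""
    props: Dict[str, str] = {}
    for line in unfold_ics(text).splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        base = name.split(";", 1)[0].upper()  # drop parameters such as ;FMTTYPE=text/html
        if base in TEXT_PROPERTIES:
            props[base] = props.get(base, "") + unescape_ics(value)
    return props


def scan_ics(raw: bytes) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if len(raw) > SIZE_THRESHOLD:
        findings.append(f"size {len(raw)} bytes exceeds {SIZE_THRESHOLD}")
    text = raw.decode("utf-8", errors="replace")
    for name, value in ics_text_properties(text).items():
        if EVENT_HANDLER_RE.search(value):
            findings.append(f"{name}: HTML event-handler attribute")
        if SCRIPT_RE.search(value):
            findings.append(f"{name}: script tag or javascript: URL")
        if OBFUSCATION_RE.search(value):
            findings.append(f"{name}: obfuscation indicator")
    return findings


# Constructed sample: an ordinary meeting invitation.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-1@example.invalid\r\n"
    "SUMMARY:Monthly review\r\n"
    "DESCRIPTION:Agenda\\, minutes and next steps.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
).encode()

# Constructed sample: an HTML alternate description with an event-handler attribute,
# plus an oversized description carrying an assumed obfuscation marker.
SUSPICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-2@example.invalid\r\n"
    "SUMMARY:Protocol meeting\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><details open ontoggle=\"x()\">agenda</details></html>\r\n"
    "DESCRIPTION:" + "A" * 11000 + "eval(atob('QUJD'))\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
).encode()

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_ICS), ("suspicious", SUSPICIOUS_ICS)):
        print(label, scan_ics(sample) or "clean")
```

In a mail gateway this would run over every text/calendar attachment before delivery; a hit on the event-handler or script patterns is worth quarantining regardless of size, while the size and obfuscation checks alone are triage signals rather than verdicts.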
A Spyware Toolkit for Deep Espionage
The malicious script deployed by the attackers was highly sophisticated, specifically targeting Zimbra Webmail to steal credentials, emails, contacts, and shared folders. The malware was designed to be persistent and evasive, employing a variety of techniques to maximize its effectiveness while staying hidden. These tactics included delaying its execution by 60 seconds to bypass rapid detection, limiting its activity to three days before requiring a system cooldown, and hiding its user interface elements.
The malware was capable of a wide range of espionage functions:
- Injecting concealed login forms to capture usernames and passwords.
- Tracking user activity (mouse/keyboard) and terminating the session if the user went idle to ensure data was stolen.
- Querying the Zimbra SOAP API to download and steal full email messages.
- Periodically uploading stolen email content to an attacker-controlled server ().
- Installing a mail-forwarding rule named “Correo” that redirected messages to a ProtonMail address for anonymous collection.
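Of the capabilities listed, the mail-forwarding rule is the one that survives a session hijack and is easiest to audit after the fact. The following is an added example, not StrikeReady's or Zimbra's code, that walks a mailbox's filter rules and flags redirects to external domains or a rule named after the reported indicator. It assumes the rules have been fetched as a GetFilterRulesResponse XML document with filterRule/filterActions/actionRedirect elements (an assumption about the response shape); the sample response, the internal domain example.mil and the placeholder redirect address are all constructed here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed: the organisation's own mail domains; a redirect anywhere else is suspicious.
INTERNAL_DOMAINS: Set[str] = {"example.mil"}
# Rule name reported by StrikeReady for the malicious forwarding rule.
KNOWN_BAD_RULE_NAMES: Set[str] = {"correo"}


def _local(tag: str) -> str:
    """Strip an XML namespace such as {urn:zimbraMail} from an element tag."""
    return tag.rpartition("}")[2]


def audit_filter_rules(xml_text: str, internal_domains: Set[str] = INTERNAL_DOMAINS) -> List[Dict[str, object]]:
    """Return one alert per filter rule that redirects mail externally or matches a known bad name."""
    root = ET.fromstring(xml_text)
    alerts: List[Dict[str, object]] = []
    for rule in root.iter():
        if _local(rule.tag) != "filterRule":
            continue
        name = rule.get("name", "")
        reasons: List[str] = []
        targets: List[str] = []
        for action in rule.iter():
            if _local(action.tag) != "actionRedirect":
                continue
            target = action.get("a", "")
            targets.append(target)
            domain = target.rpartition("@")[2].lower()
            if domain not in internal_domains:
                reasons.append(f"redirects to external domain {domain}")
        if name.lower() in KNOWN_BAD_RULE_NAMES:
            reasons.append(f"rule name {name!r} matches reported indicator")
        if reasons:
            alerts.append({
                "rule": name,
                "active": rule.get("active") == "1",
                "targets": targets,
                "reasons": reasons,
            })
    return alerts


# Constructed sample in the assumed GetFilterRulesResponse shape: one legitimate internal
# redirect and one rule matching the behaviour described in the report.
SAMPLE_RESPONSE = """<GetFilterRulesResponse xmlns="urn:zimbraMail">
  <filterRules>
    <filterRule name="Archive" active="1">
      <filterTests condition="anyof">
        <headerTest header="subject" stringComparison="contains" value="report"/>
      </filterTests>
      <filterActions><actionRedirect a="archive@example.mil"/><actionKeep/></filterActions>
    </filterRule>
    <filterRule name="Correo" active="1">
      <filterTests condition="anyof">
        <headerTest header="from" stringComparison="contains" value="@"/>
      </filterTests>
      <filterActions><actionRedirect a="placeholder@protonmail.com"/><actionKeep/></filterActions>
    </filterRule>
  </filterRules>
</GetFilterRulesResponse>"""

if __name__ == "__main__":
    for alert in audit_filter_rules(SAMPLE_RESPONSE):
        print(alert)
```

Run across all mailboxes on a schedule, the external-domain check catches this class of persistence even when the attacker picks a different rule name; the name match is only a cheap secondary indicator tied to this particular campaign.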
Links to Notorious State-Sponsored Actors
StrikeReady’s report was unable to definitively attribute the attacks to a specific threat group. However, the researchers noted that the complexity and use of a zero-day exploit suggest the involvement of a “well-resourced” actor, typically a state-sponsored group. The report observed Tactics, Techniques, and Procedures (TTPs) similar to those previously associated with UNC1151, a Belarus-based cyber-espionage group. The campaign’s target (Brazil’s military) and the spoofed Libyan Navy sender further indicate an operation focused on geopolitical intelligence gathering rather than financial crime, underscoring the serious and politically motivated nature of the digital espionage effort.