The malware phones home to a command-and-control server—often using Microsoft Graph API or Discord webhooks to evade firewalls.
Security researchers have documented widespread phishing and exploitation campaigns targeting Zimbra users globally, often involving fake update notifications or account deactivation warnings to harvest credentials.

Persistent Threats: Vulnerabilities such as CVE-2024-45519 (unauthenticated remote code execution) and CVE-2025-27915

The emails contained malicious JavaScript embedded in HTML/CSS. When a user opened the email in a vulnerable Zimbra session, the script executed silently.

Impact: The exploit allowed attackers to steal login credentials and session tokens, two-factor authentication (2FA) data, and up to 90 days of mailbox data.

Zimbra Portals for Ukraine Police