{ "id": "c94cb2ad-9cb0-4f78-9b49-618bba049084", "created_at": "2026-04-06T00:13:02.519407Z", "updated_at": "2026-04-10T03:31:48.833445Z", "deleted_at": null, "sha1_hash": "a0825bb9be04d8882fa851b824d14b2db0e1e7e8", "title": "Mass-spreading campaign targeting Zimbra users", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1324013, "plain_text": "Mass-spreading campaign targeting Zimbra users\r\nBy Viktor Šperka\r\nArchived: 2026-04-05 12:42:11 UTC\r\nESET Research\r\nESET researchers have observed a new phishing campaign targeting users of the Zimbra Collaboration email\r\nserver.\r\n17 Aug 2023  •  , 5 min. read\r\nESET researchers have uncovered a mass-spreading phishing campaign, aimed at collecting Zimbra account users’\r\ncredentials, active since at least April 2023 and still ongoing. Zimbra Collaboration is an open-core collaborative\r\nsoftware platform, a popular alternative to enterprise email solutions. The campaign is mass-spreading; its targets\r\nare a variety of small and medium businesses and governmental entities.\r\nCampaign\r\nAccording to ESET telemetry, the greatest number of targets are located in Poland, followed by Ecuador and Italy.\r\nTarget organizations vary: adversaries do not focus on any specific vertical with the only thing connecting victims\r\nbeing that they are using Zimbra. To date, we have not attributed this campaign to any known threat actors.\r\nhttps://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/\r\nPage 1 of 8\n\nFigure 1. Countries hit by the campaign, according to ESET telemetry\r\nInitially, the target receives an email with a phishing page in the attached HTML file. As shown in Figure 2,\r\nFigure 3 and Figure 4, the email warns the target about an email server update, account deactivation, or similar\r\nissue and directs the user to click on the attached file. The adversary also spoofs the From: field of the email to\r\nappear to be an email server administrator.\r\nFigure 2. Lure email warning in Polish about deactivation of the target’s Zimbra account\r\nFigure 3. Machine translation of lure email, originally in Polish\r\nhttps://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/\r\nPage 2 of 8\n\nFigure 4. Lure email in Italian; meaning is the same as in Figure 3\r\nAfter opening the attachment, the user is presented with a fake Zimbra login page customized according to the\r\ntargeted organization, as shown in Figure 5. The HTML file is opened in the victim’s browser, which might trick\r\nthe victim into believing they were directed to the legitimate login page, even though the URL points to a local file\r\npath. Note that the Username field is prefilled in the login form, which makes it appear more legitimate.\r\nFigure 5. Fake Zimbra login page\r\nIn Figure 6 we are providing an example of legitimate Zimbra webmail login page for the comparison. \r\nhttps://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/\r\nPage 3 of 8\n\nFigure 6. Example of a legitimate Zimbra login page\r\nIn the background, the submitted credentials are collected from the HTML form and sent by HTTPS POST\r\nrequest to a server controlled by the adversary (Figure 7). The POST request destination URLs use the following\r\npattern: https://\u003cSERVER_ADDRESS\u003e/wp-admin/ZimbraNew.php\r\nFigure 7. Code snippet responsible for the POST request exfiltrating targets’ credentials\r\nInterestingly, on several occasions we observed subsequent waves of phishing emails sent from Zimbra accounts\r\nof previously targeted, legitimate companies, such as donotreply[redacted]@[redacted].com. It is likely that the\r\nattackers were able to compromise the victim’s administrator accounts and created new mailboxes that were then\r\nused to send phishing emails to other targets. One explanation is that the adversary relies on password reuse by the\r\nhttps://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/\r\nPage 4 of 8\n\nadministrator targeted through phishing – i.e., using the same credentials for both email and administration. From\r\navailable data we are not able to confirm this hypothesis.\r\nThe campaign observed by ESET relies only on social engineering and user interaction; however, this may not\r\nalways be the case. In a previous campaign described by Proofpoint in March 2023, the APT group Winter Vivern\r\n(aka TA473) had been exploiting the CVE-2022-27926 vulnerability, targeting webmail portals of military,\r\ngovernment, and diplomatic entities of European countries. In another example, reported by Volexity in February\r\n2022, a group named TEMP_Heretic exfiltrated emails of European government and media organizations by\r\nabusing another vulnerability (CVE-2022-24682) in the Calendar feature in Zimbra Collaboration. In the most\r\nrecent mention, EclecticIQ researchers analyzed a campaign similar to the one described in our blogpost. The\r\nmain difference is that the HTML link leading to the fake Zimbra login page is located directly in the email body.\r\nConclusion\r\nDespite this campaign not being so technically sophisticated, it is still able to spread and successfully compromise\r\norganizations that use Zimbra Collaboration, which remains an attractive target for adversaries. Adversaries\r\nleverage the fact that HTML attachments contain legitimate code, and the only telltale element is a link pointing to\r\nthe malicious host. This way, it is much easier to circumvent reputation-based antispam policies, compared to\r\nphishing techniques where a malicious link is directly placed in the email body. The popularity of Zimbra\r\nCollaboration among organizations expected to have lower IT budgets ensures that it stays an attractive target for\r\nadversaries.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us\r\nat threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIOCs\r\nESET detection names\r\nHTML/Phishing.Gen\r\nFiles\r\nWe are unable to share file IoCs because samples contain sensitive information.\r\nNetwork\r\nHosts used to exfiltrate harvested credentials are hosted on shared servers. Detections based solely on IP addresses\r\ncould lead to false positives.\r\nhttps://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/\r\nPage 5 of 8\n\nIP Domain\r\nHosting\r\nprovider\r\nFirst\r\nseen\r\nDetails\r\n145.14.144[.]174 fmaildd.000webhostapp[.]com\r\nHostinger\r\nInternational\r\nLtd, NL\r\n2019-\r\n12-31\r\nMalicious host used\r\nto exfiltrate harvested\r\ncredentials.\r\n145.14.145[.]248 nmailddt.000webhostapp[.]com\r\nHostinger\r\nInternational\r\nLtd, NL\r\n2019-\r\n12-31\r\nMalicious host used\r\nto exfiltrate harvested\r\ncredentials.\r\n145.14.145[.]122 tmaxd.000webhostapp[.]com\r\nHostinger\r\nInternational\r\nLtd, NL\r\n2019-\r\n12-31\r\nMalicious host used\r\nto exfiltrate harvested\r\ncredentials.\r\n145.14.144[.]58 posderd.000webhostapp[.]com\r\nHostinger\r\nInternational\r\nLtd, NL\r\n2019-\r\n12-31\r\nMalicious host used\r\nto exfiltrate harvested\r\ncredentials.\r\n145.14.145[.]94 ridddtd.000webhostapp[.]com\r\nHostinger\r\nInternational\r\nLtd, NL\r\n2019-\r\n12-31\r\nMalicious host used\r\nto exfiltrate harvested\r\ncredentials.\r\n145.14.145[.]36 mtatdd.000webhostapp[.]com\r\nHostinger\r\nInternational\r\nLtd, NL\r\n2019-\r\n12-31\r\nMalicious host used\r\nto exfiltrate harvested\r\ncredentials.\r\n173.44.236[.]125 zimbra.y2kportfolio[.]com\r\nEonix\r\nCorporation, US\r\n2022-\r\n05-27\r\nMalicious host used\r\nto exfiltrate harvested\r\ncredentials.\r\nURLs\r\nhttps://fmaildd.000webhostapp[.]com/wp-admin/ZimbraNew.php\r\nhttps://mtatdd.000webhostapp[.]com/wp-admin/ZimbraNew.php\r\nhttps://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/\r\nPage 6 of 8\n\nhttps://nmailddt.000webhostapp[.]com/wp-admin/ZimbraNew.php\r\nhttps://posderd.000webhostapp[.]com/wp-admin/ZimbraNew.php\r\nhttps://ridddtd.000webhostapp[.]com/wp-admin/ZimbraNew.php\r\nhttps://tmaxd.000webhostapp[.]com/wp-admin/ZimbraNew.php\r\nhttps://zimbra.y2kportfolio[.]com/wp/wp-admin/ZimbraNew.php\r\nMITRE ATT\u0026CK\r\nThis table was built using version 13 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource\r\nDevelopment\r\nT1586.002\r\nCompromise Accounts: Email\r\nAccounts\r\nThe adversary used previously\r\ncompromised email accounts for\r\ncampaign spreading.\r\nT1585.002\r\nEstablish Accounts: Email\r\nAccounts\r\nThe adversary created new email\r\naccounts to facilitate the campaign. \r\nInitial Access T1566.001\r\nPhishing: Spearphishing\r\nAttachment\r\nThe campaign was spread by\r\nmalicious HTML files in email\r\nattachments.\r\nExecution T1204.002 User Execution: Malicious File\r\nA successful attack relies on the victim\r\nclicking on a malicious file in the\r\nattachment.\r\nPersistence T1136 Create Account\r\nThe adversary created new email\r\naccounts on compromised Zimbra\r\ninstances for further spreading of the\r\nphishing campaign.\r\nCollection T1056.003\r\nInput Capture: Web Portal\r\nCapture\r\nThe adversary captured credentials\r\ninserted to a fake login page.\r\nhttps://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/\r\nPage 7 of 8\n\nExfiltration T1048.002\r\nExfiltration Over Alternative\r\nProtocol: Exfiltration Over\r\nAsymmetric Encrypted Non-C2\r\nProtocol\r\nThe adversary exfiltrated passwords\r\nby POST requests sent over the\r\nHTTPS protocol.\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nSource: https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/\r\nhttps://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/" ], "report_names": [ "mass-spreading-campaign-targeting-zimbra-users" ], "threat_actors": [ { "id": "e767cfb1-3030-4041-b617-64befa8f8ad7", "created_at": "2023-11-21T02:00:07.347329Z", "updated_at": "2026-04-10T02:00:03.464024Z", "deleted_at": null, "main_name": "TEMP_Heretic", "aliases": [], "source_name": "MISPGALAXY:TEMP_Heretic", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "23226bab-4c84-4c65-a8d1-7ac10c44b172", "created_at": "2023-04-27T02:04:45.463683Z", "updated_at": "2026-04-10T02:00:04.980143Z", "deleted_at": null, "main_name": "Winter Vivern", "aliases": [ "TA473", "TAG-70", "UAC-0114", "UNC4907" ], "source_name": "ETDA:Winter Vivern", "tools": [ "APERETIF" ], "source_id": "ETDA", "reports": null }, { "id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925", "created_at": "2023-11-04T02:00:07.660461Z", "updated_at": "2026-04-10T02:00:03.385093Z", "deleted_at": null, "main_name": "Winter Vivern", "aliases": [ "TA-473", "UAC-0114", "TA473", "TAG-70" ], "source_name": "MISPGALAXY:Winter Vivern", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a20598c1-894c-4173-be6e-64a1ce9732bd", "created_at": "2024-11-01T02:00:52.652891Z", "updated_at": "2026-04-10T02:00:05.375678Z", "deleted_at": null, "main_name": "Winter Vivern", "aliases": [ "Winter Vivern", "TA473", "UAC-0114" ], "source_name": "MITRE:Winter Vivern", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "5a725cab-d852-48cf-bcb9-f69426f89332", "created_at": "2022-10-25T16:07:23.951922Z", "updated_at": "2026-04-10T02:00:04.805463Z", "deleted_at": null, "main_name": "Operation EmailThief", "aliases": [ "Operation EmailThief", "TEMP_Heretic" ], "source_name": "ETDA:Operation EmailThief", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434382, "ts_updated_at": 1775791908, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a0825bb9be04d8882fa851b824d14b2db0e1e7e8.pdf", "text": "https://archive.orkl.eu/a0825bb9be04d8882fa851b824d14b2db0e1e7e8.txt", "img": "https://archive.orkl.eu/a0825bb9be04d8882fa851b824d14b2db0e1e7e8.jpg" } }