{
	"id": "536f6e80-ba38-49ab-8303-97b0b405b435",
	"created_at": "2026-04-06T00:09:26.851711Z",
	"updated_at": "2026-04-10T03:20:35.496779Z",
	"deleted_at": null,
	"sha1_hash": "d1cb4b7d1978ada2a88e97b9b1abf0d1e6a9ff80",
	"title": "Hackers target Ukrainian govt with IcedID malware, Zimbra exploits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4944909,
	"plain_text": "Hackers target Ukrainian govt with IcedID malware, Zimbra exploits\r\nBy Bill Toulas\r\nPublished: 2022-04-14 · Archived: 2026-04-05 17:47:22 UTC\r\nHackers are targeting Ukrainian government agencies with two new campaigns: one that exploits a Zimbra vulnerability and a phishing campaign pushing the IcedID malware.\r\nThe Computer Emergency Response Team of Ukraine (CERT-UA) detected the new campaigns and attributed the IcedID phishing attack to the UAC-0041 threat cluster, previously connected with AgentTesla distribution, and the second to UAC-0097, a currently unknown actor.\r\nAlthough the attributions are only moderately confident, this is another snapshot of the malicious cyber-activity targeting Ukrainian entities.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/\r\nPage 1 of 5\r\nIn both cases, the goal of the threat actors is to gain access to internal networks to perform cyber-espionage on Ukraine's most critical government agencies.\r\nIcedID infecting state orgs\r\nThe first report describes a campaign distributing XLS documents named \"Mobilization Register.xls\" to many recipients.\r\nOpening the document prompts the user to \"Enable the Content\" to view it; doing so runs a malicious macro that downloads and executes a malicious file.\r\nThis file is the GzipLoader malware, which fetches, decrypts, and executes the final payload, IcedID (aka BankBot).\r\nIcedID is a modular banking trojan that can be used for stealing account credentials or as a loader of additional, second-stage malware such as Cobalt Strike, ransomware, wipers, and more.\r\nDetails from the IcedID campaign (CERT-UA)\r\nSpying on government emails\r\nThe second report involves an email sent to government agencies in Ukraine, with attached images allegedly from an event where President V. Zelensky awarded Armed Forces members.\r\nEmail with malicious jpg attachments (CERT-UA)\r\nThe attached images contain a content-location header that links to a web resource hosting JavaScript code that triggers the exploitation of the Zimbra CVE-2018-6882 vulnerability.\r\nThis cross-site scripting vulnerability affects Zimbra Collaboration Suite versions 8.7 and older, enabling remote attackers to inject arbitrary web script or HTML via a content-location header in email attachments.\r\nZimbra is an email and collaboration platform that also includes instant messaging, contacts, video conferencing, file sharing, and cloud storage capabilities.\r\nIn this case, exploiting the flaw adds a forwarding rule that sends the victim's emails to a new address under the threat actor's control, which is clearly an espionage-supporting move.\r\nSetting Zimbra to forward victim's emails (CERT-UA)\r\nIt is worth noting that Zimbra had a similar XSS problem earlier this year, affecting the most recent 8.8.15 P29 \u0026 P30 versions of the suite.\r\nThat flaw was actively exploited as a zero-day by Chinese threat actors who used it to steal the emails of European media and government organizations.\r\nAs such, CERT-UA advises all organizations in Ukraine using Zimbra to update to the latest available versions of the suite immediately.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/"
	],
	"report_names": [
		"hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits"
	],
	"threat_actors": [],
	"ts_created_at": 1775434166,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1cb4b7d1978ada2a88e97b9b1abf0d1e6a9ff80.pdf",
		"text": "https://archive.orkl.eu/d1cb4b7d1978ada2a88e97b9b1abf0d1e6a9ff80.txt",
		"img": "https://archive.orkl.eu/d1cb4b7d1978ada2a88e97b9b1abf0d1e6a9ff80.jpg"
	}
}