
Researchers monitoring for large .ICS calendar attachments found that a flaw in Zimbra Collaboration Suite (ZCS) was exploited in zero-day attacks earlier this year.
ICS files, also known as iCalendar files, store calendar and scheduling information (meetings, events and tasks) in plain text and are used to exchange it between different calendar applications.
The threat actors exploited a cross-site scripting (XSS) vulnerability, CVE-2025-27915, in ZCS 9.0, 10.0 and 10.1 to deliver a JavaScript payload on target systems.
The vulnerability stems from insufficient sanitization of HTML content in ICS files, which allowed the attackers to execute arbitrary JavaScript within the victim's session, for example to set mail filters that redirect messages to them.
Zimbra addressed the security issue on January 27 in ZCS 9.0.0 P44, 10.0.13, and 10.1.5, but did not mention any active exploitation.
However, a researcher at StrikeReady, a company that develops an AI-powered security operations and threat management platform, discovered the attack while monitoring .ICS files that were larger than 10KB and contained JavaScript code.
He determined that the attacks started in early January, before Zimbra released the patch.
The threat actor spoofed the Office of Protocol of the Libyan Navy in an email that exploited the zero-day and targeted a Brazilian military organization.
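As an added illustration of the attachment triage described above (this is example code, not StrikeReady's tooling or anything from the original article), the following Python heuristic unfolds an iCalendar file, looks for script indicators in both the raw text and any base64 runs it carries, and flags attachments over an assumed 10KB threshold. The threshold, the indicator patterns and the two sample .ICS files are constructed assumptions.

```python
import base64
import binascii
import re

# Size threshold and script indicators are assumptions for this example; tune to your environment.
SIZE_THRESHOLD = 10 * 1024
SCRIPT_PATTERNS = re.compile(
    r"<script\b|javascript:|\bon(?:load|error|click|mouseover)\s*=|\beval\s*\(|document\.cookie",
    re.IGNORECASE,
)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def unfold(data: bytes) -> str:
    """Undo RFC 5545 line folding so a tag split across a CRLF+space boundary is seen whole."""
    text = data.decode("utf-8", errors="replace")
    return re.sub(r"\r?\n[ \t]", "", text)


def decoded_blobs(text: str):
    """Yield the UTF-8 view of every base64-looking run, skipping runs that do not decode."""
    for m in B64_BLOB.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8", errors="replace")
        except (binascii.Error, ValueError):
            continue


def inspect_ics(data: bytes, size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Return the size, whether the file is oversized, the script indicators found, and a verdict."""
    text = unfold(data)
    hits = {m.group(0).lower() for m in SCRIPT_PATTERNS.finditer(text)}
    for blob in decoded_blobs(text):
        hits.update("b64:" + m.group(0).lower() for m in SCRIPT_PATTERNS.finditer(blob))
    large = len(data) >= size_threshold
    return {"size": len(data), "large": large, "hits": sorted(hits), "flag": large and bool(hits)}


# Constructed samples: a normal invite, and an oversized one carrying a folded <script> tag
# plus a base64-wrapped eval() call inside the DESCRIPTION property.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nSUMMARY:Team sync\r\n"
    "DESCRIPTION:Weekly status meeting\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
).encode()
_B64_JS = base64.b64encode(b"document.cookie; eval(atob('aGk=')); location='http://example.invalid'").decode()
MALICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nSUMMARY:Invitation\r\n"
    "DESCRIPTION:<html><scr\r\n ipt>" + _B64_JS + " </script></html>\r\n"
    "X-NOTES:" + "Agenda item. " * 900 + "\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
).encode()

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_ICS), ("malicious", MALICIOUS_ICS)):
        print(name, inspect_ics(blob))
```

A small file with script content is deliberately not flagged on its own, mirroring the size-plus-JavaScript filter the researcher used; drop the size condition if you want every script-bearing invite surfaced.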

Source: StrikeReady
The malicious email carried an ICS file containing JavaScript code that was obfuscated using base64 encoding.

Source: StrikeReady
According to the researchers' analysis, the payload is designed to steal data from Zimbra webmail, including credentials, emails, contacts and shared folders.
StrikeReady says the malicious code is built to run asynchronously and uses several immediately invoked function expressions (IIFEs). The researchers found that it can perform the following actions:
- Create hidden username/password fields
- Steal credentials from login forms
- Monitor user activity (mouse and keyboard) and log out idle users to trigger credential theft
- Use the Zimbra SOAP API to enumerate folders and reconstruct emails
- Send email content to the attacker (repeats every 4 hours)
- Add a filter named "correo" to forward mail to a Proton address
- Collect authentication/backup artifacts and exfiltrate them
- Exfiltrate contacts, distribution lists and shared folders
- Add a 60-second delay before execution
- Apply a 3-day execution gate (only runs again once three days have passed since the last run)
- Hide user interface (UI) elements to reduce visual clues
StrikeReady could not attribute this attack to any known threat group with high confidence, but noted that only a small number of attackers are capable of discovering zero-day flaws in widely used products, adding that "the Russian-linked group is particularly vigorous."
The researchers also noted that similar tactics, techniques and procedures (TTPs) have been seen in attacks attributed to UNC1151, a threat group believed to be associated with the Belarusian government.
StrikeReady's report shares indicators of compromise and a deobfuscated version of the JavaScript code from the attack leveraging .ICS calendar files.
BleepingComputer has contacted Zimbra with questions about this activity, and we will update this post with their statement once we receive it.