Hackers Exploit Zimbra and Roundcube Email Servers to Attack Government Organizations

An alarming spear-phishing campaign aimed specifically at government organizations has been uncovered. The attack takes advantage of vulnerabilities in Zimbra and Roundcube email servers.

It is crucial that immediate action is taken to secure these servers and prevent any further breaches. Investigations by EclecticIQ revealed that the initial campaigns date back to January of 2023.

These emails evaded government organizations’ anti-spam filters, which indicates that the threat actors used several evasion techniques to bypass spam detection.

However, the originating IP in the email headers suggests that the threat actor used VPN services to hide their identity.

Zimbra Maintenance Mail for Phishing Campaign

Around 12 phishing emails were analyzed, and none had their sender address spoofed.

This means all of these emails came from legitimate but compromised government email servers and bypassed anti-spam filters.

Furthermore, all the organizations in the sender addresses were using Zimbra or Roundcube as their email servers.  

Organizations and countries affected by this campaign (Source: EclecticIQ)

Though every email was framed as a fake Zimbra maintenance alert notification, the language changed for each recipient to match their spoken language.

Phishing Lure Email (Source: EclecticIQ)

Once the victims fall for this email, they are redirected to a fake Zimbra login page for credential stealing.

Threat actors have used legitimate web services like Google Firebase, Mailchimp, Chilipepper(.)io, and Webflow(.)io to steal this information.

Fake Zimbra Login Page (Source: EclecticIQ)
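Because the lures came from real, compromised mail servers, sender checks alone do not separate them from legitimate mail; the mismatch between a webmail-themed message and a link that leaves the organization's own mail host is a more useful triage signal. The following sketch is an added example, not code from EclecticIQ or the article: the hosting suffix list, the `suspicious_links` function, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Hosting suffixes for the services named in the article. Illustrative
# assumption, not indicators taken from the EclecticIQ report.
HOSTING_SUFFIXES = ("web.app", "firebaseapp.com", "mailchi.mp",
                    "chilipepper.io", "webflow.io")
# Product names survive translation, so match them instead of lure phrases.
LURE_RE = re.compile(r"zimbra|roundcube|webmail", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def suspicious_links(raw_email, own_mail_hosts):
    """Return (host, reason) for links in a webmail-themed message that
    point anywhere other than the organization's own mail hosts."""
    msg = message_from_string(raw_email)
    text = " ".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    if not LURE_RE.search(f"{msg.get('Subject', '')} {text}"):
        return []
    findings = []
    for url in URL_RE.findall(text):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed URL: skip rather than crash the scan
            continue
        if not host or any(_under(host, h) for h in own_mail_hosts):
            continue
        hosted = any(_under(host, s) for s in HOSTING_SUFFIXES)
        findings.append((host, "third-party hosting" if hosted else "external host"))
    return findings

# Constructed sample message (not from the campaign).
SAMPLE = """From: it-support@ministry.example
To: user@agency.example
Subject: Zimbra maintenance notice
Content-Type: text/plain; charset=utf-8

Your mailbox is scheduled for maintenance. Confirm your account:
https://zimbra-maintenance.web.app/login
Official webmail: https://mail.agency.example/
"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE, ["mail.agency.example"]))
```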

It is assumed that threat actors have been exploiting the known vulnerabilities CVE-2020-35730 and CVE-2020-12641 in Roundcube versions 1.4.10 and 1.4.11. Ukraine was one of the countries targeted during these phishing campaigns.

EclecticIQ has published a complete investigation report that reveals all the techniques, methods, and tactics the threat actors used to steal credentials.

It is recommended that Zimbra users update to the latest version (8.8.15) to prevent exploitation.


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.
