A new and highly targeted cyberattack campaign has come to light in Poland, with the advanced persistent threat group UNC1151 exploiting a critical vulnerability in the Roundcube webmail platform to steal user credentials and further compromise organizational security.
This latest wave of spear phishing, observed by CERT Polska, represents a dangerous evolution in phishing tactics and browser-based exploitation.
UNC1151, a group repeatedly attributed by leading cybersecurity firms to Belarusian and, in some reports, Russian state interests, is using sophisticated technical means to attack Polish entities in a campaign that underscores the enduring risks posed by outdated software and inadequate email security hygiene.
Technical Details Of The Exploit
The technical heart of this campaign is the exploitation of CVE-2024-42009, a vulnerability in the popular Roundcube webmail software.
This bug lets attackers execute arbitrary JavaScript code as soon as a user opens a specially crafted email message in their browser.
Roundcube, like most web-based email clients, renders HTML emails for user convenience.
However, in this case, the email sanitization process was imperfect, allowing certain malicious HTML features to slip through undetected.
The attackers crafted phishing emails using urgent and official-sounding subjects such as “[!IMPORTANT] Invoice to reservation number: S2500650676”, prompting rapid user engagement without suspicion.
- When the email was opened, embedded JavaScript code executed unnoticed in the browser.
- The attacker exploited this flaw to register a Service Worker, a powerful and persistent browser feature typically used to manage background processes and intercept network requests within the affected domain.
- By leveraging the Service Worker, they were able to intercept all subsequent login attempts on the victim’s webmail.
- As soon as the user tried to log in, the Service Worker silently captured their credentials and transmitted them to an external server controlled by the attackers.
The technical implementation was both innovative and stealthy, using JavaScript to gather credentials from POST requests and forward them out via fetch calls, all without disrupting the user’s legitimate session or raising suspicion.
After successfully stealing user credentials, the attackers did not stop at gaining access.
They reportedly investigated mailbox contents, downloaded address books for further targeting, and in some incidents, used the compromised accounts to launch additional phishing attacks against new victims within the organization.
This approach, combining exploitation with lateral movement and automated propagation, marked a significant step up in operational sophistication.
The attackers’ infrastructure included email addresses and domains specifically set up for harvesting credentials, making detection via routine network scanning more challenging.
Emerging Threats And Recommendations
The situation is further complicated by the recent discovery of a new Roundcube vulnerability, CVE-2025-49113.
While there is currently no evidence that this new flaw has been exploited, experts warn that it could be combined with the phishing and credential theft tactics seen in the current campaign.
CVE-2025-49113 enables an authenticated adversary to execute code directly on the Roundcube server, making it possible for attackers who have already stolen user credentials to escalate their privileges and take control of the entire webmail environment.
The potential for daisy-chaining vulnerabilities in this manner raises the stakes significantly for organizations slow to patch their systems.
To defend against this ongoing threat, organizations using Roundcube must immediately update their installations to the latest security-patched versions.
They should also audit network logs for connections to suspicious domains such as a credential harvesting server used in this attack.
Affected organizations must enforce prompt password resets for compromised users, review account activity for anomalies, and manually unregister any unauthorized Service Workers through browser developer tools.
Additionally, employees should be made aware of the latest phishing tactics and instructed to report any suspicious emails to their internal security teams or national response centers.
In summary, this attack highlights the growing technical sophistication of state-aligned threat actors and the continued importance of rapid patch management, layered defenses, and user awareness in mitigating risks to organizational email infrastructure.
As attackers refine their methods, the window for defenders to detect and respond to phishing-driven breaches is narrower than ever.
Prompt action and vigilance remain the best defense against these evolving threats.
