UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign

June 8, 2025, 4:33 p.m.

Description

A spear phishing campaign targeting Polish entities has been observed, exploiting the CVE-2024-42009 vulnerability in Roundcube to steal user credentials. The campaign, attributed to UNC1151, involves sending emails carrying malicious JavaScript that installs a Service Worker in the victim's browser. This worker intercepts login attempts and sends the captured credentials to the attackers. The exploit triggers JavaScript execution in the victim's browser as soon as the crafted email is opened. A new vulnerability, CVE-2025-49113, has also been discovered in Roundcube, potentially creating a more effective attack chain. The attackers use harvested credentials to analyze mailboxes, download address books, and spread further phishing messages. Organizations using Roundcube are advised to update their installations and review logs for the indicators of compromise listed below.

Date

  • Created: June 5, 2025, 10:36 p.m.
  • Published: June 5, 2025, 10:36 p.m.
  • Modified: June 8, 2025, 4:33 p.m.

Indicators

  • 70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149
  • https://a.mpk-krakow.pl/creds
  • a.mpk-krakow.pl
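The report asks administrators to review logs for the indicators above. The script below is an added example written for this page, not tooling from the report or from any CERT; it matches the listed domain, URL, SHA-256 hash and IPv6 address (the address is taken from the Additional Information section) against log lines. The sample log lines are constructed for the example and are not real traffic. The IPv6 comparison goes through the `ipaddress` module so that an expanded or differently-compressed form of the same address is still recognised, and hash matching is case-insensitive.

```python
import ipaddress
import re

# Indicators copied from the report above.
IOC_DOMAIN = "a.mpk-krakow.pl"
IOC_URL = "https://a.mpk-krakow.pl/creds"
IOC_IPV6 = ipaddress.IPv6Address("2001:67c:e60:c0c:192:42:116:216")
IOC_SHA256 = "70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149"

# Rough shape of an IPv6 literal or a SHA-256 hex string. Every IPv6 candidate
# is validated with ipaddress, so timestamps and other colon-separated tokens
# that happen to match the character class are simply skipped.
_IPV6_CANDIDATE = re.compile(r"[0-9A-Fa-f:]{2,45}")
_SHA256 = re.compile(r"\b[0-9A-Fa-f]{64}\b")

# Constructed sample lines (not from the report): a web-proxy entry, a DNS log
# carrying the address in expanded form, an attachment scan result with the
# hash in upper case, and an unrelated line that must not match.
SAMPLE_LOGS = [
    "2025-06-05T10:12:01Z proxy client=10.0.0.15 GET https://a.mpk-krakow.pl/creds 200",
    "2025-06-05T10:12:03Z dns query=login.example.org answer=2001:067c:0e60:0c0c:0192:0042:0116:0216",
    "2025-06-05T10:15:44Z mailscan attachment=invoice.html sha256=70CEA07C972A30597CDA7A1D3CD4CD8F75ACAD75940CA311A5A2033E6A1DD149",
    "2025-06-05T10:16:10Z proxy client=10.0.0.16 GET https://mail.example.org/ 200",
]


def scan_line(line):
    """Return the set of indicator types ('url', 'domain', 'sha256', 'ipv6') found in one log line."""
    found = set()
    lowered = line.lower()
    if IOC_URL in lowered:
        found.add("url")
    if IOC_DOMAIN in lowered:
        found.add("domain")
    for digest in _SHA256.findall(line):
        if digest.lower() == IOC_SHA256:
            found.add("sha256")
    for candidate in _IPV6_CANDIDATE.findall(line):
        if ":" not in candidate:
            continue
        try:
            # Normalised comparison: expanded and compressed spellings compare equal.
            if ipaddress.IPv6Address(candidate) == IOC_IPV6:
                found.add("ipv6")
        except ValueError:
            pass  # not an IPv6 literal (e.g. a timestamp fragment)
    return found


def scan_logs(lines):
    """Return (line_number, sorted indicator types, line) for every line with at least one hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = scan_line(line)
        if found:
            hits.append((number, sorted(found), line))
    return hits


if __name__ == "__main__":
    for number, kinds, line in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(kinds)} -> {line}")
```

In practice the `SAMPLE_LOGS` list would be replaced by the lines of a proxy, DNS or mail-gateway log; the domain match deliberately fires on any URL under the listed host, not only the `/creds` path, because a resolver or proxy log may record the host without the path.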

Attack Patterns

Additional Information

  • 2001:67c:e60:c0c:192:42:116:216
  • Poland

Linked vulnerabilities