
UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign

Medium
Published: Thu Jun 05 2025 (06/05/2025, 22:36:28 UTC)
Source: AlienVault OTX General

Description

The UNC1151 threat actor is conducting a spearphishing campaign against Polish organizations that exploits CVE-2024-42009, a stored cross-site scripting vulnerability in the Roundcube webmail client (fixed in Roundcube 1.6.8 and 1.5.8). Malicious JavaScript embedded in the email runs as soon as the victim views the message in Roundcube and registers a stealthy Service Worker in the victim's browser; that worker intercepts the credentials entered at the Roundcube login and exfiltrates them to attacker infrastructure. A second vulnerability, CVE-2025-49113 (a remote code execution flaw that requires an authenticated session, fixed in 1.6.11 and 1.5.10), may be chained with the stolen credentials to deepen persistence and impact. With valid credentials the attackers can read mailboxes, harvest address books, and send further phishing from inside the organization, enabling lateral movement. No click on a link or attachment is required, and the interception happens inside the browser rather than on the endpoint, so many endpoint defenses never see it. The campaign primarily affects Poland but also threatens neighboring Central European countries with significant Roundcube deployments. Organizations are urged to patch promptly, monitor for unexpected Service Worker activity, enforce multi-factor authentication, and tighten email filtering.

AI-Powered Analysis

AI analysis last updated: 10/28/2025, 19:22:08 UTC

Technical Analysis

This spearphishing campaign by UNC1151 exploits CVE-2024-42009, a stored cross-site scripting flaw in Roundcube's rendering of HTML message bodies (fixed in 1.6.8 and 1.5.8), to run JavaScript carried in the phishing email inside the victim's authenticated webmail session. When the victim views the message, the script registers a Service Worker for the Roundcube origin. A Service Worker outlives the page that installed it and can intercept the origin's network requests, so it can read the credentials submitted to the Roundcube login form and forward them to attacker-controlled servers without any further user interaction, which places the theft outside the reach of many endpoint controls. CVE-2025-49113, disclosed in early June 2025, is a remote code execution vulnerability in Roundcube that requires an authenticated session (fixed in 1.6.11 and 1.5.10); chained with the stolen credentials it would let the attackers move from mailbox access to code execution on the mail server, extending persistence and impact. After credential theft, UNC1151 accesses compromised mailboxes to analyze email contents, extract address books, and send further phishing internally, enabling lateral movement and expanding their foothold within targeted organizations. In ATT&CK terms the activity maps to JavaScript execution in the browser (T1059.007, Command and Scripting Interpreter: JavaScript), use of the stolen accounts (T1078, Valid Accounts), and spearphishing (T1566.001). Indicators of compromise include an IPv6 address, a domain, a URL, and a file hash linked to the campaign; they are listed in the Indicators of Compromise section. Because a Service Worker registration persists in the browser profile after the malicious message is closed, detection and response are harder than for a one-off script. The campaign is ongoing with a focus on Polish entities but poses a risk to other Central European countries with significant Roundcube usage.
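Two log checks that follow from the mechanism above, written here as an added example rather than code from CERT Polska, AlienVault, or the Roundcube project. The first flags Service Worker script fetches on the webmail origin: a browser sends the request header Service-Worker: script only when fetching the URL handed to navigator.serviceWorker.register(), and it assumes the Roundcube vhost has been configured to log that header (stock Apache "combined" logging does not) and that Roundcube and its plugins register no worker of their own. The second matches egress-proxy records against the IoCs published on this page. All sample records, paths and client addresses are constructed for the example.

```python
"""Log checks for the Service Worker credential-theft technique (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from this page's IoC section.
IOC_DOMAINS = {"a.mpk-krakow.pl"}
IOC_URLS = {"https://a.mpk-krakow.pl/creds"}
IOC_IPS = {ipaddress.ip_address("2001:67c:e60:c0c:192:42:116:216")}

# Assumption: the Roundcube vhost logs the Service-Worker request header, e.g. with
#   LogFormat "%h %t \"%r\" %>s \"%{Service-Worker}i\"" swlog      (Apache)
# Apache writes "-" when the header is absent.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<sw>[^"]*)"$'
)


def service_worker_fetches(access_lines):
    """Return (client, path) for every request that fetched a service worker script.

    Assumption: Roundcube itself registers no Service Worker (confirm for your
    skin and plugins), so any hit on the webmail origin deserves an incident ticket.
    """
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m.group("sw").strip().lower() == "script":
            hits.append((m.group("client"), m.group("path")))
    return hits


def ioc_matches(proxy_lines):
    """Match egress-proxy records against the campaign IoCs.

    Record format (constructed for this example): "<ts> <client> <method> <url> <dst_ip>".
    Returns one dict per matching record listing why it matched.
    """
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, method, url, dst = parts[:5]
        reasons = []
        if url in IOC_URLS:
            reasons.append("url")
        host = (urlsplit(url).hostname or "").lower()
        if host in IOC_DOMAINS:
            reasons.append("domain")
        try:
            if ipaddress.ip_address(dst.strip("[]")) in IOC_IPS:
                reasons.append("ip")
        except ValueError:
            pass  # destination is not a parsable address, so it cannot match an IP IoC
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed sample records; clients, paths and timestamps are illustrative only.
ACCESS_SAMPLE = [
    '203.0.113.5 [05/Jun/2025:10:14:02 +0200] "GET /?_task=mail&_action=show&_uid=4711 HTTP/1.1" 200 "-"',
    '203.0.113.5 [05/Jun/2025:10:14:03 +0200] "GET /rc/worker.js HTTP/1.1" 200 "script"',
    '198.51.100.7 [05/Jun/2025:10:15:10 +0200] "POST /?_task=login HTTP/1.1" 302 "-"',
]
PROXY_SAMPLE = [
    "2025-06-05T08:14:05Z 10.0.0.23 POST https://a.mpk-krakow.pl/creds [2001:67c:e60:c0c:192:42:116:216]",
    "2025-06-05T08:14:07Z 10.0.0.23 GET https://www.example.com/ 93.184.216.34",
]

if __name__ == "__main__":
    for client, path in service_worker_fetches(ACCESS_SAMPLE):
        print(f"service worker script fetched by {client}: {path}")
    for hit in ioc_matches(PROXY_SAMPLE):
        print(f"IoC match from {hit['client']}: {hit['url']} ({', '.join(hit['reasons'])})")
```

The Service-Worker header check is the more durable of the two: the IoC list will age, but a worker registration on a webmail origin that never uses one is anomalous regardless of which infrastructure receives the credentials.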

Potential Impact

For European organizations, especially in Poland and neighboring Central European countries (Germany, Czech Republic, Slovakia, Austria, Hungary), this campaign threatens the confidentiality, integrity, and availability of email communications. Compromise of user credentials can lead to unauthorized access to sensitive corporate and governmental emails, intellectual property, and personally identifiable information. The attackers’ ability to harvest address books and propagate phishing internally increases the risk of widespread compromise, potentially resulting in large-scale data breaches, financial fraud, and reputational damage. The exploitation of browser Service Workers for credential interception bypasses many endpoint security measures, making detection and prevention more difficult. Given the strategic importance of email systems in business and government operations, successful exploitation could disrupt communications and trigger costly incident response and remediation efforts. Delayed patching or misconfigured Roundcube deployments increase exposure. The campaign’s stealth and automation amplify its potential impact across affected organizations.

Mitigation Recommendations

1. Apply the Roundcube releases that fix CVE-2024-42009 (1.6.8 / 1.5.8 or later) and CVE-2025-49113 (1.6.11 / 1.5.10 or later) immediately, and watch the Roundcube release announcements for further fixes. Installations on the end-of-life 1.4 branch received neither fix and must be upgraded.
2. Review webmail access logs for Service Worker script fetches on the Roundcube origin (browsers send the request header Service-Worker: script when registering one), for anomalous login patterns, and for outbound connections to the IoCs listed in the Indicators of Compromise section.
3. Harden the webmail origin against worker registration at the server: if Roundcube and its plugins register no Service Worker of their own, a Content-Security-Policy response header containing worker-src 'none' makes navigator.serviceWorker.register() fail even for script injected through an XSS, because the policy comes from the server response rather than from the page content.
4. Enhance email filtering and spearphishing detection, including stripping or neutralising active content in HTML message bodies before delivery, and feed UNC1151 indicators from threat intelligence into the filters.
5. Enforce multi-factor authentication (MFA) for all webmail access. Note the limit: a worker that intercepts the login request sees whatever the form submits, a one-time code included, so MFA shortens the replay window for captured credentials rather than eliminating it; prefer phishing-resistant methods where the webmail stack supports them.
6. Educate users about spearphishing risks, emphasizing that merely viewing an email can trigger exploitation, and encourage prompt reporting of suspicious emails.
7. Segment email infrastructure and restrict internal email forwarding to limit phishing propagation within organizations.
8. Regularly audit mailbox and address book permissions to minimize data exposure if accounts are compromised.
9. Monitor network traffic for connections to known attacker infrastructure and other indicators of compromise.
10. Hunt on endpoints for unexpected Service Worker registrations in browser profiles (visible in chrome://serviceworker-internals and about:serviceworkers) and unregister any bound to the webmail origin; after that, reset the affected users' passwords, since the stolen credentials remain valid until changed.
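A patch-status check for recommendation 1, added here as an example and not code from Roundcube or CERT Polska. It reads the version that Roundcube defines in program/include/iniset.php (define('RCMAIL_VERSION', '...')) and reports which of the two CVEs are still open, using the fixed releases from the Roundcube advisories; the iniset excerpt is constructed for the example, and git snapshot versions without a patch number are rejected rather than guessed.

```python
"""Roundcube patch-status check for CVE-2024-42009 and CVE-2025-49113 (added example)."""
import re

# Minimum fixed release per supported branch, from the Roundcube advisories.
FIXED_RELEASES = {
    "CVE-2024-42009": {(1, 5): (1, 5, 8), (1, 6): (1, 6, 8)},    # stored XSS in message body
    "CVE-2025-49113": {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)},  # authenticated RCE (PHP deserialization)
}

# Roundcube declares its version in program/include/iniset.php, e.g.
#   define('RCMAIL_VERSION', '1.6.7');
RCMAIL_VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_rcmail_version(iniset_text):
    """Extract the version string from the contents of iniset.php."""
    m = RCMAIL_VERSION_RE.search(iniset_text)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in iniset.php")
    return m.group(1)


def version_tuple(version):
    """'1.6.7' -> (1, 6, 7). Git snapshots such as '1.6-git' carry no patch level and are refused."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Roundcube version {version!r}; check a git snapshot by commit instead")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version, fixed_by_branch):
    v = version_tuple(version)
    branch = v[:2]
    if branch in fixed_by_branch:
        return v < fixed_by_branch[branch]
    # Branches older than the oldest fixed one (e.g. 1.4.x) are end-of-life and never got the fix;
    # branches newer than the newest fixed one already contain it.
    return branch < min(fixed_by_branch)


def outstanding_cves(version):
    """CVEs from FIXED_RELEASES that the given release has not yet received a fix for."""
    return [cve for cve, fixed in FIXED_RELEASES.items() if is_vulnerable(version, fixed)]


# Constructed excerpt of program/include/iniset.php for the example run.
INISET_SAMPLE = "<?php\n// ... (constructed excerpt)\ndefine('RCMAIL_VERSION', '1.6.7');\n"

if __name__ == "__main__":
    ver = parse_rcmail_version(INISET_SAMPLE)
    open_cves = outstanding_cves(ver)
    print(f"Roundcube {ver}: " + (", ".join(open_cves) + " unpatched" if open_cves else "both CVEs fixed"))
```

On a live host the input comes from the installation directory, for example `grep RCMAIL_VERSION program/include/iniset.php`; a result of 1.6.8 through 1.6.10 is the state to watch for, since it is patched for the XSS but not for the June 2025 RCE.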


Technical Details

Author: AlienVault
TLP: white
References: https://cert.pl/en/posts/2025/06/unc1151-campaign-roundcube
Adversary: UNC1151
Pulse Id: 68421bec34b6f0d3020dde66
Threat Score: null

Indicators of Compromise

CVE
CVE-2024-42009
CVE-2025-49113

Hash (SHA-256)
70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149

IP
2001:67c:e60:c0c:192:42:116:216

Domain
a.mpk-krakow.pl

URL
https://a.mpk-krakow.pl/creds

Threat ID: 684298b5182aa0cae2059206

Added to database: 6/6/2025, 7:28:53 AM

Last enriched: 10/28/2025, 7:22:08 PM

Last updated: 11/22/2025, 4:43:47 PM
