UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign
The UNC1151 threat actor is exploiting a critical vulnerability (CVE-2024-42009) in the Roundcube webmail client through a spearphishing campaign targeting primarily Polish organizations. Malicious JavaScript embedded in phishing emails installs a stealthy Service Worker in victims' browsers upon simply opening the email, intercepting login credentials and exfiltrating them to attacker-controlled infrastructure without further user interaction. A second vulnerability (CVE-2025-49113) may be chained to increase persistence and impact. Stolen credentials enable attackers to access mailboxes, harvest address books, and propagate phishing internally, facilitating lateral movement. The attack bypasses many traditional endpoint defenses and is difficult to detect due to the abuse of browser Service Workers. The campaign also threatens neighboring Central European countries with significant Roundcube deployments. Organizations are urged to patch vulnerabilities, monitor for unusual Service Worker activity, enforce multi-factor authentication, and enhance email filtering to mitigate risks.
AI Analysis
Technical Summary
This spearphishing campaign by the UNC1151 threat actor exploits CVE-2024-42009, a critical vulnerability in the Roundcube webmail client, to execute malicious JavaScript embedded in phishing emails. When a victim opens the email, the script silently installs a Service Worker in the victim’s browser, which intercepts login credentials entered into Roundcube and exfiltrates them to attacker-controlled servers without requiring additional user interaction. This stealthy technique, malicious JavaScript (T1059.007) registering a browser Service Worker, bypasses many traditional security controls and endpoint defenses, complicating detection and response. Additionally, a second vulnerability, CVE-2025-49113, may be chained with CVE-2024-42009 to enhance persistence and attack impact, potentially allowing attackers to maintain longer-term access or escalate privileges. After credential theft, UNC1151 accesses compromised mailboxes to analyze email contents, extract address books, and send further phishing emails internally, enabling lateral movement and expanding its foothold within targeted organizations. The campaign primarily targets Polish organizations but also poses a threat to neighboring Central European countries with significant Roundcube usage, including Germany, the Czech Republic, Slovakia, Austria, and Hungary. Indicators of compromise include specific IP addresses, domains, URLs, and file hashes linked to the campaign.
Potential Impact
This campaign threatens the confidentiality, integrity, and availability of email communications for organizations in Poland and neighboring Central European countries. Compromise of user credentials can lead to unauthorized access to sensitive corporate and governmental emails, intellectual property, and personally identifiable information. The attackers’ ability to harvest address books and propagate phishing internally increases the risk of widespread compromise, potentially resulting in large-scale data breaches, financial fraud, and reputational damage. The exploitation of browser Service Workers for credential interception bypasses many endpoint security measures, making detection and prevention more difficult. Given the strategic importance of email systems in business and government operations, successful exploitation could disrupt communications and trigger costly incident response and remediation efforts. Delayed patching or misconfigured Roundcube deployments increase exposure. The campaign’s stealth and automation amplify its potential impact across affected organizations.
Mitigation Recommendations
1. Immediately apply all available security patches for Roundcube addressing CVE-2024-42009 and CVE-2025-49113; monitor official Roundcube channels for updates.
2. Conduct detailed log analysis focusing on unusual Service Worker registrations, anomalous login attempts, and outbound connections to known malicious IPs and domains associated with UNC1151.
3. Implement browser security policies to restrict or monitor Service Worker registrations in corporate environments, especially where Roundcube webmail is accessed.
4. Enhance email filtering and spearphishing detection capabilities using threat intelligence feeds containing UNC1151 indicators to block malicious emails before delivery.
5. Enforce multi-factor authentication (MFA) for all webmail access to mitigate the impact of credential theft.
6. Educate users about spearphishing risks, emphasizing that merely opening an email can trigger exploitation, and encourage prompt reporting of suspicious emails.
7. Segment email infrastructure and restrict internal email forwarding to limit phishing propagation within organizations.
8. Regularly audit mailbox and address book permissions to minimize data exposure if accounts are compromised.
9. Monitor network traffic for suspicious activity related to known attacker infrastructure and indicators of compromise.
10. Deploy endpoint detection tools capable of identifying abnormal Service Worker behavior and browser-based threats.
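One concrete way to apply recommendation 3 on the server side, as an added example that is not part of this advisory or of the Roundcube project: an nginx virtual host for Roundcube that sends a Content-Security-Policy with `worker-src 'none'`, so the browser refuses any `navigator.serviceWorker.register()` call made from pages on the webmail origin, including calls made by script injected through the XSS described above. The host name, paths and socket are placeholders, and the fragment assumes the Roundcube deployment does not itself rely on Web Workers or Service Workers (confirm in a staging instance first).

```nginx
# Added example, not Roundcube's shipped configuration.
# Goal: deny Service Worker registration on the webmail origin so a
# script injected into a Roundcube page cannot plant a persistent
# credential-intercepting worker. This does not fix the XSS; patching does.
server {
    listen 443 ssl;
    server_name webmail.example.org;                 # placeholder host

    ssl_certificate     /etc/ssl/placeholder-fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/placeholder-privkey.pem;    # placeholder

    root  /var/www/roundcube;                        # assumed install path
    index index.php;

    # worker-src governs Worker, SharedWorker and ServiceWorker scripts.
    # With 'none', registration attempts fail and the browser logs a CSP
    # violation in the developer console. "always" makes nginx send the
    # header on error responses too, so there is no unprotected page.
    # Appending "; report-uri /csp-report" and pointing that path at a
    # collector you control turns blocked attempts into a detection signal.
    add_header Content-Security-Policy "worker-src 'none'" always;

    # Defense in depth: a stolen session cookie is less useful if it is
    # never exposed to script and never leaves the HTTPS origin.
    add_header Referrer-Policy "same-origin" always;
    add_header X-Content-Type-Options "nosniff" always;

    location ~ \.php$ {
        # nginx does NOT inherit add_header into a location block that
        # declares its own add_header. This block declares none, so the
        # server-level CSP above still applies to every PHP response.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;    # placeholder socket
    }

    # Roundcube's own config, temp and logs directories must never be
    # served; this denial is standard hardening independent of the CSP.
    location ~ ^/(config|temp|logs)/ {
        deny all;
    }
}
```

Reload with `nginx -t && nginx -s reload`, then confirm in a browser that `navigator.serviceWorker.getRegistrations()` on the webmail origin returns an empty list and that any pre-existing registration from before the patch has been unregistered.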
Affected Countries
Poland, Germany, Czech Republic, Slovakia, Austria, Hungary
Indicators of Compromise
- cve: CVE-2024-42009
- cve: CVE-2025-49113
- hash: 70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149
- ip: 2001:67c:e60:c0c:192:42:116:216
- domain: a.mpk-krakow.pl
- url: https://a.mpk-krakow.pl/creds
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cert.pl/en/posts/2025/06/unc1151-campaign-roundcube
- Adversary: UNC1151
- Pulse Id: 68421bec34b6f0d3020dde66
- Threat Score: null
Threat ID: 684298b5182aa0cae2059206
Added to database: 6/6/2025, 7:28:53 AM
Last enriched: 2/26/2026, 7:15:20 AM
Last updated: 3/24/2026, 7:57:30 AM