216.73.217.64

UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign

· Published 05/06/2025 22:36 · Modified 08/06/2025 16:33

Export JSON

Essential information

Published
05/06/2025 22:36
Modified
08/06/2025 16:33
Tags
2025-06-05 CVE-2024-42009 CVE-2025-49113 credential-theft poland roundcube spearphishing unc1151 vulnerability exploitation
Related entities
2 vulnerabilities (cve), 3 observables, 1 intrusion sets (apt), 6 techniques (mitre), 2 others

Description

A spear phishing campaign targeting Polish entities has been observed, exploiting the vulnerability in to steal user credentials. The campaign, attributed to , involves sending emails with malicious JavaScript that installs a Service Worker in the victim's browser. This worker intercepts login attempts and sends credentials to the attackers. The exploit allows code execution when an email is opened. A new vulnerability, , has also been discovered in , potentially creating a more effective attack chain. The attackers use harvested credentials to analyze mailboxes, download address books, and spread further phishing messages. Organizations using are advised to update their installations and review logs for indicators of compromise.

External references