Introduction: A New Breed of Email Espionage Emerges in Poland
Poland has found itself in the crosshairs of a spear phishing operation run by UNC1151, a threat group long suspected of working for Belarusian, and possibly Russian, intelligence services. The campaign, uncovered by CERT Polska, marks a notable shift in email-based attacks: a Roundcube webmail vulnerability, CVE-2024-42009, disclosed and patched in 2024, is being actively exploited against installations that were never updated. The attack pairs convincing social engineering with technical precision, and at its heart is a malicious use of browser Service Workers to harvest login credentials while the victim sees nothing but routine business correspondence. The security community urges immediate action, since the implications of this campaign extend well beyond Polish borders.
Campaign Summary: Sophistication Meets Deception in UNC1151’s Latest Attack
In a targeted campaign first detected by CERT Polska and attributed with high confidence to UNC1151, a group believed to operate on behalf of the Belarusian government, attackers exploited CVE-2024-42009 in Roundcube webmail to compromise Polish organizations through a multi-stage spear phishing scheme. The phishing emails were invoice-themed and built to trigger an urgent response, padded with genuine-looking Polish business details such as postal addresses and tax identification numbers to deflect suspicion. The recipient did not have to click anything: merely viewing the message in a vulnerable Roundcube instance triggered a flaw in its HTML sanitization and executed attacker-controlled JavaScript in the user's browser, inside the webmail site's own origin.
That script registered a malicious Service Worker in the browser, giving the attackers a covert, persistent foothold. A Service Worker must be served from, and is scoped to, the origin it is registered for, and it can intercept that origin's network requests, so an implant planted through the webmail's own XSS is ideally placed: victims were then seamlessly sent on to their genuine webmail login page, where the Service Worker captured the credentials as they were submitted and transmitted them to an attacker-controlled domain (a.mpk-krakow[.]pl), giving the attackers continued access to the mailbox. Users saw no disruption to their normal login flow. Security researchers describe this as a tactical evolution in phishing: legitimate-looking content, a stealthy browser-resident implant, and real-time credential theft in a single chain.
In response, CERT Polska advises upgrading to Roundcube 1.6.11 or 1.5.10. CVE-2024-42009 itself was fixed earlier, in Roundcube 1.6.8 and 1.5.8 in 2024; the newer releases additionally close the recently disclosed CVE-2025-49113, an authenticated remote code execution flaw, so upgrading to them covers both. Organizations are urged to inspect web server logs for suspicious traffic, reset the passwords of affected accounts, and unregister any Service Worker found in users' browsers for the webmail origin. Alarmingly, CVE-2025-49113 compounds the risk: it requires valid credentials to exploit, which is exactly what this campaign harvests. At the time of the report it had not been seen exploited, but experts fear it could be weaponized alongside ongoing campaigns. The campaign against Poland may be the first of many, as the methods and motivations point to a broader strategy of state-aligned cyber infiltration.
What Undercode Say:
This latest campaign marks a chilling milestone in the evolution of phishing attacks, highlighting how traditional cybersecurity assumptions are being outpaced by increasingly covert methodologies. UNC1151’s strategic exploitation of CVE-2024-42009 demonstrates not only technical ingenuity but also an acute understanding of human behavior and institutional weaknesses. The use of invoice-themed emails wasn’t random — it played on the urgency and routine processing of financial documents within organizations, a common tactic in business email compromise (BEC) scenarios. However, what sets this apart is the depth of social engineering paired with seamless browser exploitation.
The Roundcube vulnerability is particularly dangerous because the JavaScript runs as soon as the message is rendered; the victim has to open the email, but nothing more. Once the malicious Service Worker is registered, it sits between the browser and every request within its scope on the webmail origin, and it stays registered across page loads, tab closures and browser restarts until it is unregistered or the browser's storage for that origin is cleared. Service Workers are meant to improve the user experience through caching and background synchronization; here the same interception capability becomes a silent espionage tool. Because the worker runs inside the browser and its exfiltration travels over ordinary HTTPS, neither the mail server nor a conventional endpoint agent sees anything that looks like an exploit, which gives attackers long-term access without tripping traditional detection. The worker is confined to its origin, however: it cannot read traffic to other sites, and it disappears when the user clears site data for the webmail domain.
From a cyber defense standpoint, this operation reveals gaps in how many organizations perceive webmail security. Email clients like Roundcube, often self-hosted and overlooked in patch management cycles, become prime targets. The silent credential harvesting also indicates that the attackers are interested not just in data theft, but in maintaining persistent access — a key tactic in state-sponsored espionage where time and stealth are more valuable than quick monetization.
Attribution to UNC1151 further escalates the threat level. This group is consistently associated with disinformation campaigns, election interference, and long-term infiltration strategies. Their interest in Polish entities might align with geopolitical motives, such as destabilization or intelligence gathering on NATO-aligned nations. The fact that this is the first known exploitation of CVE-2024-42009 by this actor suggests they’re expanding their technical arsenal, likely preparing for more complex campaigns that could extend to other EU or NATO countries.
Security analysts must also pay attention to the recent disclosure of CVE-2025-49113. Though not seen exploited in the wild at the time of writing, it is a ticking time bomb: it is an authenticated remote code execution flaw, so the credentials harvested by a campaign like this one are precisely what an attacker needs to turn a stolen mailbox login into full webmail server compromise. This is especially dangerous in sensitive sectors like government, healthcare, or finance, where email systems are critical for operational integrity.
Organizations must move beyond reactive security. Continuous patching, rigorous network log audits, and endpoint behavior analytics are now the minimum standard. Browser-level implants like Service Workers must be actively monitored and cleared, especially in environments that use open-source or self-hosted solutions. A fundamental shift is needed: treat email clients not just as communication tools but as critical infrastructure, equally worthy of zero-trust scrutiny.
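The log inspection and Service Worker cleanup recommended here, and in CERT Polska's advice as summarized in the campaign summary above, can be turned into a concrete check. The following Node.js script is an added example written for this page, not code from CERT Polska, Roundcube or the original report. It rests on one platform fact and one assumption: browsers send the request header `Service-Worker: script` only when fetching a script passed to `navigator.serviceWorker.register()`, and a stock Roundcube install registers no Service Worker, so any successful fetch carrying that header on the webmail origin deserves investigation; the assumption is that the web server logs that header as an extra quoted field after the standard combined log fields (for Apache, `"%{Service-Worker}i"` appended to the LogFormat). The hostnames, IPs, timestamps and the `/assets/worker.js` path in the sample log are constructed for the example.

```javascript
'use strict';

// Added example, not from the CERT Polska report or Roundcube.
// Assumed log layout: Apache "combined" plus one extra quoted field holding the
// Service-Worker request header, e.g.
//   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Service-Worker}i\"" swcombined
// Browsers set "Service-Worker: script" only when fetching a script for
// navigator.serviceWorker.register(); Roundcube itself registers none.
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"(?: "([^"]*)")?$/;

// Parse one log line into fields; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5],
    status: Number(m[6]), referer: m[8], userAgent: m[9],
    // "-" means the header was absent (or the extra field is not configured).
    serviceWorker: m[10] === undefined || m[10] === '-' ? null : m[10],
  };
}

// Return every request that the browser identified as a Service Worker script
// fetch and that the server actually satisfied. A 404 registers nothing, so it
// is excluded; a 304 on a periodic update check proves an earlier 200 and counts.
function findServiceWorkerFetches(logText) {
  const hits = [];
  for (const raw of logText.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const e = parseLine(line);
    if (!e || e.serviceWorker !== 'script') continue;
    if ((e.status >= 200 && e.status < 300) || e.status === 304) hits.push(e);
  }
  return hits;
}

// Collapse hits per (client IP, script path) so an analyst gets one row per
// browser that needs its Service Worker removed and its account password reset.
function summarise(hits) {
  const byKey = new Map();
  for (const h of hits) {
    const key = `${h.ip} ${h.path}`;
    const cur = byKey.get(key);
    if (cur) {
      cur.count += 1;
      cur.lastSeen = h.time;
    } else {
      byKey.set(key, { ip: h.ip, path: h.path, count: 1, firstSeen: h.time, lastSeen: h.time });
    }
  }
  return [...byKey.values()];
}

// Constructed sample log: addresses, hosts, timestamps and the worker path are
// made up for this example. Only the header field decides what is flagged.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Jun/2025:09:14:02 +0200] "GET /?_task=mail&_action=show&_uid=42&_mbox=INBOX HTTP/1.1" 200 18231 "https://webmail.example.pl/" "Mozilla/5.0" "-"',
  '203.0.113.7 - - [10/Jun/2025:09:14:03 +0200] "GET /assets/worker.js HTTP/1.1" 200 2210 "https://webmail.example.pl/" "Mozilla/5.0" "script"',
  '203.0.113.7 - - [10/Jun/2025:09:14:05 +0200] "POST /?_task=login HTTP/1.1" 302 0 "https://webmail.example.pl/" "Mozilla/5.0" "-"',
  '198.51.100.23 - - [10/Jun/2025:09:20:44 +0200] "GET /sw.js HTTP/1.1" 404 196 "https://webmail.example.pl/" "Mozilla/5.0" "script"',
  '203.0.113.7 - - [11/Jun/2025:08:02:19 +0200] "GET /assets/worker.js HTTP/1.1" 304 0 "-" "Mozilla/5.0" "script"',
  '192.0.2.55 - - [11/Jun/2025:10:31:00 +0200] "GET /assets/worker.js HTTP/1.1" 200 2210 "https://webmail.example.pl/" "Mozilla/5.0" "script"',
  '192.0.2.55 - - [11/Jun/2025:10:31:01 +0200] "GET /program/js/app.min.js HTTP/1.1" 200 91231 "https://webmail.example.pl/" "Mozilla/5.0" "-"',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  // Stand-alone run: print one row per browser/script pair found in the sample.
  console.table(summarise(findServiceWorkerFetches(SAMPLE_LOG)));
}
```

Run it with `node` against a real log (replace SAMPLE_LOG with the file contents) and treat every (client IP, path) pair it reports as a browser that needs its webmail Service Worker removed and its owner's password reset. Without the extra log field the parser finds nothing at all, so add the field before relying on it. Individual users can remove a registration from the browser's developer tools (Application > Service Workers in Chromium-based browsers, about:serviceworkers in Firefox), and once the server is patched, sending `Clear-Site-Data: "storage"` on the login page response makes supporting browsers drop every registration for the origin on their next visit; note that this also wipes the origin's local storage and IndexedDB.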
In essence, this attack is a wake-up call. It reflects how nation-state actors are fusing the psychological power of spear phishing with technical mastery over web technologies. The Polish campaign is a warning shot — it won’t be the last.
Fact Checker Results:
✅ CVE-2024-42009 is a confirmed vulnerability in Roundcube affecting HTML sanitization
✅ UNC1151 has been consistently linked to Belarusian state-sponsored operations
⚠️ No active exploitation of CVE-2025-49113 has been reported yet, but it’s on the radar
Prediction:
Future attacks will likely expand beyond Poland, targeting countries with outdated Roundcube installations, especially within government and critical infrastructure sectors. UNC1151 may integrate the newer CVE-2025-49113 in upcoming multi-pronged campaigns, combining credential theft with full server compromise. We anticipate a spike in phishing attempts using invoice-related lures, customized by region and language, as attackers refine their social engineering tactics. 🌍🛡️💻
References:
Reported By: cyberpress.org