UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign
ID: 2f5d779f-74ed-572c-9b95-ccc255c61993
STIX ID: report--2f5d779f-74ed-572c-9b95-ccc255c61993
Feed Name: CERT Polska
CERT Polska reports a spear-phishing campaign targeting Polish entities that exploited a Roundcube XSS vulnerability (CVE-2024-42009) to install a Service Worker, which intercepted webmail credentials and exfiltrated them to a.mpk-krakow.pl. The activity is attributed with high confidence to UNC1151. The report includes observable IoCs (sender emails, SMTP source, JS attachment hash, malicious domain) and advises updating Roundcube, investigating logs, resetting compromised credentials, and unregistering Service Workers.
