Critical Roundcube Vulnerability Exploited in CIS Government Phishing Attacks; Urgent Updates Required

October 22, 2024
  • Unknown threat actors have exploited a Roundcube Webmail vulnerability (CVE-2024-37383) to target government organizations in the Commonwealth of Independent States (CIS), aiming to steal user credentials.

  • The initial phishing email was sent to a governmental organization in a CIS country, and the attack was later identified by Russian cybersecurity firm Positive Technologies in September.

  • Although the identity of the attackers remains unknown, similar vulnerabilities have previously been exploited by groups such as Winter Vivern.

  • The hidden payload in the phishing emails is a piece of base64-encoded JavaScript that downloads a decoy document and injects an unauthorized login form into the HTML page.

  • Recent vulnerabilities in Roundcube, particularly CVE-2024-37383, have raised concerns; this flaw affects versions prior to 1.5.7 and 1.6.x before 1.6.7, prompting urgent updates to the latest version 1.6.9.

  • CVE-2024-37383 is a medium-severity stored cross-site scripting (XSS) vulnerability with a CVSS score of 6.1, allowing attackers to execute arbitrary JavaScript when a user opens a specially crafted email.

  • The phishing campaign, which began in June 2024, involved emails that appeared empty but contained a hidden .DOC attachment and JavaScript code designed to exploit the vulnerability.

  • The attacks were first discovered in September 2024, but the malicious activity had been ongoing since June.

  • Roundcube Webmail, an open-source PHP-based email solution, is popular among commercial and government entities, making it a frequent target for cyberattacks.

  • The malicious JavaScript payload not only saves an empty attachment but also retrieves messages from the mail server using the ManageSieve plugin, displaying a fake login form to capture user credentials.

  • This fake login form requests the user's Roundcube login and password, which are then sent to a remote server registered on Cloudflare.

  • Despite its limited popularity compared to other email clients, Roundcube is targeted by hackers due to its use by government agencies, posing significant risks of data breaches.

Summary based on 4 sources

