Suspected China-Aligned Group Exploits Roundcube Flaws in Attacks on US and Canadian Universities
A new threat cluster, dubbed **UNK_MassTraction** by **Proofpoint**, is targeting physics and engineering departments at US and Canadian universities. The group is exploiting critical, now-patched vulnerabilities in **Roundcube** webmail software to steal credentials, establish persistent access, and deploy post-exploitation tools like **VShell**.

Cybersecurity firm **Proofpoint** has identified a new threat activity cluster, **UNK_MassTraction**, believed to be aligned with China. This group has been observed actively exploiting critical vulnerabilities in **Roundcube** webmail software, specifically targeting physics and engineering departments at universities in the United States and Canada.
### Exploiting N-Day Vulnerabilities
The campaign leverages now-patched critical security flaws in the open-source email solution, including **CVE-2024-42009** (CVSS score: 9.3). The initial objective is to siphon user credentials. Following successful credential theft, the attackers either deploy a web shell for persistent access or install **VShell**, a known post-exploitation tool.
First detected in May 2026, **UNK_MassTraction** has focused on administrators and professors within departments that have national security ties or conduct research in astrophysics and particle physics.
### Sophisticated Phishing and Reconnaissance
**Proofpoint**'s technical report highlights that the threat actors used compromised senders and abused domains vulnerable to spoofing due to lax **DMARC** policies. The generic nature of the lures suggests a broader targeting scope than initially visible.
Crucially, the cross-site scripting (XSS) exploit for **CVE-2024-42009** only requires the recipient to open the email within the **Roundcube** client. This triggers the execution of arbitrary JavaScript code in the victim's web browser. This precision indicates that the threat actor likely conducted prior reconnaissance to identify **Roundcube** instances susceptible to N-day security flaws.
"The actor is likely abusing **Roundcube** servers as a pivot point to enter target networks, and the operators have deliberately crafted their infection chain to avoid detection," stated **Proofpoint** researchers Greg Lesnewich and Mark Kelly.
### IceCube Payload and Post-Exploitation
The payload delivered after the XSS exploitation, codenamed **IceCube**, is designed to harvest browser-stored credential information, including two-factor authentication (2FA) data and cookies. It also performs reconnaissance, collecting details such as browser language, screen size, and form field values. This harvested information is exfiltrated via an HTTP POST request.
**IceCube** then leverages the session's **CSRF** token to weaponize a second post-authenticated remote code execution flaw in **Roundcube**, **CVE-2025-49113** (CVSS score: 9.9). The ultimate goal is to gain a foothold on the mail server and drop either **VShell** or a web shell dubbed **SquareShell** into memory.

The **SquareShell** web shell, deployed via a PHP gadget shell command, is remotely accessible at the endpoint "plugins/newmail_notifier/mail_preview.php" and enables arbitrary code execution. If **SquareShell** deployment fails, the attack chain falls back to an alternate mechanism: a shell script executed through the **Roundcube** vulnerability to deliver **VShell**.
### Links to Broader Chinese Threat Activity
This secondary method, introduced in June 2026, involves a shell script that acts as a conduit for an **ELF** loader known as **SNOWLIGHT**. The use of both **SNOWLIGHT** and **VShell** has been previously linked to the China-linked cluster **UNC5174**, suggesting possible shared tooling among multiple China-nexus groups.
**IceCube** also implements "deferred triggers" to maintain persistence. These triggers monitor user actions like closing the page, changing tabs, or moving the mouse outside the browser window. If such actions occur, **IceCube** hooks these events, re-attempts exploitation of **CVE-2025-49113**, and beacons to its command-and-control (C&C) server that the user left the **Roundcube** session. Upon completion or timeout, the JavaScript malware destroys user and malware-initiated sessions, logging out the user and erasing forensic evidence from the **Roundcube** server.
Written in Go, **VShell** is a remote administration tool offering post-compromise capabilities akin to **Cobalt Strike**, and has been used by various China-aligned adversaries.
### A Shift in Tactics and Defender Recommendations
This campaign marks the first time a Chinese hacking group has been explicitly tied to the exploitation of **Roundcube** flaws, which have traditionally been abused by state-sponsored threat actors from Russia.
**Proofpoint** researchers emphasize the sophistication of **UNK_MassTraction**'s toolkit and its novel use of N-day vulnerabilities. They conclude that "email delivery can facilitate compromise of the mail server," urging defenders to prioritize the security of their mail servers as thoroughly as they do other edge devices like VPN concentrators.