China-Linked Group Exploits Roundcube Flaws to Target Academic Researchers
A new China-linked threat cluster, dubbed **UNK_MassTraction** by **Proofpoint**, has been actively exploiting vulnerabilities in **Roundcube** webmail servers. The campaign targets U.S. and Canadian universities, specifically focusing on departments involved in physics, engineering, astrophysics, particle physics, and national security research. Attackers aim to steal credentials and deploy sophisticated backdoor malware.
Cybersecurity firm **Proofpoint** has uncovered an ongoing campaign, active since May, that leverages critical flaws in **Roundcube** webmail clients to compromise academic institutions. This activity, attributed to a new threat cluster named **UNK_MassTraction**, is believed to be associated with China-aligned espionage actors.
### Targeted Exploitation of Academic Networks
The primary targets of **UNK_MassTraction** are physics and engineering departments, as well as administrators and professors at U.S. and Canadian universities. Organizations engaged in sensitive research fields such as astrophysics, particle physics, and national security are also in the crosshairs.
### The Attack Chain: From Email to Webshell
The attack typically initiates with a malicious email, often sent from compromised accounts or spoofed domains, using a generic lure.

Opening this email in a vulnerable **Roundcube** webmail client triggers the exploitation of **CVE-2024-42009**, a cross-site scripting (XSS) vulnerability. This executes JavaScript code within the victim's browser, leading to the loading of a payload known as **IceCube**.
**IceCube** is described as a "fully-featured **Roundcube** stealer" capable of harvesting sensitive data, including usernames, passwords, cookies, two-factor authentication (2FA) data, and browser information.
**Proofpoint** further notes that **IceCube** employs "helpers" to exploit a **Roundcube** deserialization flaw, **CVE-2025-49113**. The ultimate goal is to install **SquareShell**, a PHP webshell that provides remote code execution (RCE) capabilities on the mail server.
If the installation of **SquareShell** fails, the malware downloads a shell script that loads **VShell** directly into memory. **VShell** is a commodity Go-based backdoor commonly used by Chinese threat actors, offering interactive shell access and port forwarding functionalities.
.jpg)
### Attribution to China-Aligned Actors
**Proofpoint** assesses with moderate confidence that **UNK_MassTraction** is likely a China-aligned espionage actor. This assessment is based on several observations:
* **Infrastructure Overlap:** The command-and-control infrastructure used in the attacks shows overlap with a covert VPS network previously linked to multiple China-linked threat groups.
* **Linguistic Artifacts:** Earlier phishing emails contained Chinese-language artifacts.
* **Tactical Alignment:** The strategy of targeting internet-facing mail servers as an initial foothold for deeper network penetration is a hallmark of Chinese state-sponsored cyber espionage.
Interestingly, **UNK_MassTraction** appears to have conducted prior reconnaissance, specifically targeting servers known to be vulnerable to **CVE-2024-42009** and **CVE-2025-49113**.
### Recommendations for Administrators
Administrators of **Roundcube** systems are strongly advised to apply the latest security updates to patch both **CVE-2024-42009** and **CVE-2025-49113**. Mail servers, due to their critical role and direct internet exposure, should be secured with the same rigor applied to VPNs and other remote access infrastructure.