A suspected China-aligned threat group is actively exploiting Roundcube webmail vulnerabilities to target physics and engineering departments at US and Canadian universities. Proofpoint is tracking them as UNK_MassTraction.
The campaign was first detected in May 2026. The targets aren’t random — they’re administrators and professors in departments with national security ties or those researching astrophysics and particle physics.
Here’s how it works. The attackers send phishing emails that trigger cross-site scripting flaws in Roundcube. The recipient doesn’t need to click anything — just opening the email in Roundcube is enough to give the attackers access to the mail server.
The initial exploit targets CVE-2024-42009, a critical flaw with a CVSS score of 9.3. Once triggered, it executes arbitrary JavaScript in the victim’s browser. That deploys a payload called IceCube designed to steal credentials, 2FA tokens, and cookies. IceCube also does its own recon — collecting browser language, screen size, and form field values.
The harvested data goes out via HTTP POST. Then IceCube uses the session’s CSRF token to exploit a second flaw — CVE-2025-49113 (CVSS 9.9) — for remote code execution. That gives the attackers a foothold on the mail server, where they drop either a web shell called SquareShell or a known post-exploitation tool called VShell.
If the web shell install fails, the attack chain falls back to executing a shell script through the Roundcube vulnerability to deliver VShell instead.
Proofpoint notes the attackers likely did prep work — gathering intel on their targets’ environments before sending the phishing emails. The whole chain is designed to avoid detection. Roundcube servers are being used as pivot points into target networks.
The attackers abused both compromised senders and domains vulnerable to spoofing due to lax DMARC policies. Generic lures suggest the actual targeting may be wider than what’s been observed so far.
