UNK_MassTraction Hits University Roundcube Servers
Sometimes a single opened email is all it takes to compromise a university network. Researchers at Proofpoint have uncovered a campaign they call UNK_MassTraction. A threat group believed to have ties to China was responsible. It compromised Roundcube mail servers at physics and engineering departments across universities in the United States and Canada.
Campaign Scope and Target Selection
The campaign has been active since at least May 2026. Targeted departments include those linked to national security research, astrophysics, and particle physics. Proofpoint assesses that the attackers pre-selected targets and focused on institutions running vulnerable versions of Roundcube.
Stage One: CVE-2024-42009 and the IceCube Module
Each intrusion began with an email that appeared to be a routine newsletter or promotional message. Embedded within it was code exploiting CVE-2024-42009, a critical Roundcube vulnerability rated 9.4 out of 10. This flaw allows arbitrary scripts to execute inside the victim’s browser. When a recipient opened the message in an affected webmail client, the embedded code ran automatically. No additional action by the user was required.
That initial script then fetched a second-stage module, which Proofpoint named IceCube. IceCube gained access to the active Roundcube session and harvested usernames, passwords, two-factor authentication data, session cookies, and browser details. It then exfiltrated the collected data to an attacker-controlled server.
Stage Two: CVE-2025-49113 and SquareShell Persistence
In the next phase, IceCube attempted to establish persistence on the mail server itself. To do this, the group exploited CVE-2025-49113, a deserialization vulnerability in Roundcube rated 9.9 out of 10. Through this flaw, the attackers installed a web shell called SquareShell. That shell gave them the ability to execute commands remotely on the compromised server.
Anti-Forensics and Covering Tracks
The operators of UNK_MassTraction took deliberate steps to cover their tracks. Their tools cleared browser local storage and verified the host had not been previously compromised. They also modified timestamps on malicious files to match legitimate Roundcube components. Evidence of activity was erased after each session ended.
Fallback Path: VShell Backdoor in Memory
When web shell installation failed, the attack chain switched to a fallback path. The server downloaded a Linux script that selected the appropriate loader for the system’s architecture. It then launched the VShell backdoor entirely in memory. VShell supports interactive command shell access and network traffic tunneling, making it well-suited for lateral movement inside a university network.
Attribution to Chinese Cyber Espionage
Proofpoint attributes UNK_MassTraction to Chinese cyber espionage activity. Supporting indicators include infrastructure shared with other China-linked groups. Chinese-language strings appeared in early phishing emails. The intrusions were also highly targeted, and the group relied on VShell.
The Broader Lesson: Mail Servers Are Entry Points
The broader lesson from this campaign extends well beyond Roundcube. In this model, the mail server is not merely a repository of messages. It functions as an entry point into the entire network. Organizations should therefore protect mail servers with the same rigor they apply to remote access systems. Any externally exposed service deserves equally strict security controls.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.