The activity, tracked as UNK_MassTraction, has been under observation since May 2026 and is believed to remain active. Fewer than 10 confirmed university victims have been identified so far, though the potential exposure could extend to several dozen institutions running unpatched Roundcube instances. The operation highlights a widening threat to academic research environments, where internet-facing mail systems can offer a route into broader campus networks.
The attackers exploited known, patched vulnerabilities rather than unknown zero-day flaws. The first, CVE-2024-42009, is a critical cross-site scripting flaw in Roundcube with a CVSS severity score of 9.3. It allows malicious JavaScript to execute when a target opens a specially crafted email inside a vulnerable Roundcube webmail client. The second, CVE-2025-49113, is a deserialisation flaw that can enable server-side compromise and remote code execution.
The campaign used compromised senders and domains with weak DMARC settings to deliver generic email lures. The messages did not need elaborate deception. Opening the email in a vulnerable client could start the chain, giving the attackers access to the browser session and then to the mail server itself. That method lowers the threshold for compromise and makes ordinary spam-like emails more dangerous inside unpatched environments.
After the first-stage exploit, the attackers deployed a JavaScript stealer named IceCube. The tool was designed to escape Roundcube’s internal frame, interact with the wider browser session and collect usernames, passwords, cookies, two-factor authentication material and session data. It also gathered browser details such as language settings, screen size and form values before sending the information to command-and-control infrastructure.
The next stage used the stolen session context to exploit the Roundcube deserialisation vulnerability. Successful exploitation enabled installation of SquareShell, a lightweight PHP web shell placed in a plugin-like path to blend into the application structure. The shell was timestomped by copying modification times from legitimate plugin files, a tactic used to obstruct forensic review.
Where the web shell route failed, the chain included fallback mechanisms. One fallback used a shell script to deploy an architecture-dependent ELF loader associated with SNOWLIGHT. That loader could then run VShell, a Go-based backdoor observed in earlier China-linked intrusions. VShell offers interactive shell and port-forwarding capabilities, making it useful for lateral movement from an exposed mail server into other systems.
The operators also used measures that point to operational discipline. The malware checked whether a target had already been infected, cleaned browser storage, removed evidence of activity, destroyed user and attacker-created sessions and used deferred triggers when a user changed tabs, moved the mouse away from the browser window or attempted to log out. These behaviours suggest the attackers were not merely collecting mailbox data but treating mail servers as edge devices for network access.
Attribution remains cautious. The cluster has not been tied publicly to a named state-backed unit. The China-aligned assessment rests on a combination of factors, including Chinese-language artefacts in earlier message content, use of infrastructure linked to covert networks used by multiple China-aligned actors, targeting patterns and the use of VShell. The focus on physics, engineering and high-value academic research fits a broader pattern in which universities are targeted for intellectual property, defence-adjacent research and access to specialist collaboration networks.
Roundcube is widely used as an open-source browser-based IMAP webmail client, particularly by universities, research groups, hosting providers and smaller organisations that prefer self-managed email infrastructure. Its popularity and exposure to the public internet make delayed patching a serious risk. Institutions that maintain separate departmental servers may face added difficulty, as systems outside central IT oversight can remain outdated even after patches are available.
Topics
Technology