Skip to main content
Emerging ThreatsMalware & Ransomware

China-Aligned Hackers Exploit Roundcube Flaws at Universities

Modern university hallway with offices and classrooms, natural daylight from large windows.

"The actor is likely abusing Roundcube servers as a pivot point to enter target networks, and the operators have deliberately crafted their infection chain to avoid detection," Proofpoint researchers Greg Lesnewich and Mark Kelly said.

UNK_MassTraction: who was targeted and when

Proofpoint, which is tracking the activity cluster under the name UNK_MassTraction, first detected the campaign in May 2026. The campaign targeted physics and engineering departments at U.S. and Canadian universities, focusing specifically on administrators and professors in departments with either national security ties or entities studying astrophysics and particle physics. Proofpoint observed the operators using both compromised senders and abused domains vulnerable to spoofing because of lax DMARC policy to deliver the malicious mail.

CVE-2024-42009 and CVE-2025-49113: a two-stage exploitation chain

The intrusions hinge on now-patched, critical vulnerabilities in the open-source Roundcube webmail client. The initial vector is CVE-2024-42009 (CVSS score: 9.3) — a cross-site scripting (XSS) flaw that only requires the recipient to open the email in the Roundcube client to obtain access to the mail server. Proofpoint assessed that the targeted departments were singled out because they were running versions of Roundcube susceptible to N-day security flaws, indicating preparatory reconnaissance into the targets' environments.

Once credential- and session-related material is exfiltrated, the attackers leverage the session's CSRF token to weaponize a second, post-authenticated remote code execution vulnerability, CVE-2025-49113 (CVSS score: 9.9). That second flaw is used to obtain a foothold on the mail server and deploy post-exploitation tooling or a web shell.

IceCube, SquareShell, VShell and SNOWLIGHT: the tools of persistence

Proofpoint named the JavaScript payload delivered via the XSS exploit IceCube. IceCube is designed to siphon credential information stored in the browser along with two-factor authentication (2FA) and cookies, and to collect reconnaissance data such as browser language, screen size, and form field values. The harvested information is sent to an external system via an HTTP POST.

After exfiltration, the actors seek to deploy a web shell dubbed SquareShell using a PHP gadget shell command; the deployed web shell is remotely reachable at the endpoint "plugins/newmail_notifier/mail_preview.php" and enables arbitrary code execution. If web-shell installation fails, the attack chain falls back to executing a shell script via the Roundcube vulnerability to ultimately deliver VShell.

Proofpoint says the fallback mechanism was added in June 2026; previously the chain would simply exit upon failing to deploy SquareShell. The shell script acts as a conduit for an ELF loader referred to as SNOWLIGHT, fetching a version compatible with the host's system architecture and then executing it. Both SNOWLIGHT and VShell have been used in intrusions that Proofpoint links to a China-linked cluster tracked as UNC5174 in the past. VShell, written in Go, is described as a remote administration tool providing post-compromise capabilities similar to Cobalt Strike and has been utilized by various China-aligned adversaries in recent years.

Delivery tradecraft and operational stealth

Proofpoint noted the use of generic lures in the emails, which it said indicates a "larger targeting swath" beyond what researchers can see. The operator's JavaScript payload implements measures to preserve the infection chain and reduce detection. "IceCube also sets up what it calls 'deferred triggers' to ensure continuance of the infection chain," Proofpoint said, describing how the deferred triggers monitor if the user closes the page or changes tabs, checks if the mouse leaves the browser window, and hijacks the logout button. If those actions are taken, IceCube hooks those events, re-attempts exploitation of CVE-2025-49113, and beacons to the C&C that the user left the Roundcube session.

On completing its actions or running into a timeout, the JavaScript malware then destroys user and malware-initiated sessions on the server, causing the user to log out and erasing forensic evidence associated with the compromise from the Roundcube server. Proofpoint concluded the operators have "deliberately crafted their infection chain to avoid detection."

What this means for technologists, policymakers, and affected universities

  • Technologists and security teams: prioritize patching and hardening exposed Roundcube instances and review DMARC and email authentication policies, because the campaign exploited both application vulnerabilities and lax domain spoofing protections.
  • Policymakers and regulators: the campaign demonstrates cross-border targeting of academic departments with national-security-adjacent work and may prompt scrutiny of how critical academic services are maintained and disclosed to affected parties.
  • Affected universities and administrators: exposure was tied to running vulnerable Roundcube versions and to email-sending practices; administrators should assume reconnaissance preceded phishing and conduct focused incident response on mail servers and any lateral pivots stemming from them.

The development marks the first time a Chinese hacking group has been tied to the exploitation of Roundcube flaws, which have been traditionally abused by state-sponsored threat actors from Russia, Proofpoint observed. UNK_MassTraction's use of n‑day vulnerabilities, deferred triggers, and layered fallbacks suggests an operator comfortable treating mail servers as an access vector and pivot point — a reminder, the researchers concluded, that defenders should prioritize mail-server defenses as they do other edge remote-access nodes.

Original report