“We estimate the total volume of targets would be a few dozen universities, but stress that this is at best a guess, not substantiated by our data,” Greg Lesnewich, principal threat research engineer at Proofpoint, told The Register.
Proofpoint tracks UNK_MassTraction; scope and timeline
Proofpoint has attributed a recent series of intrusions against North American higher-education institutions to a crew it tracks as UNK_MassTraction. The company “directly observed ‘less than 10’ universities targeted,” and while it estimated the true number could be “a few dozen,” it cautioned that the latter is an unverified estimate. The most recent sighting occurred in early June, and Proofpoint said, “we believe it is likely that the campaign is ongoing.”
CVE-2024-42009: the one-click gateway in Roundcube
The campaign begins with innocuous-looking phishing messages sent to university departments from both compromised legitimate senders and abused domains vulnerable to spoofing. Opening a malicious message in a vulnerable Roundcube webmail client triggers CVE-2024-42009, a cross-site scripting flaw that exploits a desanitization issue. A JavaScript loader embedded in the message body executes inside the mail client and provides the attacker initial foothold on the mail server.
The attack chain: IceCube to SquareShell, VShell, and SnowLight
Once the injected JavaScript runs, Proofpoint observed the delivery of a stealer dubbed IceCube. IceCube escapes Roundcube’s iFrame instantiation via DOM traversal, granting the stealer access to the browser Document Object Model and the active Roundcube authentication session. It harvests usernames, passwords, session tokens, cookies, and browser reconnaissance data (language, screen size, and form values), then exfiltrates that material to attacker command-and-control servers via HTTP POST.
Proofpoint says the actor then uses the session’s CSRF token to set up gadgets to exploit a separate deserialization vulnerability tracked as CVE-2025-49113. That exploit enables installation of a webshell called SquareShell and deployment of a VShell implant. When SquareShell failed to execute in some cases, the attackers introduced a fallback channel: a shell script that initiates a loader Google tracks as SnowLight. Proofpoint noted the shell script “has been used in other exploit-driven intrusions by Chinese adversaries, likely indicating a privately shared capability.”
Proofpoint also compared this activity to an earlier campaign disclosed by Trellix that used a filename parsing vulnerability to deliver VShell. While the malware overlap and techniques are similar, Proofpoint said it “cannot definitely link” the prior activity to UNK_MassTraction.
Targeting: physics, engineering, and national-security‑linked departments
Proofpoint reports that the campaign focuses on individuals in departments with national security ties, and in astrophysics and particle physics — subject areas it says “support Beijing’s intelligence-gathering goals” and are frequently targeted by government-backed actors. The attackers appear to have carried out reconnaissance prior to intrusion: “The targeted departments were likely specifically chosen because they were all running [vulnerable] versions of Roundcube … indicating that UNK_MassTraction had conducted reconnaissance into the targets prior to conducting the campaign,” the company wrote.
Proofpoint’s researchers also identified “several cases” where virtual private server IP addresses in the phishing email headers belonged to a “covert infrastructure network likely used by multiple China-aligned threat actors.” Additional indicators cited include low-volume targeting, VShell usage, and Chinese-language artifacts inside phishing messages — factors that led Proofpoint to assess UNK_MassTraction as “likely a China-aligned espionage motivated threat actor that has demonstrated moderate operational security awareness.”
What this means for university IT teams, national-security-linked departments, and security researchers
- University IT teams should prioritize identifying and patching vulnerable Roundcube instances, and scan mailservers for SquareShell or unusual webshell activity; Proofpoint said it scanned for SquareShell on compromised servers and coordinated with government and industry partners to notify identified victims.
- Departments with national-security links and groups in astrophysics and particle physics should expect targeted, low-volume phishing that can succeed with only an opened message and should review mailclient configurations and session protections.
- Security researchers and incident-response coordinators will want to monitor the described covert infrastructure, the use of VShell and SnowLight loaders, and any reuse of the shell script the researchers linked to other Chinese-aligned exploit activity.
The intrusion chain laid out by Proofpoint shows how a single-click cross-site scripting flaw — CVE-2024-42009 — can be chained through credential theft and CSRF manipulation into a full remote-code-execution foothold via CVE-2025-49113, webshells, and backdoors. Proofpoint’s technical tracing, its detection of fallback mechanisms, and its coordination to notify victims underline both the stealth and the persistence of the operation — and leave a practical question for affected institutions: will vulnerable Roundcube deployments be found and remediated before the campaign expands beyond the currently observed campuses?




