Skip to main content
Emerging ThreatsMalware & Ransomware

Hackers Exploit Roundcube Flaw to Target Academic Researchers

University hallway with generic furnishings and decor, daytime scene.

CVE-2024-42009 is being exploited in an ongoing campaign that has targeted U.S. and Canadian universities since May, researchers say.

What Proofpoint observed about ‘UNK_MassTraction’

Security researchers at Proofpoint are tracking a campaign they call ‘UNK_MassTraction’ and describe it as a China-linked threat cluster exploiting vulnerable Roundcube webmail servers. The activity, observed since May, focuses on physics and engineering departments, administrators and professors, and organizations involved in astrophysics, particle physics, or national security-related research at U.S. and Canadian universities.

Proofpoint characterizes UNK_MassTraction as likely a new threat cluster. The firm also stresses that its judgment about national alignment is an assessment rather than a high-confidence attribution: “attribution in this case is just an assessment and definitely not a high-confidence one,” the report notes.

How the attack chain begins and escalates

The campaign starts with a malicious email sent from either compromised accounts or spoofed domains, using a generic lure. When a recipient opens the message in a vulnerable Roundcube webmail client, the attackers exploit a cross-site scripting flaw tracked as CVE-2024-42009. That XSS executes JavaScript inside the victim’s browser and loads a payload the researchers call IceCube.

Proofpoint describes IceCube as “a fully-featured Roundcube stealer” that can harvest usernames, passwords, cookies, two-factor authentication (2FA) data, and browser information. After initial credential theft, IceCube uses so-called “helpers” to attempt further exploitation of the mail server through a Roundcube deserialization flaw tracked as CVE-2025-49113.

From webmail theft to server backdoors: IceCube, SquareShell, and VShell

If the post-exploitation step succeeds, the attackers attempt to install SquareShell, a PHP webshell that provides remote code execution on the mail server. If that installation does not succeed, Proofpoint says the malware instead downloads a shell script that loads another payload, VShell, directly into memory.

Proofpoint describes VShell as a commodity Go-based backdoor that supports interactive shell access and port forwarding, and notes it is “commonly used by Chinese threat actors.” The result of either successful SquareShell installation or an active VShell payload is the attacker gaining remote code execution on a mail server — a foothold that can be used to pivot into broader internal networks.

Evidence pointing to China-aligned operators — and the caveat

  • Infrastructure overlap: Proofpoint reports that the campaign’s infrastructure overlaps with a covert VPS network previously associated with multiple China-linked actors.
  • Language artifacts: Earlier phishing emails in the observed operations contained Chinese-language artifacts, according to the researchers.
  • Tactics consistent with prior patterns: The researchers note that targeting internet-facing mail servers as an entry point to internal networks aligns with a tactic used in other attacks attributed to China-linked actors.

Despite these indicators, Proofpoint reiterates that its attribution is an assessment and not a high-confidence determination.

What this means for administrators, researchers, and security teams

  • Administrators: Proofpoint advises Roundcube system administrators to apply the latest security updates that address CVE-2024-42009 and CVE-2025-49113, and to treat mail servers with the same diligence shown to VPNs and other remote access nodes.
  • Researchers and faculty in targeted disciplines: Units in physics, engineering, astrophysics, particle physics, and national security-related research should be aware that their mail servers and accounts are specifically in scope for this campaign and may merit prioritized patching and monitoring.
  • Security teams: Detection and post-compromise controls should assume credential theft is plausible via IceCube and that successful exploitation may yield remote code execution through SquareShell or in-memory backdoors such as VShell.

Proofpoint’s findings paint a familiar but specific picture: phishing that weaponizes a known Roundcube XSS, follow-on exploitation of a deserialization bug, and escalation to webshells or in-memory backdoors that can give attackers persistent access to mail infrastructure. Proofpoint’s reporting also documents reconnaissance: UNK_MassTraction appears to have selected servers previously identified as vulnerable to the two CVEs, indicating prior scanning or vulnerability profiling.

For teams hunting detection gaps, an industry data point cited in the same source notes that a vendor whitepaper found security teams log 54% of successful attacks but alert on only 14%—a reminder, in the words of the paper, that many incidents “move through your environment unseen.”

Administrators who run Roundcube installations must now weigh a specific chain of risk — CVE-2024-42009 leading to IceCube credential theft, helpers exploiting CVE-2025-49113, and the potential installation of SquareShell or VShell — and act on the concrete mitigation the researchers recommend. The next observable milestones will be whether patching and tighter monitoring reduce successful compromises and whether Proofpoint’s infrastructure overlaps or language artifacts yield further corroboration for the actor assessment.

Original story