Hackers exploit Roundcube bug to target academic researchers

▼ Summary
– A China-linked threat cluster exploits vulnerable Roundcube servers at U.S. and Canadian universities, targeting physics, engineering, and national security-related research organizations since May.
– The attack uses malicious emails to trigger a cross-site scripting flaw (CVE-2024-42009), deploying the IceCube stealer to harvest credentials, cookies, and 2FA data.
– IceCube exploits a deserialization flaw (CVE-2025-49113) to install SquareShell, a PHP webshell for remote code execution, or loads the VShell backdoor in memory.
– Proofpoint assesses the cluster, named UNK_MassTraction, as a likely China-aligned espionage actor due to infrastructure overlaps with Chinese groups and Chinese-language artifacts in emails.
– Administrators should apply security updates for the two flaws and treat mail servers with the same diligence as remote access nodes.
A threat cluster linked to China has been actively targeting vulnerable Roundcube servers at universities across the United States and Canada, aiming to steal login credentials and deploy persistent backdoor malware. The operation has been running since May and zeroes in on physics and engineering departments, administrative staff, professors, and organizations working in astrophysics, particle physics, or national security-related research.
Cybersecurity firm Proofpoint is tracking this activity under the name UNK_MassTraction and believes it represents a new threat cluster. The attack chain begins with a malicious email sent from either compromised accounts or spoofed domains, using a generic lure to entice the recipient.
When the email is opened in a vulnerable Roundcube webmail client, the attack triggers a cross-site scripting vulnerability tracked as CVE-2024-42009. This flaw executes JavaScript code inside the victim’s browser, loading a payload known as IceCube. According to Proofpoint researchers, IceCube is “a fully-featured Roundcube stealer” capable of harvesting usernames, passwords, cookies, two-factor authentication (2FA) data, and browser information.
The malware then uses “helpers” to exploit another Roundcube flaw, a deserialization vulnerability tracked as CVE-2025-49113, in an attempt to install SquareShell, a PHP webshell with remote code execution capabilities. If successful, the attacker gains remote code execution on the mail server. If not, the malware downloads a shell script that loads a different payload, VShell, directly into memory.
VShell is a commodity Go-based backdoor that supports interactive shell access and port forwarding, commonly used by Chinese threat actors. Proofpoint assesses that UNK_MassTraction is likely a China-aligned espionage actor based on several observations. The infrastructure overlaps with a covert VPS network previously tied to multiple China-linked actors. Additionally, earlier phishing emails contained Chinese-language artifacts. The tactic of targeting internet-facing mail servers as a foothold for accessing internal networks is also a hallmark of Chinese attacks.
However, Proofpoint emphasizes that this attribution is an assessment, not a high-confidence one. An interesting finding is that UNK_MassTraction appears to have selected servers previously deemed vulnerable to both CVE-2024-42009 and CVE-2025-49113, indicating that some reconnaissance was performed before the attacks.
Administrators of Roundcube systems are urged to apply the latest security updates addressing both flaws and to treat mail servers with the same diligence reserved for VPNs and other remote access nodes.
(Source: BleepingComputer)




