Suspected China-Linked Group Targets Universities Through Roundcube Vulnerabilities
Security researchers say a suspected China-aligned threat cluster has been abusing flaws in Roundcube webmail to target physics and engineering departments at universities in the United States and Can...
Security researchers say a suspected China-aligned threat cluster has been abusing flaws in Roundcube webmail to target physics and engineering departments at universities in the United States and Canada. The activity, tracked by Proofpoint as UNK_MassTraction, began appearing in May 2026 and appears to focus on administrators and faculty at schools with research ties to national security, astrophysics, and particle physics.
The campaign used phishing emails sent from compromised accounts and from domains with weak email authentication protections. According to Proofpoint, the operators appeared to know in advance which organizations were running vulnerable Roundcube installations, suggesting prior reconnaissance before the emails were sent.
How the attack works
The initial phase relies on a cross-site scripting issue in Roundcube, including the patched vulnerability CVE-2024-42009. If the target opens the message in the Roundcube client, malicious JavaScript executes in the browser and launches a payload called IceCube. That code is designed to steal stored credentials, session cookies, and two-factor authentication data, while also collecting basic browser information such as language settings and screen size.
IceCube then attempts to abuse a second Roundcube flaw, CVE-2025-49113, to gain remote code execution after authentication. If successful, the attackers can install either a web shell known as SquareShell or a Go-based remote administration tool called VShell. In some cases, the chain also uses a shell script that downloads SNOWLIGHT, an ELF loader previously seen in intrusions linked to Chinese threat actors.
- Credential theft via browser-stored session data
- Post-authentication exploitation for server-side access
- Web shell or VShell deployment for persistence
- Fallback delivery of SNOWLIGHT when the primary method fails
Proofpoint said the JavaScript payload also includes so-called deferred triggers that watch for user actions such as closing the page, switching tabs, or moving the mouse away. If those events occur, the malware tries to re-run the exploit and signals the command-and-control server that the user left the session. It then removes traces by ending sessions on the server and forcing a logout.
Researchers noted that this is the first time a China-linked group has been publicly associated with Roundcube exploitation. Previously, similar abuse of Roundcube had been more commonly tied to Russian state-backed actors. Proofpoint said the campaign shows that email servers are increasingly being treated as high-value entry points, much like VPN appliances and other externally exposed systems.
