Hackers exploit Roundcube flaw to spy on academic researchers
by Bill Toulas · BleepingComputerA China-linked threat cluster has been exploiting vulnerable Roundcube servers at U.S. and Canadian universities to steal credentials and deploy backdoor malware.
The campaign has been observed since May and focuses on physics and engineering departments, administrators and professors, as well as organizations involved in astrophysics, particle physics, or national security-related research.
Researchers at cybersecurity company Proofpoint are tracking the activity under the name ‘UNK_MassTraction’ and believe to be associated with a new threat cluster.
The attack begins with a malicious email sent from compromised accounts or spoofed domains, using a generic lure.
Source: Proofpoint
Opening the email in a vulnerable Roundcube webmail client triggers exploitation of a cross-site scripting flaw tracked as CVE-2024-42009, which executes JavaScript code inside the victim’s browser, loading a payload called IceCube.
According to the researchers, IceCube "is a fully-featured Roundcube stealer" that can harvest usernames, passwords, cookies, two-factor authentication (2FA) data, and browser information.
Proofpoint says that the malware uses "helpers" to exploit a Roundcube deserialization flaw tracked as CVE-2025-49113 and attempts to install SquareShell, a PHP webshell that includes remote code execution capabilities.
If successful, the attacker gains remote code execution on the mail server; otherwise, the malware downloads a shell script that loads another payload, VShell, directly in memory.
VShell is a commodity Go-based backdoor that supports interactive shell access and port forwarding, which is commonly used by Chinese threat actors.
Source: Proofpoint
Based on several observations, Proofpoint assesses that UNK_MassTraction is likely a China-aligned espionage actor.
First, the infrastructure used in the attacks overlaps with a covert VPS network previously associated with multiple China-linked actors. Another clue is the presence of Chinese-language artifacts in earlier phishing emails.
Finally, the tactic of targeting internet-facing mail servers as a foothold for accessing internal networks is a hallmark of Chinese attacks.
Taking everything into account, Proofpoint emphasizes that attribution in this case is just an assessment and definitely not a high-confidence one.
An interesting finding regarding the specific targeting of this campaign is that UNK_MassTraction appears to have selected servers previously deemed vulnerable to CVE-2024-42009 and CVE-2025-49113, so some reconnaissance was performed prior to the attacks.
Administrators of Roundcube systems are advised to apply the latest security updates that address the two flaws and treat mail servers with the same diligence they show for VPNs and other remote access nodes.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.