ProBackend
active vulnerability exploitation
1 hour ago8 min read

How a China-Linked Cluster Weaponized Roundcube Flaws Against University Cybersecurity Researchers

A China-aligned espionage group tracked by Proofpoint as UNK_MassTraction has been exploiting two known Roundcube vulnerabilities—CVE-2024-42009 (XSS) and CVE-2025-49113 (deserialization)—to compromise webmail servers at U.S. and Canadian universities, deploying credential-stealing malware and persistent backdoors targeting physics and engineering researchers.

A Quiet Campaign Against University Mail Servers

Since May 2026, a China-aligned espionage group has been quietly picking apart the webmail infrastructure at universities across the U.S. and Canada. The threat cluster, which Proofpoint is tracking under the代号 UNK_MassTraction, isn't exactly stealthy in its objectives—it's after physics and engineering departments, administrators, professors, and any organization dabbling in astrophysics, particle physics, or national security research.

What makes this campaign particularly nasty is the precision. The attackers didn't just blast out emails to every Roundcube instance they could find. They performed reconnaissance first, identifying servers that were vulnerable to both CVE-2024-42009 and CVE-2025-49113 before striking. That kind of targeting suggests a well-resourced operation with patience and resources to spare.

Proofpoint's assessment is that this is a new threat cluster, which means we're likely looking at the early stages of an emerging campaign. The fact that they've been operating for months without widespread detection says something about both their operational security and the general state of university IT hygiene.

A Quiet Campaign Against University Mail Servers

How the Attack Unfolds Step by Step

The attack chain is elegant in its simplicity, which is usually a bad sign. It starts with a malicious email—sent from compromised accounts or spoofed domains, using what Proofpoint describes as a generic lure. Nothing fancy, just enough to get someone to open it.

Once that email lands in a vulnerable Roundcube webmail client, things go south fast. The XSS flaw (CVE-2024-42009) triggers, executing JavaScript code right in the victim's browser. That JavaScript loads a payload called IceCube, which Proofpoint describes as "a fully-featured Roundcube stealer."

IceCube does exactly what you'd expect from a stealer: it harvests usernames, passwords, cookies, two-factor authentication data, and browser information. But here's where it gets interesting—the malware doesn't stop there.

IceCube uses "helpers" to exploit a second vulnerability, CVE-2025-49113, which is a deserialization flaw in Roundcube. This second exploit attempt tries to install SquareShell, a PHP webshell with remote code execution capabilities. If it works, the attacker now has full RCE on the mail server. That's a game-changer—they can move laterally, access internal networks, and potentially reach systems that were never directly targeted.

If SquareShell installation fails for some reason, there's a fallback. The malware downloads a shell script that loads VShell directly in memory. VShell is a commodity Go-based backdoor that supports interactive shell access and port forwarding, and it's commonly used by Chinese threat actors. The in-memory loading is smart—it makes detection harder since nothing gets written to disk.

How the Attack Unfolds Step by Step

Two Flaws, One Campaign

The dual-vulnerability approach is what makes this campaign particularly effective. CVE-2024-42009 is a cross-site scripting flaw in the Roundcube webmail client, while CVE-2025-49113 is a deserialization vulnerability. Neither is particularly new—CVE-2024-42009 has been known for over a year—but they're being used together in a way that maximizes impact.

The XSS flaw gets the initial foothold by executing malicious code in the browser. The deserialization flaw then provides a path to server-side compromise. It's a classic escalation pattern, but it works because too many organizations are running outdated software.

Here's the thing that really bothers me: both vulnerabilities have patches available. Administrators are being advised to apply the latest security updates, but the fact that universities are still running vulnerable Roundcube instances says something about their patch management practices. Mail servers should be treated with the same diligence as VPNs and other remote access nodes—they're often the first door attackers try to kick in.

The reconnaissance phase is also worth noting. The attackers specifically targeted servers that were vulnerable to both CVEs, which means they had intelligence about which institutions hadn't patched. That level of preparation suggests either insider knowledge or sophisticated scanning capabilities.

IceCube, SquareShell, and VShell

The malware arsenal deployed in this campaign is telling. Each component serves a specific purpose in the attack chain, and together they create a robust path from initial access to persistent compromise.

IceCube is the initial payload—a stealer that harvests credentials and browser data. It's designed to be lightweight and fast, getting in, grabbing what it needs, and moving on. The fact that it includes helpers for exploiting additional vulnerabilities shows a level of sophistication that goes beyond simple credential theft.

SquareShell is the persistence mechanism. As a PHP webshell with remote code execution, it gives attackers a reliable way to maintain access to the mail server. Webshells are old hat in the cybersecurity world, but they work because they're simple and effective. Once you have RCE on a mail server, the possibilities are endless—you can read emails, send phishing messages to other users, and use the server as a jumping-off point for further attacks.

VShell is the fallback option, and it's particularly interesting from an attribution perspective. This Go-based backdoor is widely used by Chinese threat actors, which ties into Proofpoint's assessment of the campaign. VShell supports multiple platforms (Windows, Linux across various architectures, and macOS), uses encrypted C2 channels with TLS, and exhibits beaconing activity. NVISO's analysis of VShell infrastructure shows it's been used widely across South America, Africa, and the Asia-Pacific region, suggesting a broad operational footprint.

The in-memory loading of VShell is a notable detail. By avoiding disk writes, the attackers are making forensic analysis harder. Traditional endpoint detection might miss this entirely if it's not specifically looking for VShell's network signatures.

The Broader AI Cybersecurity Context

This campaign doesn't exist in a vacuum. It's part of a larger pattern where nation-state actors are increasingly targeting academic institutions for research espionage. The focus on physics and engineering departments, astrophysics, particle physics, and national security research aligns with known Chinese espionage objectives around advanced technology and scientific breakthroughs.

From an AI cybersecurity perspective, this campaign illustrates several important trends. First, the weaponization of legacy vulnerabilities against critical infrastructure shows that attackers don't need zero-days to cause significant damage. Second, the use of commodity tools like VShell demonstrates how accessible these capabilities have become—any actor with sufficient motivation can leverage publicly available malware.

The targeting of university mail servers is particularly concerning because these institutions often have less robust security postures than corporate environments. Academic networks are designed for openness and collaboration, which makes them attractive targets for espionage. Once attackers compromise a mail server, they can potentially access research data, communications between researchers, and internal network resources that were never intended to be internet-facing.

This is also a reminder that AI-driven threat detection systems need to account for the full attack chain, not just individual indicators. IceCube's credential harvesting, SquareShell's webshell deployment, and VShell's C2 communications are all part of the same campaign, but they might trigger different alerts in different systems. Correlating these events is crucial for effective detection.

Why Proofpoint Points to China

Attribution in cyber operations is always tricky, and Proofpoint is careful to note that their assessment is "just an assessment and definitely not high-confidence." But the indicators they've identified are compelling enough to warrant attention.

The first clue is infrastructure. The servers used in these attacks overlap with a covert VPS network that's been associated with multiple China-linked actors in the past. Infrastructure reuse is common among threat groups, and when you see known Chinese infrastructure being used for new campaigns, it's hard to ignore.

Then there are the Chinese-language artifacts found in earlier phishing emails. While this could theoretically be the work of a Chinese-speaking individual acting independently, it's more likely to be part of a coordinated operation with resources in China.

The targeting pattern itself is also telling. Going after internet-facing mail servers as a foothold for accessing internal networks is a hallmark of Chinese attacks. It's a patient, methodical approach that prioritizes long-term access over quick wins.

It's worth noting that UNC5174, a suspected initial access broker linked to China's Ministry of State Security, has been associated with VShell usage. However, since VShell is publicly available, this doesn't prove direct involvement—it just shows that the tool is in the ecosystem these actors operate in.

The combination of infrastructure, language artifacts, and targeting patterns creates a compelling picture, even if individual indicators could theoretically have alternative explanations.

What Administrators Need to Do Now

If you're running Roundcube, the time for action is now. Here's what needs to happen:

First and foremost, apply the latest security updates that address both CVE-2024-42009 and CVE-2025-49113. These patches have been available for some time, so if you haven't updated yet, you're essentially inviting exploitation. Test the updates in a non-production environment first if you're concerned about compatibility, but don't delay.

Treat your mail server with the same security posture you'd give to any other remote access point. That means regular patching, strong authentication (preferably multi-factor), network segmentation to limit lateral movement, and monitoring for suspicious activity. If you're not already doing this, start now.

Monitor your systems for indicators of compromise related to IceCube, SquareShell, and VShell. This includes looking for unusual JavaScript execution in webmail interfaces, unexpected PHP files on your mail server, and network connections to known VShell C2 infrastructure. NVISO has published detection signatures for VShell beacon payloads and C2 handshakes that can help with this.

Review your email security controls. The initial vector here is a malicious email that gets opened in Roundcube, so ensure you have robust filtering at the gateway level. While this won't catch everything, it can reduce the attack surface.

Finally, consider whether your university's mail infrastructure is properly segmented from internal research networks. If a mail server compromise can lead to access to sensitive research data, you need to understand and mitigate that risk. The attackers clearly see academic institutions as valuable targets for espionage, and your security posture should reflect that reality.

More blogs