Press play to start listening
Proofpoint has identified a suspected China-aligned espionage group targeting vulnerable Roundcube mail servers at universities in the US and Canada, with activity focused on physics and engineering departments associated with sensitive research.
The operation has specifically focused on administrators and professors in departments with national security ties or in departments that study astrophysics and particle physics.
The firm tracks the group as UNK_MassTraction, and the campaign has been active since May 2026.
How the Attack Works
The emails abuse CVE-2024-42009, a cross-site scripting vulnerability in Roundcube’s HTML sanitization. When the email is opened in a vulnerable Roundcube webmail client, an onanimationstart event can trigger embedded JavaScript, which then loads an external JavaScript file and sets the attack chain in motion.
Proofpoint refers to this JavaScript as IceCube. Once loaded, it collects credentials, cookies, and other browser session data. According to researchers, comments found throughout the code suggest that a large language model may have helped create it. IceCube then uses the stolen session data to prepare the next set of attack components.
The next stage abuses CVE-2025-49113, a deserialization vulnerability in the Crypt_GPG component. Successful exploitation installs SquareShell, a PHP web shell placed in a plugin-like path with altered timestamps to help it avoid notice.
In their blog post shared with Hackread.com, researchers noted that operators are also deploying VShell, a Go-based backdoor loaded directly into memory without writing files to disk. The company has linked VShell to earlier China-linked activity.
Another noteworthy aspect of the campaign is the fact that attackers are also using built-in cleanup and persistence steps to keep the chain moving. After running, the code clears traces from local storage, closes active sessions, and checks whether the machine has already been infected, for example by looking for a marker file in the temporary directory.
Once the attackers reached the mail servers, they gained access inside university environments, giving them room to look for other connected systems. What’s worse, the emails were also harder to dismiss because they came from accounts and domains the attackers had already taken over.
Researchers also found some parts of the code include Chinese-language strings, and the command infrastructure matches patterns seen in similar activity. The operators also appear to have built the tooling with their own troubleshooting in mind, adding logging and several fallback options in case one route failed.
Install Patches and Protect Your Organization
Organizations that expose Roundcube to the internet should confirm patches are in place. Mail server logs and web directory changes should also be reviewed, especially for signs of new or modified files.
Proofpoint also shared IP addresses, file hashes, and URLs that defenders can use to check their own environments.

