A group presumably linked to China and tracked by Proofpoint as UNK_MassTraction has, since May 2026, been conducting targeted attacks against Roundcube mail servers of physics and engineering departments at universities in the U.S. and Canada. The campaign exploits two critical vulnerabilities — CVE-2024-42009 (CVSS 9.3) and CVE-2025-49113 (CVSS 9.9) — to steal credentials, deploy web shells, and install the VShell post‑exploitation tool. Roundcube administrators must immediately check their server versions and apply the available patches.
Exploitation chain: from opening an email to full server control
The attack starts with phishing emails sent from compromised accounts or via domains with misconfigured DMARC policies, which allows sender spoofing. A key aspect is that to trigger the exploit it is enough to simply open the email in the Roundcube client. The CVE-2024-42009 vulnerability is an XSS flaw with a CVSS score of 9.3 that makes it possible to execute arbitrary JavaScript code in the victim’s browser context.
According to the researchers, the attackers conducted prior reconnaissance of target organizations to determine which of them were running vulnerable versions of Roundcube. This points to a high level of preparation and a highly targeted campaign.
IceCube payload
After exploiting the XSS vulnerability, a JavaScript payload codenamed IceCube is delivered. Its functions include:
- Stealing credentials stored in the browser, including two‑factor authentication data and cookies
- Collecting environment information: browser language, screen size, values of form fields
- Exfiltrating the collected data to an external server via an HTTP POST request
- Using the session CSRF token to exploit the second vulnerability — CVE-2025-49113 (CVSS 9.9) — which enables remote code execution after authentication
The implementation of “deferred triggers” is notable: IceCube tracks page closure, tab switching, the cursor leaving the browser window, and intercepts the logout button. On any of these events, the malware repeatedly attempts to exploit CVE-2025-49113 and notifies the command server that the user session has ended.
Persistence on the server: SquareShell and VShell
Exploitation of CVE-2025-49113 is aimed at obtaining persistent access to the mail server. The primary method is deploying the SquareShell web shell in memory, accessible at the path:
plugins/newmail_notifier/mail_preview.php
This web shell provides arbitrary code execution on the server. If its installation fails, a fallback mechanism has been used since June 2026: a shell script is executed that downloads the ELF loader SNOWLIGHT, compatible with the target system’s architecture. SNOWLIGHT, in turn, delivers VShell — a remote administration tool written in Go and functionally similar to Cobalt Strike.
According to NVISO researchers, VShell provides a wide range of post‑exploitation capabilities and has been used by various groups believed to be linked to China.
Anti-forensics
Upon completion of all operations or when a timeout is reached, IceCube destroys both the user sessions and the maliciously created sessions on the server. This results in the user being forcibly logged out and removes traces of the compromise from the Roundcube server — a deliberate measure to impede investigation.
Threat context and attribution
According to Proofpoint researchers, the campaign is deliberately targeting administrators and professors of departments related to national security, as well as those working in astrophysics and particle physics. The use of generic lures in phishing emails reportedly suggests a broader set of targets beyond the researchers’ visibility.
The researchers assess that the attackers view Roundcube mail servers as an entry point into target networks — similar to how VPN concentrators and other edge devices are exploited. The infection chain is deliberately designed to evade detection.
It should be noted that attribution of the campaign to Chinese groups is based on data from a single vendor and has not been confirmed by independent sources. The association of the SNOWLIGHT and VShell toolset with specific activity clusters requires additional verification.
Impact assessment
The highest risk is faced by organizations running unpatched instances of Roundcube, primarily educational institutions, which traditionally have heterogeneous IT infrastructures and limited cybersecurity resources. The combination of two critical vulnerabilities with CVSS scores of 9.3 and 9.9 makes this attack chain exceptionally dangerous: from opening an email to full server control can take just a few seconds.
Compromise of a mail server gives attackers access to all of an organization’s correspondence, which, in the case of departments with ties to the national security field, creates risks of sensitive information leakage.
Security recommendations
- Update Roundcube to the latest version that addresses CVE-2024-42009 and CVE-2025-49113. Both vulnerabilities have patches — applying them is the top priority.
- Check for indicators of compromise: pay special attention to the file
plugins/newmail_notifier/mail_preview.php— its presence or modification may indicate a deployed SquareShell web shell. - Configure your DMARC policy with a
rejectorquarantinemode to prevent sender spoofing via your domains. - Implement monitoring of outbound HTTP POST requests from the mail server to external hosts — this is the main data exfiltration channel in the described campaign.
- Audit sessions on the mail server: anomalous mass session terminations may point to the anti‑forensics activity of IceCube.
- Consider network segmentation to limit the ability to use the mail server as an entry point into the rest of the infrastructure.
The UNK_MassTraction campaign demonstrates that mail servers remain a fully fledged vector for network intrusion, not just a means of delivering phishing emails. Organizations using Roundcube should immediately update their servers to current versions and check for the presence of the file plugins/newmail_notifier/mail_preview.php as a potential indicator of compromise. Mail infrastructure deserves the same level of protection as VPN gateways and other edge devices.