Hackers exploit Roundcube flaw to spy on academic researchers
China-linked hackers exploit Roundcube flaw to steal credentials and deploy malware.
Summary
A China-linked threat cluster, tracked as UNK_MassTraction, is exploiting a cross-site scripting flaw (CVE-2024-42009) in vulnerable Roundcube webmail servers at U.S. and Canadian universities. The attackers aim to steal credentials and deploy backdoor malware like IceCube and SquareShell, targeting physics, engineering, and national security research departments.
Full text
Hackers exploit Roundcube flaw to spy on academic researchers By Bill Toulas July 8, 2026 02:56 PM 1 A China-linked threat cluster has been exploiting vulnerable Roundcube servers at U.S. and Canadian universities to steal credentials and deploy backdoor malware. The campaign has been observed since May and focuses on physics and engineering departments, administrators and professors, as well as organizations involved in astrophysics, particle physics, or national security-related research. Researchers at cybersecurity company Proofpoint are tracking the activity under the name ‘UNK_MassTraction’ and believe to be associated with a new threat cluster. The attack begins with a malicious email sent from compromised accounts or spoofed domains, using a generic lure. Sample emails from the campaignSource: Proofpoint Opening the email in a vulnerable Roundcube webmail client triggers exploitation of a cross-site scripting flaw tracked as CVE-2024-42009, which executes JavaScript code inside the victim’s browser, loading a payload called IceCube. According to the researchers, IceCube "is a fully-featured Roundcube stealer" that can harvest usernames, passwords, cookies, two-factor authentication (2FA) data, and browser information. Proofpoint says that the malware uses "helpers" to exploit a Roundcube deserialization flaw tracked as CVE-2025-49113 and attempts to install SquareShell, a PHP webshell that includes remote code execution capabilities. If successful, the attacker gains remote code execution on the mail server; otherwise, the malware downloads a shell script that loads another payload, VShell, directly in memory. VShell is a commodity Go-based backdoor that supports interactive shell access and port forwarding, which is commonly used by Chinese threat actors. Overview of the attack flowSource: Proofpoint Based on several observations, Proofpoint assesses that UNK_MassTraction is likely a China-aligned espionage actor. First, the infrastructure used in the attacks overlaps with a covert VPS network previously associated with multiple China-linked actors. Another clue is the presence of Chinese-language artifacts in earlier phishing emails. Finally, the tactic of targeting internet-facing mail servers as a foothold for accessing internal networks is a hallmark of Chinese attacks. Taking everything into account, Proofpoint emphasizes that attribution in this case is just an assessment and definitely not a high-confidence one. An interesting finding regarding the specific targeting of this campaign is that UNK_MassTraction appears to have selected servers previously deemed vulnerable to CVE-2024-42009 and CVE-2025-49113, so some reconnaissance was performed prior to the attacks. Administrators of Roundcube systems are advised to apply the latest security updates that address the two flaws and treat mail servers with the same diligence they show for VPNs and other remote access nodes. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: CISA orders feds to prioritize patching Langflow auth bypass flawCritical Langflow RCE flaw exploited to hack AI app serversCISA warns of max severity Ubiquiti flaws exploited in attacksMax severity Adobe ColdFusion flaw now exploited in attacksOver 900 Oracle E-Business instances exposed to ongoing attacks
Indicators of Compromise
- cve — CVE-2024-42009
- cve — CVE-2025-49113
- malware — IceCube
- malware — SquareShell
- malware — VShell