[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPuHADadcmnqqJCj-wAOa3CxC1vNA6ZKoSCCmdNF0e-w":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":27,"category":28,"article_tags":32},"7bd204fc-ba44-4c8c-b757-fda0638ab5c3","UNK_MassTraction Exploits Roundcube Flaws Against US, Canadian Universities","unk-masstraction-exploits-roundcube-flaws-against-us-canadian-universities-ddf91f","China-linked UNK_MassTraction targets US and Canadian universities through Roundcube flaws, stealing sessions and opening access to research mail servers.","A suspected China-aligned espionage group, UNK_MassTraction, is targeting US and Canadian universities by exploiting Roundcube vulnerabilities. The campaign, active since May 2026, focuses on physics and engineering departments with sensitive research, aiming to steal session data and gain access to research mail servers.","China-linked UNK_MassTraction targets US\u002FCanadian universities via Roundcube flaws.","Security Phishing ScamUNK_MassTraction Exploits Roundcube Flaws Against US, Canadian Universities China-linked UNK_MassTraction targets US and Canadian universities through Roundcube flaws, stealing sessions and opening access to research mail servers. byWaqasJuly 8, 20262 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening Proofpoint has identified a suspected China-aligned espionage group targeting vulnerable Roundcube mail servers at universities in the US and Canada, with activity focused on physics and engineering departments associated with sensitive research. The operation has specifically focused on administrators and professors in departments with national security ties or in departments that study astrophysics and particle physics. The firm tracks the group as UNK_MassTraction, and the campaign has been active since May 2026. How the Attack Works The emails abuse CVE-2024-42009, a cross-site scripting vulnerability in Roundcube’s HTML sanitization. When the email is opened in a vulnerable Roundcube webmail client, an onanimationstart event can trigger embedded JavaScript, which then loads an external JavaScript file and sets the attack chain in motion. Proofpoint refers to this JavaScript as IceCube. Once loaded, it collects credentials, cookies, and other browser session data. According to researchers, comments found throughout the code suggest that a large language model may have helped create it. IceCube then uses the stolen session data to prepare the next set of attack components. The next stage abuses CVE-2025-49113, a deserialization vulnerability in the Crypt_GPG component. Successful exploitation installs SquareShell, a PHP web shell placed in a plugin-like path with altered timestamps to help it avoid notice. In their blog post shared with Hackread.com, researchers noted that operators are also deploying VShell, a Go-based backdoor loaded directly into memory without writing files to disk. The company has linked VShell to earlier China-linked activity. Another noteworthy aspect of the campaign is the fact that attackers are also using built-in cleanup and persistence steps to keep the chain moving. After running, the code clears traces from local storage, closes active sessions, and checks whether the machine has already been infected, for example by looking for a marker file in the temporary directory. Once the attackers reached the mail servers, they gained access inside university environments, giving them room to look for other connected systems. What’s worse, the emails were also harder to dismiss because they came from accounts and domains the attackers had already taken over. Email content (Image: Proofpoint) Researchers also found some parts of the code include Chinese-language strings, and the command infrastructure matches patterns seen in similar activity. The operators also appear to have built the tooling with their own troubleshooting in mind, adding logging and several fallback options in case one route failed. Install Patches and Protect Your Organization Organizations that expose Roundcube to the internet should confirm patches are in place. Mail server logs and web directory changes should also be reviewed, especially for signs of new or modified files. Proofpoint also shared IP addresses, file hashes, and URLs that defenders can use to check their own environments. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts CanadaChinaCyber AttackCyber CrimeCybersecurityPrivacyRoundcubesecurityUniversityUNK_MassTractionUSAVulnerability Leave a Reply Cancel reply View Comments (0) Related Posts Read More Cyber Crime Privacy Security Operation BULUT: Encrypted Chats from Sky ECC, ANOM Lead to 232 Arrests Intelligence from encrypted platforms like Sky ECC and ANOM has led to the arrest of 232 individuals and… byDeeba Ahmed Malware Scams and Fraud Security New malware in pirated games disables Windows Updates, Defender Dubbed Crackonosh by researchers; the malware uses the victim's computer resources to mine cryptocurrencies for its developers. byWaqas Security The 10 Best Cybersecurity Companies in the UK Discover the best cybersecurity companies to protect your business, and learn how to find the top ones that… byOwais Sultan Security Researchers condemn unsubstantiated WhatsApp “Backdoor” story by Guardian The Guardian, a well known UK-based newspaper, is being heavily criticized by security researchers for publishing an unverified… byRyan De Souza","https:\u002F\u002Fhackread.com\u002Funk-masstraction-roundcube-us-canada-universities\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F07\u002Funk-masstraction-hackers-roundcube-us-canada-universities-1.png","2026-07-08T11:54:48+00:00","2026-07-08T12:00:34.822694+00:00",9,[18,21,24],{"name":19,"type":20},"UNK_MassTraction","threat_actor",{"name":22,"type":23},"Roundcube","product",{"name":25,"type":26},"PHP web shell","technology","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":27,"icon":29,"name":30,"slug":31},null,"Nation-state","nation-state",[33,38,40,45],{"category":34},{"id":35,"icon":29,"name":36,"slug":37},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":39},{"id":27,"icon":29,"name":30,"slug":31},{"category":41},{"id":42,"icon":29,"name":43,"slug":44},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":46},{"id":47,"icon":29,"name":48,"slug":49},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[51,55],{"type":52,"value":53,"context":54},"cve","CVE-2024-42009","Cross-site scripting vulnerability in Roundcube exploited to trigger JavaScript.",{"type":52,"value":56,"context":57},"CVE-2025-49113","Deserialization vulnerability in Crypt_GPG component used for malware installation."]