// 1 ZERO-DAY · 1 CVE · 1 EXPLOIT IN THE LAST 24H
Proofpoint has identified UNK_MassTraction, a suspected Chinese cluster, exploiting two Roundcube N-day vulnerabilities to compromise webmail servers at US and Canadian universities, targeting physics and engineering departments with national security ties.

Editor's note: All technical details derive from a single Proofpoint report; secondary sources confirm only the disclosure. The attribution to Chinese operators is explicitly assessed by Proofpoint as "only an assessment and decidedly not high confidence."

Proofpoint disclosed on July 7, 2026 an active cyber espionage campaign running since May against Roundcube servers at US and Canadian universities. The cluster tracked as UNK_MassTraction compromised internet-exposed webmail servers, specifically targeting physics and engineering departments with links to national security. The technical analysis documents a multi-stage infection chain that turns a cross-site scripting vulnerability into remote code execution.

Key Takeaways
  • UNK_MassTraction, a suspected Chinese cluster, has been active since May 2026 against US and Canadian universities.
  • The attack chain exploits CVE-2024-42009 (CVSS 9.3) and CVE-2025-49113 (CVSS 9.9), both in CISA's KEV catalog.
  • The IceCube JavaScript payload implements deferred triggers that retry exploitation upon user actions.
  • If the SquareShell web shell deployment fails, the chain falls back to SNOWLIGHT to execute the VShell backdoor in memory, a mechanism introduced in June 2026.

FACT: The Dual Exploit Chain

Initial access occurs via malicious emails sent from compromised senders or spoofed domains with weak DMARC policies, as documented by Proofpoint. The recipient need only open the message in a vulnerable Roundcube client: CVE-2024-42009, a cross-site scripting flaw rated CVSS 9.3 per the NVD record, executes the JavaScript payload dubbed IceCube.

IceCube leverages the onanimationstart event to activate and steals credentials and CSRF tokens via HTTP POST. With the stolen session token, the attacker triggers CVE-2025-49113, a PHP deserialization vulnerability rated CVSS 9.9 per NVD, in the file program/actions/settings/upload.php. The combination enables authenticated remote code execution on the server.

IceCube intercepts specific user events — page close, tab switch, cursor leaving the browser area, logout click — and retries exploitation of CVE-2025-49113 should the first attempt fail. Upon completion, it destroys sessions to erase forensic traces. Proofpoint documents this mechanism as "deferred triggers."

FACT: Payload, Web Shell, and In-Memory Backdoor

Upon successful deserialization, the attacker deploys SquareShell, a PHP web shell placed at plugins/newmail_notifier/mail_preview.php with altered timestamps to evade timeline analysis. The shell is remotely accessible and provides persistent access to the compromised server.

Starting in June 2026, according to Proofpoint, the chain acquired a fallback mechanism. If SquareShell deployment fails, a shell script downloads the SNOWLIGHT ELF loader to execute VShell in memory, a Go-written backdoor that provides an interactive shell and port forwarding. VShell has been observed in operations by suspected Chinese actors, though Proofpoint notes the absence of data directly linking UNK_MassTraction to the UNC5174 cluster or other known adversaries.

Proofpoint also identifies stylistic markers in the IceCube code suggesting the assistance of a language model during development.

FACT: Documented Targets and Motivation

The campaign does not strike indiscriminately: Proofpoint documents the targeting of administrators and professors in departments with national security ties or active in astrophysics and particle physics. The researchers state that "the actor is likely abusing Roundcube servers as a pivot point to enter target networks, and the operators have deliberately built their infection chain to avoid detection."

"The actor is likely abusing Roundcube servers as a pivot point to enter target networks, and the operators have deliberately built their infection chain to avoid detection."
— Greg Lesnewich and Mark Kelly, Proofpoint

FACT: Attribution and Its Limits

Proofpoint places UNK_MassTraction among clusters suspected of Chinese origin based on three indicators: infrastructure overlap with a covert VPS network associated with multiple China-linked actors; Chinese-language artifacts in the initial phishing emails; and the characteristic tactical choice of targeting internet-exposed mail servers. BleepingComputer reports the researchers' explicit caveat: "the attribution in this case is only an assessment and decidedly not high confidence."

The dossier does not establish whether UNK_MassTraction represents an emerging actor or the rebranding of an existing group. No infrastructure overlaps linking the cluster to UNC5174 have emerged to date, despite the use of SNOWLIGHT and VShell in both contexts.

What to Do Now

  • Verify application of Roundcube patches 1.5.10/1.6.11 or later for CVE-2025-49113, and 1.5.8/1.6.8 or later for CVE-2024-42009, both in CISA's KEV catalog.
  • Inspect the path plugins/newmail_notifier/mail_preview.php for unauthorized web shells.
  • Review institutional domain DMARC policies to reduce the effectiveness of initial spoofing.
  • Monitor access logs to program/actions/settings/upload.php for anomalous activity from authenticated sessions.

ANALYSIS: The Academic Context

The campaign fits a recurring pattern of targeting internet-exposed email infrastructure. Proofpoint notes that "Chinese operators will continue to treat them like any other perimeter device." The choice of Roundcube reflects its prevalence as self-hosted open-source webmail in environments with limited security resources.

Proofpoint researchers close with an ironic but precise warning: "While this campaign's targeting may capture the imagination, it is unlikely that UNK_MassTraction will resolve deep theoretical physics questions or the Fermi Paradox anytime soon." The quip underscores that the objective is network access, not the scientific content of emails.

Sources: Proofpoint via The Hacker News (2026-07-07); BleepingComputer (2026-07-07); InfoSecurity Magazine (2026-07-07); HackRead (2026-07-07); GBHackers (2026-07-07); NVD CVE-2024-42009; NVD CVE-2025-49113.

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. thehackernews.com
  2. bleepingcomputer.com
  3. infosecurity-magazine.com
  4. hackread.com
  5. gbhackers.com
  6. nvd.nist.gov
  7. helpx.adobe.com