A suspected China-aligned threat cluster has been exploiting vulnerable Roundcube mail servers at universities in the US and Canada to steal credentials and establish network access.
New research from Proofpoint, published on June 7, tracked the activity under the name UNK_MassTraction and found that attackers were targeting physics and engineering departments at academic institutions with potential links to national security.
Proofpoint assessed that the attackers likely selected these organizations after identifying vulnerable Roundcube instances.
The campaign used multiple known Roundcube vulnerabilities to compromise mail servers, using stolen credentials and server access as a pathway into victim networks rather than focusing solely on email data theft.
The activity follows previous campaigns in which China-aligned operators exploited internet-facing infrastructure to gain access to targeted organizations, including attacks involving vulnerable edge devices and public-facing applications.
Roundcube Servers Used as Network Entry Points
Proofpoint found that UNK_MassTraction used phishing emails containing malicious content designed to exploit CVE-2024-42009, a cross-site scripting (XSS) vulnerability in Roundcube.
When executed in a vulnerable webmail client, the exploit allowed JavaScript to run in the victim's browser.
The JavaScript payload, tracked by Proofpoint as IceCube, was used to steal usernames, passwords, cookies and authentication data. The malware also gathered information about victims’ environment and used the stolen session data to continue the compromise.
The firm observed the attackers using a range of techniques during the infection chain, including:
-
Credential theft through malicious JavaScript payloads
-
Server-side exploitation of vulnerable Roundcube components
-
Deployment of webshells for remote access
-
Memory-based execution of the VShell backdoor
Attackers Deploy VShell For Follow-On Access
After gaining access to Roundcube servers, UNK_MassTraction exploited CVE-2025-49113, a deserialization vulnerability, to deploy a webshell or install the VShell backdoor in memory.
Proofpoint said VShell, a publicly available Go-based remote access tool, has previously been used by China-aligned operators across Windows, Linux and macOS environments. The malware provides interactive shell access and port-forwarding capabilities that can help attackers move deeper into compromised networks.
The firm assessed that UNK_MassTraction was likely conducting espionage-focused operations based on its targeting, infrastructure links and the presence of Chinese language artifacts in some phishing emails.
"The campaign is a reminder that email delivery can facilitate compromise of mail servers, and that Chinese operators will continue to treat them like any other edge device," Proofpoint warned.
"Defenders should prioritize defending the mail servers of their networks as thoroughly as they do their VPN concentrators and other remote access nodes on their networks."
