Proofpoint has identified a suspected China-aligned threat actor exploiting vulnerable Roundcube servers at U.S. and Canadian universities to steal credentials and gain persistent access.
Rather than targeting email content alone, the campaign appears designed to use compromised mail servers as an entry point into broader institutional networks.
Proofpoint tracks the activity cluster as UNK_MassTraction, a temporary designation used for emerging threat clusters that have not yet been assigned a formal threat actor identifier.
Since May 2026, the group has targeted physics and engineering departments, particularly those involved in astrophysics, particle physics, and research with national security connections.
Key Takeaways of the Proofpoint Research
- A suspected China-aligned threat actor exploited multiple Roundcube vulnerabilities to steal credentials and establish persistent access to university mail servers.
- The campaign targeted vulnerable Roundcube servers at U.S. and Canadian universities, using compromised mail servers as a gateway into broader institutional networks.
- Attackers combined credential theft, webshell deployment, and the VShell backdoor to maintain access while employing multiple techniques to evade detection.
How Roundcube vulnerabilities enabled multi-stage attacks
The campaign exploits multiple previously disclosed Roundcube vulnerabilities to compromise webmail servers.
The attack begins with CVE-2024-42009, a cross-site scripting (XSS) flaw that allows malicious JavaScript to execute when a victim simply opens a specially crafted email in a vulnerable Roundcube webmail client.
Once executed, the JavaScript loader deploys a credential-stealing payload that Proofpoint calls IceCube.
The malware collects usernames, passwords, session cookies, two-factor authentication material, and browser reconnaissance data before transmitting the information to command-and-control (C2) infrastructure.
IceCube then leverages a second vulnerability, CVE-2025-49113, to gain server-side access by exploiting a deserialization flaw.
Depending on the environment, the malware either installs a webshell known as SquareShell or loads the VShell backdoor directly into memory, providing attackers with persistent access while minimizing forensic evidence.
Proofpoint noted that the malware appears intentionally engineered to evade detection by cleaning up browser artifacts, monitoring user activity, retrying failed exploitation attempts, and destroying active sessions after compromise.
Why universities were targeted in the Roundcube campaign
Although the phishing lures were generic, Proofpoint believes the campaign’s targets were anything but random.
The researchers observed attacks against physics and engineering departments at major U.S. and Canadian universities that were running vulnerable versions of Roundcube.
This suggests the threat actor conducted reconnaissance before launching the campaign to identify organizations susceptible to the exploits.
While the emails primarily targeted professors and administrators, Proofpoint noted that the exploit only required recipients to open the email in a vulnerable Roundcube webmail client.
As a result, the specific recipient may have been less important than gaining access to the underlying mail server.
How attackers use mail servers as network pivot points
Unlike attacks focused on stealing email content, UNK_MassTraction appears to treat mail servers as network edge devices that provide an opportunity to move deeper into victim environments.
VShell, the publicly available backdoor deployed during some infections, supports interactive command execution and port forwarding, capabilities commonly used to pivot through compromised networks.
Proofpoint noted that several China-aligned threat groups have previously adopted VShell during intrusions targeting Linux, Windows, and macOS systems.
The researchers also observed mature operational security throughout the campaign.
This included timestomping webshells to blend into legitimate files, fallback mechanisms to maintain the infection chain if exploitation failed, and extensive logging designed to help operators troubleshoot unsuccessful compromises.
How defenders should secure Roundcube mail servers
The campaign highlights why internet-facing mail servers require the same level of protection as VPN gateways and other remote access infrastructure.
Organizations running Roundcube should apply available patches and monitor webmail environments for unusual authentication activity.
They should also inspect systems for unauthorized webshells and review server logs for evidence of exploitation attempts.
Security teams should also implement phishing-resistant multifactor authentication, continuously monitor privileged accounts, and restrict administrative access.
Proofpoint assesses with moderate confidence that UNK_MassTraction is a China-aligned espionage group based on its infrastructure, use of VShell, targeting patterns, and Chinese-language artifacts observed during the campaign.
The research serves as a reminder that email infrastructure remains an attractive target for advanced threat actors.
As attackers continue targeting internet-facing infrastructure, organizations are implementing Zero Trust solutions to continuously verify identities, enforce least-privilege access, and reduce the risk of lateral movement.





