Cyber Security

Suspected China-Linked Hackers Are Exploiting Roundcube Flaws Against Universities

A cluster of China-linked threat activities has been spotted using the Roundcube webmail software for physics and engineering departments at US and Canadian universities as part of a new campaign.

The work involves exploiting now-patched, critical security flaws in an open-source email solution, such as CVE-2024-42009 (CVSS score: 9.3), to remove credentials, followed by deployment of a web shell for persistent access or a known exploit tool called VShell.

The emerging threat cluster is followed by Proofpoint under the moniker NK_MassTraction. It was first discovered in May 2026, with a focus on administrators and professors in departments with national security ties or organizations studying astrophysics and particle physics.

“Emails targeting university departments used both vulnerable senders, and victimized domains are at risk of being taken down due to the laxity of the DMARC policy for sending emails,” the security firm wrote in a technical report shared with The Hacker News, adding that the use of common threads shows “a large targeting mechanism” without its visibility.

Although the nature of the cross-site scripting (XSS) exploit is that it only requires the recipient to open the email in a Roundcube client to gain access to the mail server, it is considered that the target departments were chosen because they were all running versions of Roundcube that were vulnerable to the N-day security.

This indicates that a threat actor may perform a systematic probe on these targets to gather information about their locations before sending phishing emails that trigger the CVE-2024-42009 exploit and execute malicious JavaScript code in the victim’s web browser context.

“An actor is likely to abuse Roundcube’s servers as an entry point into target networks, and the operators will deliberately build their infection chain to avoid detection,” said Proofpoint researchers Greg Lesnewich and Mark Kelly.

The payload delivered following the XSS exploit, codenamed IceCube, is designed to extract authentication information stored in the browser as well as two-factor authentication (2FA) and cookies. It also creates its own information to collect information about browser language, screen size, and form field values. screen size, and form field values.

The harvested information is sent to the external system via an HTTP POST request. In the next step, IceCube uses the CSRF session token to exploit the second remote code release bug after Roundcube – CVE-2025-49113 (CVSS score: 9.9) – in order to gain access to the mail server and launch a web VShell called Square shell.

The web shell, implemented with the PHP gadget shell command, is remotely accessible at the end of “plugins/newmail_notifier/mail_preview.php” and enables arbitrary code execution. However, if the web shell installation fails for some reason, the chain of attack goes back to another way where a shell script is used through the Roundcube vulnerability to finally launch VShell.

The second method is said to have been launched in June 2026, where previously a series of attacks had simply exited when it failed to deploy SquareShell. The shell script serves as a pipeline for an ELF loader called SNOWLIGHT and has been used in other interventions planned by Chinese enemies. Uses of both SNOWLIGHT and VShell have been linked to a Chinese-linked cluster tracked as UNC5174 in the past.

This suggests that the shell script may be shared by multiple China-nexus clusters in a private environment, such as ShadowPad and other tools. The primary responsibility of the script is to download the version of SNOWLIGHT that matches the host system architecture and execute it.

“IceCube also creates what it calls ‘delayed triggers’ to ensure continuity of the chain of infection,” Proofpoint said. “Delayed triggers monitor when the user closes the page or switches tabs, checks if the mouse leaves the browser window, and steals the exit button.”

“If any of those actions are taken, IceCube logs those events, and retries the CVE-2025-49113 exploit, with beacons in C&C. [command-and-control] that the user has left the Roundcube session.”

After completing these actions or during a timeout, the JavaScript malware destroys the user’s sessions and the malware on the server, causing the user to log out and delete scientific evidence related to the corruption from the Roundcube server.

Written in Go, VShell is a remote administration tool that provides post-compromise capabilities similar to Cobalt Strike. It has been used by various adversaries aligned with China in recent years.

The development marks the first time a Chinese hacker group has been arrested for exploiting vulnerabilities in Roundcube, which has been exploited by state-sponsored threat actors from Russia.

“Although the mission’s findings are impressive, it is unlikely that UNK_MassTraction will solve deep questions of theoretical physics or the Fermi Paradox anytime soon,” the Proofpoint researchers concluded.

“UNK_MassTraction has demonstrated a mature toolkit and a unique use of n-day vulnerabilities. This campaign is a reminder that email delivery can make it easy to compromise a mail server, and that Chinese operators will continue to treat them like any other edge device, so defenders should prioritize protecting their network’s email servers as well as properly targeting their remote novices from their network’s reach for VPN.”

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button