Proofpoint links UNK_MassTraction to phishing Roundcube hacks at US and Canadian universities
A Proofpoint researcher says targets were likely “a few dozen” universities, with ongoing exploitation of Roundcube flaws.

Proofpoint threat researchers say suspected China-aligned spies, tracked as UNK_MassTraction, have been breaking into major US and Canadian universities since May via vulnerabilities in Roundcube mailservers. The intrusions relied on phishing and multiple Roundcube exploits, including one that installs remote webshell access, making university IT and risk leaders act now.
Suspected China-aligned cyber spies have been breaking into major US and Canadian universities since May by exploiting Roundcube mailserver vulnerabilities, Proofpoint says. The crew is tracked as UNK_MassTraction, and Proofpoint principal threat research engineer Greg Lesnewich told The Register it directly observed intrusions targeting “less than 10” universities. Lesnewich added that Proofpoint “estimate[s] the total volume of targets would be a few dozen universities,” while stressing that this is “at best a guess, not substantiated by our data.” The most recent sighting, Proofpoint says, occurred in early June, and it believes “the campaign is ongoing.”
This matters because the access path is not just “open a sketchy link.” It is open a message, in the context of the university's webmail session, and watch a chain of server-side exploitation happen. Proofpoint describes the initial access as requiring that the email be opened in the mail client of a vulnerable Roundcube instance, leveraging CVE-2024-42009, a cross-site scripting vulnerability in Roundcube that only requires that the email is opened in the mail client to achieve access to the server. Once that happens, a JavaScript loader executes from the message body and enables the attacker to remotely deliver a stealer called IceCube.
Proofpoint’s reporting paints a classic espionage setup: focus on departments where intelligence value is higher. Lesnewich said the compromise activity targets physics and engineering administrators and professors. The email security shop also says UNK_MassTraction focuses on individuals in departments with national security ties, and it zeroes in on astrophysics and particle physics, which are exactly the kind of areas Beijing has reasons to gather on in peacetime. In other words, this is not random campus noise. It is targeted data theft where the data itself is the point.
To understand why this attack chain sticks, you have to follow the exploit choreography Proofpoint lays out. It begins with phishing. Proofpoint says it found phishing emails sent to university departments from both compromised legitimate senders and abused domains vulnerable to spoofing. The lures are described as generic, sometimes purporting to be university marketing messages. Proofpoint also notes something that is easy for boards to miss: the generic nature “could imply a larger targeting swath” than the “less than 10” universities Proofpoint directly observed. It also says the actor may be betting that recipients open the email but do not investigate it, and that “is still sufficient for the actor to gain access.”
Opening the email triggers CVE-2024-42009. Proofpoint says the bug abuses a desanitization issue and can allow remote attackers to steal and send messages. After the user opens the email in the webmail client on a vulnerable Roundcube instance, the JavaScript loader runs. That loader deploys IceCube, which Proofpoint says escapes Roundcube’s iFrame instantiation using DOM traversal. That escape matters because it gives the stealer access to the full Document Object Model (DOM) and the Roundcube authentication session in the browser. Then IceCube steals usernames, passwords, session tokens, and cookies, and performs reconnaissance, collecting info on language in use, screen size, and form field values. Proofpoint says the stealer sends the initial data to command-and-control servers via HTTP POST.
The next step is where the campaign moves from “steal credentials” to “take control.” Proofpoint says IceCube uses the session’s CSRF token to set up gadgets to exploit another Roundcube vulnerability. This second flaw is a deserialization exploit tracked as CVE-2025-49113. With that, Proofpoint says attackers install a webshell called SquareShell, enabling remote code execution, plus a VShell implant. Proofpoint says it scanned for SquareShell on compromised servers and coordinated with government and industry partners to notify identified victims. It also reports that as of June, attackers introduced a fallback channel in case the original webshell deployment did not work. Previously, Proofpoint says, if the webshell did not execute, the attack chain would fail.
Proofpoint says the fallback channel runs a shell script to set up execution of another loader Google tracks as SnowLight. Proofpoint notes the shell script “has been used in other exploit-driven intrusions by Chinese adversaries,” likely indicating a privately shared capability. It also reports “several cases” where VPS IP addresses appear in phishing email headers, tied to a “covert infrastructure network likely used by multiple China-aligned threat actors.” Combining this infrastructure access, low-volume targeting of US and Canadian universities, VShell usage, and Chinese-language artifacts within the phishing emails, Proofpoint says it assesses UNK_MassTraction is “likely a China-aligned espionage motivated threat actor” with “moderate operational security awareness.”
There is also a “similar but not confirmed” thread that risk teams should care about. Proofpoint says the espionage activity is similar to an earlier campaign Trellix disclosed, which used a filename parsing vulnerability to deliver VShell malware and included a Go-based backdoor used by Chinese APT groups for remote access and post-exploitation control. But Proofpoint says it cannot definitely link that earlier activity to UNK_MassTraction. That ambiguity matters operationally: even if your org is clean of this specific chain, the broader pattern is that Roundcube and adjacent server-side surfaces remain attractive for stealthy, credential-enabled, webshell-capable intrusion paths.
This story's Key Insights and Take-aways are locked.
Create a free account to unlock Executive Actions for one credit.
Register to UnlockAlways free for Executives Club members. Join the Club
More in Science
USDA confirmed June 3 New World screwworm case. Here’s how to protect pets
A first US case means more vigilance, faster wound checks, and prevention steps shelters can standardize now.
Spanish manufacturers get productivity lift from robots, but exports stay flat without local markets
A UOC study finds automation boosts output inside SMEs, while export gains depend more on regional localization than robots.
University of Osaka probes Alzheimer's-linked lipids at single-cell resolution in tissues
A new Analytical Chemistry technique aims to map cell-by-cell lipid differences that could clarify disease onset and spread.

