UNK_MassTraction infection chain| Image: Proofpoint
At a glance
| Actor | UNK_MassTraction — suspected China-aligned espionage cluster |
| Activity | Roundcube exploitation for credential theft, webshells, and the VShell backdoor |
| Targets | Physics and engineering departments at US and Canadian universities |
| Scale | Fewer than 10 confirmed victims; a few dozen possibly impacted (Proofpoint) |
| Law-enforcement status | No arrests or charges; victims notified with partners |
| Source | Proofpoint Threat Research |
TL;DR
Proofpoint is tracking a suspected China-aligned group named UNK_MassTraction. Since May 2026, it has abused Roundcube webmail flaws at US and Canadian schools. The goal appears to be quiet access to physics and engineering networks.
What happened
From email to browser
The attack starts with a simple email. A target opens it in an unpatched Roundcube webmail client. Hidden JavaScript then runs on its own. That code abuses CVE-2024-42009, a critical cross-site scripting bug. The whole chain fires the moment the email renders. The lure only has to get the target to open it. It needs no attachment and no fake login page. Also, the group used spoofed domains and hacked accounts. A stealer that Proofpoint calls IceCube takes over next. It grabs saved logins, cookies, and two-factor data. Earlier messages even hid Chinese-language traces in the HTML. Proofpoint says the stealer was “likely created with the help of a large-language model.”
Pivot to the server
IceCube does not stop at the browser. It then abuses CVE-2025-49113, a second critical flaw. That step plants a webshell that Proofpoint names SquareShell. The webshell copies a real plugin’s timestamp to blend in. If it fails, a fallback script loads a stager called SNOWLIGHT. That stager pulls the VShell backdoor into memory. IceCube also sets deferred triggers to keep the chain alive. Those triggers watch tab changes and the logout button. Finally, it wipes sessions to erase its tracks. Because of that, the group rarely loses its foothold.
Who is behind it
Proofpoint is cautious about who did it. It assesses UNK_MassTraction as “likely a China-aligned espionage motivated threat actor.” Several clues point that way. The phishing emails used covert servers tied to many China-aligned actors. The tooling also included VShell and Chinese-language clues. Other researchers link SNOWLIGHT and VShell to a China-nexus cluster, UNC5174. This also marks the first China-aligned actor tied to Roundcube abuse. Russian groups once favored that tactic. So the picture points firmly toward China.
Impact and scale
The campaign stays small but pointed. It targets professors and admins in physics and engineering teams. Many hold national security ties or study astrophysics. Proofpoint confirmed fewer than 10 victims so far. It also estimates a few dozen schools may be hit. The lures looked generic, which hints at a wider net. Still, the target list looks carefully chosen. Here, UNK_MassTraction treats mailservers as a pivot, not the prize. So it uses them as edge devices into wider networks. Proofpoint scanned for SquareShell and warned affected schools.
What comes next and how to stay protected
The campaign looks ongoing, and no charges have followed. Both flaws are patched, so updated Roundcube builds block them. Admins should patch fast and tighten DMARC against spoofed senders. Therefore, treat mailserver patches as urgent. Also watch for forced logouts that wipe server logs. Monitor Roundcube plugins for odd new files too. Proofpoint says “Defenders should prioritize defending the mailservers of their networks.” Treat webmail as an exposed edge, not a quiet backwater.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.