Skip to content
Tech News
← Back to articles

Hackers exploit Roundcube flaw to spy on academic researchers

read original more articles

A China-linked threat cluster has been exploiting vulnerable Roundcube servers at U.S. and Canadian universities to steal credentials and deploy backdoor malware.

The campaign has been observed since May and focuses on physics and engineering departments, administrators and professors, as well as organizations involved in astrophysics, particle physics, or national security-related research.

Researchers at cybersecurity company Proofpoint are tracking the activity under the name ‘UNK_MassTraction’ and believe to be associated with a new threat cluster.

The attack begins with a malicious email sent from compromised accounts or spoofed domains, using a generic lure.

Sample emails from the campaign

Source: Proofpoint

Opening the email in a vulnerable Roundcube webmail client triggers exploitation of a cross-site scripting flaw tracked as CVE-2024-42009, which executes JavaScript code inside the victim’s browser, loading a payload called IceCube.

According to the researchers, IceCube "is a fully-featured Roundcube stealer" that can harvest usernames, passwords, cookies, two-factor authentication (2FA) data, and browser information.

Proofpoint says that the malware uses "helpers" to exploit a Roundcube deserialization flaw tracked as CVE-2025-49113 and attempts to install SquareShell, a PHP webshell that includes remote code execution capabilities.

If successful, the attacker gains remote code execution on the mail server; otherwise, the malware downloads a shell script that loads another payload, VShell, directly in memory.

... continue reading