2026-07-09 · view entry permalink →
UNK_MassTraction: suspected China-aligned actor exploits Roundcube as an edge device, chaining CVE-2024-42009 XSS into CVE-2025-49113 deserialization
Proofpoint Threat Research documented UNK_MassTraction, a suspected China-aligned espionage cluster that since May 2026 has targeted physics and engineering departments at US and Canadian universities by exploiting Roundcube webmail as an edge device rather than phishing end users for credentials (Proofpoint, 2026-07-07). The initial vector is CVE-2024-42009, a Roundcube XSS that executes attacker JavaScript via the onanimationstart handler the moment a crafted email is opened in a vulnerable client — no attachment or link click required (T1566 delivery, T1203 client-side execution). That JavaScript loads IceCube, a Roundcube stealer that escapes the mail client's iframe by DOM traversal to reach the full DOM and the authenticated session, harvesting usernames, passwords, 2FA material and cookies; Proofpoint notes IceCube's verbose, well-commented code was likely produced with LLM assistance (Proofpoint, 2026-07-07).
IceCube then uses "helper" modules and the session's CSRF token to trigger CVE-2025-49113, a PHP object-deserialization flaw in Roundcube's handling of the embedded Crypt_GPG_Engine: a serialized gadget whose __destruct() passes _gpgconf into a shell-execution path lets the actor plant the SquareShell webshell into a plugin directory — timestomped to match a legitimate plugin — for remote code execution (T1190 server-side exploitation, T1505.003 web shell) (Proofpoint, 2026-07-07). A fallback channel introduced in June 2026 downloads an architecture-specific ELF loader that reflectively loads the publicly available VShell Go backdoor into memory (T1620), spoofing a kernel-worker process name; VShell's interactive shell and port-forwarding are the likely pivot into the target network. IceCube also installs "deferred triggers" that re-attempt exploitation if the user changes tabs or clicks logout, then destroys Roundcube sessions to force logout and remove forensic evidence. Attribution to a China-aligned actor rests on covert-VPS infrastructure reuse across China-aligned actors, Chinese-language build artifacts, and VShell tradecraft precedent (cited as tooling overlap, not the same actor) (Proofpoint, 2026-07-07).
The campaign uses an initial cross-site scripting (XSS) vulnerability to execute JavaScript inside of the victim browser.
IceCube will use what it calls “helpers” to exploit a second Roundcube vulnerability, a deserialization exploit (CVE-2025-49113) that abuses the parsing of the embedded Crypt_GPG_Engine to install a simple webshell we call SquareShell.
Chinese adversaries have previously used exploits against mailservers in a similar manner: treating them as edge devices to pivot into a target network.