UNK_MassTraction: suspected China-aligned actor exploits Roundcube as an edge device, chaining CVE-2024-42009 XSS into CVE-2025-49113 deserialization
Proofpoint Threat Research documented UNK_MassTraction, a suspected China-aligned espionage cluster that since May 2026 has targeted physics and engineering departments at US and Canadian universities by exploiting Roundcube webmail as an edge device rather than phishing end users for credentials (Proofpoint, 2026-07-07). The initial vector is CVE-2024-42009, a Roundcube XSS that executes attacker JavaScript via the onanimationstart handler the moment a crafted email is opened in a vulnerable client — no attachment or link click required (T1566 delivery, T1203 client-side execution). That JavaScript loads IceCube, a Roundcube stealer that escapes the mail client's iframe by DOM traversal to reach the full DOM and the authenticated session, harvesting usernames, passwords, 2FA material and cookies; Proofpoint notes IceCube's verbose, well-commented code was likely produced with LLM assistance (Proofpoint, 2026-07-07).
IceCube then uses "helper" modules and the session's CSRF token to trigger CVE-2025-49113, a PHP object-deserialization flaw in Roundcube's handling of the embedded Crypt_GPG_Engine: a serialized gadget whose __destruct() passes _gpgconf into a shell-execution path lets the actor plant the SquareShell webshell into a plugin directory — timestomped to match a legitimate plugin — for remote code execution (T1190 server-side exploitation, T1505.003 web shell) (Proofpoint, 2026-07-07). A fallback channel introduced in June 2026 downloads an architecture-specific ELF loader that reflectively loads the publicly available VShell Go backdoor into memory (T1620), spoofing a kernel-worker process name; VShell's interactive shell and port-forwarding are the likely pivot into the target network. IceCube also installs "deferred triggers" that re-attempt exploitation if the user changes tabs or clicks logout, then destroys Roundcube sessions to force logout and remove forensic evidence. Attribution to a China-aligned actor rests on covert-VPS infrastructure reuse across China-aligned actors, Chinese-language build artifacts, and VShell tradecraft precedent (cited as tooling overlap, not the same actor) (Proofpoint, 2026-07-07).
The campaign uses an initial cross-site scripting (XSS) vulnerability to execute JavaScript inside of the victim browser.
IceCube will use what it calls “helpers” to exploit a second Roundcube vulnerability, a deserialization exploit (CVE-2025-49113) that abuses the parsing of the embedded Crypt_GPG_Engine to install a simple webshell we call SquareShell.
Chinese adversaries have previously used exploits against mailservers in a similar manner: treating them as edge devices to pivot into a target network.
Defender actions
- Verify every Roundcube instance — especially research/education and public-sector webmail — is patched against CVE-2024-42009 and CVE-2025-49113, and treat unpatched webmail as an internet-facing edge device on par with a VPN concentrator.
- Hunt the post-exploitation chain on Roundcube servers: unexpected PHP-upload-handler deserialization activity, webshell files planted in plugin directories (timestomped to match legitimate plugins), and Roundcube session termination bursts that force user logout and clear forensic state.
ATT&CK mapping
5 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
T1566Phishing
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Execution TA0002
T1203Exploitation for Client Execution
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Persistence TA0003
T1505.003Server Software Component: Web Shell
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
Stealth TA0005
T1620Reflective Code Loading
Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.