
Threat Advisory • Attack Report • TA2026190
UNK_MassTraction, a suspected China-aligned espionage cluster, sends phishing emails that abuse two n-day Roundcube Webmail flaws, CVE-2024-42009 and CVE-2025-49113, to deploy the IceCube stealer, the SquareShell webshell, the SNOWLIGHT loader, and the VShell backdoor — turning compromised university mail servers into a springboard deeper into higher-education networks in the United States and Canada.
Section 01
First observed in May 2026, UNK_MassTraction is a suspected China-aligned espionage cluster running phishing campaigns that abuse two n-day Roundcube Webmail vulnerabilities against Linux mail servers and web browsers. An initial cross-site scripting flaw, CVE-2024-42009, runs attacker JavaScript the moment a victim opens a malicious email, launching the IceCube stealer to grab webmail credentials, cookies, and two-factor authentication material.
IceCube then exploits a deserialization remote code execution flaw, CVE-2025-49113, to plant the SquareShell webshell or load the VShell backdoor in the mail server's memory, turning the compromised Roundcube server into a springboard into the target's wider network. The campaign is concentrated against Higher Education institutions in the United States and Canada, with a fallback chain that stages the SNOWLIGHT loader when the primary webshell fails to install.
Section 02
UNK_MassTraction opens each intrusion with phishing emails aimed at physics and engineering departments at major universities, favoring administrators and professors in groups tied to national security work or astrophysics and particle physics research. The messages use generic lures and are sent from compromised senders and from domains that can be spoofed because of weak DMARC policies. The exploit does not need the recipient to click anything: simply opening the message in a vulnerable Roundcube webmail client triggers CVE-2024-42009, a cross-site scripting flaw that runs attacker JavaScript through the onanimationstart handler. That JavaScript acts as a loader and pulls the next stage from a remote host.
The next stage is a full-featured stealer called IceCube. It escapes Roundcube's iFrame through DOM traversal, giving it reach across the whole browser and the authenticated webmail session. From there it collects stored usernames and passwords, two-factor authentication material, and cookies, and it fingerprints the browser by reading the language in use, screen size, and form field values. The harvested data is sent to the command-and-control server over an HTTP POST. IceCube then uses the session's CSRF token to weaponize a second flaw, CVE-2025-49113, a PHP object deserialization bug in Roundcube's Crypt_GPG_Engine parsing. It sends serialized PHP data containing a gadget that executes commands when deserialized, dropping a lightweight webshell named SquareShell at the endpoint plugins/newmail_notifier/mail_preview.php. The webshell is timestomped with the modified time of a legitimate plugin so it blends into the environment.
The chain is built to keep moving even when a step fails. If the webshell does not install, a fallback introduced in June 2026 downloads a shell script that stages an architecture-specific ELF loader tracked as SNOWLIGHT, fetches the matching payload from the command-and-control server, and runs it with nohup. IceCube also sets up deferred triggers that watch for the user closing the page, switching tabs, moving the mouse out of the browser window, or clicking logout. When any of those happen, IceCube re-attempts the CVE-2025-49113 exploit and beacons that the user has left the session. Once its work is done or a timeout is reached, it destroys the user and malware sessions on the server, logging the victim out and wiping forensic evidence from the Roundcube host.
Stolen credentials and reconnaissance data leave the environment over the same HTTP channel back to the command-and-control server. On the server side, the SNOWLIGHT loader first checks for a lock file at /tmp/log_de.log to avoid running twice, spoofs the process name [kworker/0:2] to look like a kernel worker, beacons over a socket, and loads the VShell backdoor entirely in memory using fexecve(). VShell is a publicly available Go implant with capabilities comparable to Cobalt Strike; its interactive shell and port-forwarding features are the most likely tools the operators would use to pivot from the compromised mail server deeper into the university network. Infrastructure overlaps, the reuse of SNOWLIGHT and VShell, and Chinese-language artifacts in earlier emails point to a China-aligned, espionage-motivated actor treating the mail server as an edge device for network access rather than as the end target.
Section 03
| CVE ID | Name | Affected Product |
|---|---|---|
CVE-2024-42009 |
Roundcube Webmail Cross-Site Scripting Vulnerability | Roundcube Webmail |
CVE-2025-49113 |
Roundcube Webmail Deserialization of Untrusted Data Vulnerability | Roundcube Webmail |
Section 04
Patch Roundcube to a Fixed Release
Upgrade every Roundcube instance to 1.6.11 or 1.5.10 (or later), which close both CVE-2024-42009 and CVE-2025-49113, and treat any server below these versions as exposed.
Block Known Command-and-Control Infrastructure
Add the listed IceCube and VShell IPs, delivery URLs, and sslip.io endpoints to network blocklists and alert on any outbound connections to them.
Reset Exposed Credentials and Sessions
Force password resets, invalidate active Roundcube sessions, and rotate two-factor secrets for any account on a potentially compromised server, since IceCube harvests credentials, cookies, and 2FA material.
Tighten Email Authentication
Enforce a strict DMARC policy (p=reject) with validated SPF and DKIM to blunt the sender spoofing this actor relies on for delivery.
Scan Linux Hosts for the VShell Loader
Look for the lock file /tmp/log_de.log, processes masquerading as [kworker/0:2], and in-memory execution via fexecve(), which indicate the SNOWLIGHT loader and the VShell backdoor.
Treat Mail Servers as Edge Devices
Monitor, log, and harden internet-facing webmail with the same rigor applied to VPN concentrators and other remote-access nodes.
Section 05
Section 06
| Type | Value |
|---|---|
jpcontreras[@]newfield[.]cl | |
| IPv4 |
45[.]150[.]109[.]151194[.]213[.]18[.]13345[.]86[.]229[.]111
|
| URLs |
hxxps[:]//45[.]150[.]109[.]151[.]sslip[.]io[:]23088/app/js/jquery[.]min[.]jshxxps[:]//194[.]213[.]18[.]133[.]sslip[.]io[:]23088/app/js/jquery[.]min[.]jshxxps[:]//45[.]150[.]109[.]151[.]sslip[.]io[:]23088hxxps[:]//194[.]213[.]18[.]133[.]sslip[.]io[:]23088hxxp[:]//45[.]86[.]229[.]111/slw[:]8080
|
| SHA256 | a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0 |
Section 07