UNK_MassTraction Chains Roundcube N-Days to Pivot into University Networks

Red | Attack
Download Now
UNK_MassTraction Chains Roundcube N-Days (CVE-2024-42009, CVE-2025-49113) to Pivot into University Networks (TA2026190)

Threat Advisory • Attack Report • TA2026190

UNK_MassTraction Chains Roundcube N-Days to Pivot into University Networks

UNK_MassTraction, a suspected China-aligned espionage cluster, sends phishing emails that abuse two n-day Roundcube Webmail flaws, CVE-2024-42009 and CVE-2025-49113, to deploy the IceCube stealer, the SquareShell webshell, the SNOWLIGHT loader, and the VShell backdoor — turning compromised university mail servers into a springboard deeper into higher-education networks in the United States and Canada.

SEVERITY: RED ADMIRALTY: A1 N-DAY EXPLOIT CHAIN ESPIONAGE-MOTIVATED FIRST SEEN: MAY 2026 SECTOR: HIGHER EDUCATION
TA Number
TA2026190
Date of Publication
July 08, 2026
Admiralty Code
A1
First Seen
May 2026
Threat Actor
UNK_MassTraction
Malware
VShell, IceCube, SquareShell, SNOWLIGHT
Targeted Regions
United States, Canada
Targeted Industry
Higher Education
Targeted Product
Roundcube Webmail
Targeted Platforms
Linux mail servers, Web browsers

Summary

First observed in May 2026, UNK_MassTraction is a suspected China-aligned espionage cluster running phishing campaigns that abuse two n-day Roundcube Webmail vulnerabilities against Linux mail servers and web browsers. An initial cross-site scripting flaw, CVE-2024-42009, runs attacker JavaScript the moment a victim opens a malicious email, launching the IceCube stealer to grab webmail credentials, cookies, and two-factor authentication material.

IceCube then exploits a deserialization remote code execution flaw, CVE-2025-49113, to plant the SquareShell webshell or load the VShell backdoor in the mail server's memory, turning the compromised Roundcube server into a springboard into the target's wider network. The campaign is concentrated against Higher Education institutions in the United States and Canada, with a fallback chain that stages the SNOWLIGHT loader when the primary webshell fails to install.


Attack Details

#1 — Phishing Lures Trigger CVE-2024-42009 on Open

UNK_MassTraction opens each intrusion with phishing emails aimed at physics and engineering departments at major universities, favoring administrators and professors in groups tied to national security work or astrophysics and particle physics research. The messages use generic lures and are sent from compromised senders and from domains that can be spoofed because of weak DMARC policies. The exploit does not need the recipient to click anything: simply opening the message in a vulnerable Roundcube webmail client triggers CVE-2024-42009, a cross-site scripting flaw that runs attacker JavaScript through the onanimationstart handler. That JavaScript acts as a loader and pulls the next stage from a remote host.

#2 — IceCube Stealer Escapes the iFrame and Weaponizes CVE-2025-49113

The next stage is a full-featured stealer called IceCube. It escapes Roundcube's iFrame through DOM traversal, giving it reach across the whole browser and the authenticated webmail session. From there it collects stored usernames and passwords, two-factor authentication material, and cookies, and it fingerprints the browser by reading the language in use, screen size, and form field values. The harvested data is sent to the command-and-control server over an HTTP POST. IceCube then uses the session's CSRF token to weaponize a second flaw, CVE-2025-49113, a PHP object deserialization bug in Roundcube's Crypt_GPG_Engine parsing. It sends serialized PHP data containing a gadget that executes commands when deserialized, dropping a lightweight webshell named SquareShell at the endpoint plugins/newmail_notifier/mail_preview.php. The webshell is timestomped with the modified time of a legitimate plugin so it blends into the environment.

#3 — SNOWLIGHT Fallback and Session-Aware Anti-Forensics

The chain is built to keep moving even when a step fails. If the webshell does not install, a fallback introduced in June 2026 downloads a shell script that stages an architecture-specific ELF loader tracked as SNOWLIGHT, fetches the matching payload from the command-and-control server, and runs it with nohup. IceCube also sets up deferred triggers that watch for the user closing the page, switching tabs, moving the mouse out of the browser window, or clicking logout. When any of those happen, IceCube re-attempts the CVE-2025-49113 exploit and beacons that the user has left the session. Once its work is done or a timeout is reached, it destroys the user and malware sessions on the server, logging the victim out and wiping forensic evidence from the Roundcube host.

#4 — VShell Backdoor Enables Deeper Network Pivoting

Stolen credentials and reconnaissance data leave the environment over the same HTTP channel back to the command-and-control server. On the server side, the SNOWLIGHT loader first checks for a lock file at /tmp/log_de.log to avoid running twice, spoofs the process name [kworker/0:2] to look like a kernel worker, beacons over a socket, and loads the VShell backdoor entirely in memory using fexecve(). VShell is a publicly available Go implant with capabilities comparable to Cobalt Strike; its interactive shell and port-forwarding features are the most likely tools the operators would use to pivot from the compromised mail server deeper into the university network. Infrastructure overlaps, the reuse of SNOWLIGHT and VShell, and Chinese-language artifacts in earlier emails point to a China-aligned, espionage-motivated actor treating the mail server as an edge device for network access rather than as the end target.


Exploited CVEs

CVE IDNameAffected Product
CVE-2024-42009 Roundcube Webmail Cross-Site Scripting Vulnerability Roundcube Webmail
CVE-2025-49113 Roundcube Webmail Deserialization of Untrusted Data Vulnerability Roundcube Webmail

Recommendations

01

Patch Roundcube to a Fixed Release

Upgrade every Roundcube instance to 1.6.11 or 1.5.10 (or later), which close both CVE-2024-42009 and CVE-2025-49113, and treat any server below these versions as exposed.

02

Block Known Command-and-Control Infrastructure

Add the listed IceCube and VShell IPs, delivery URLs, and sslip.io endpoints to network blocklists and alert on any outbound connections to them.

03

Reset Exposed Credentials and Sessions

Force password resets, invalidate active Roundcube sessions, and rotate two-factor secrets for any account on a potentially compromised server, since IceCube harvests credentials, cookies, and 2FA material.

04

Tighten Email Authentication

Enforce a strict DMARC policy (p=reject) with validated SPF and DKIM to blunt the sender spoofing this actor relies on for delivery.

05

Scan Linux Hosts for the VShell Loader

Look for the lock file /tmp/log_de.log, processes masquerading as [kworker/0:2], and in-memory execution via fexecve(), which indicate the SNOWLIGHT loader and the VShell backdoor.

06

Treat Mail Servers as Edge Devices

Monitor, log, and harden internet-facing webmail with the same rigor applied to VPN concentrators and other remote-access nodes.


Potential MITRE ATT&CK TTPs

T1566
Initial Access
Phishing
T1190
Initial Access
Exploit Public-Facing Application
T1203
Execution
Exploitation for Client Execution
T1059.007
Execution
Command and Scripting Interpreter: JavaScript
T1059.004
Execution
Command and Scripting Interpreter: Unix Shell
T1555.003
Credential Access
Credentials from Password Stores: Credentials from Web Browsers
T1539
Credential Access
Steal Web Session Cookie
T1111
Credential Access
Multi-Factor Authentication Interception
T1505.003
Persistence
Server Software Component: Web Shell
T1070.006
Defense Evasion
Indicator Removal: Timestomp
T1036.005
Defense Evasion
Masquerading: Match Legitimate Name or Location
T1620
Defense Evasion
Reflective Code Loading
T1071.001
Command and Control
Application Layer Protocol: Web Protocols
T1105
Command and Control
Ingress Tool Transfer
T1041
Exfiltration
Exfiltration Over C2 Channel

Indicators of Compromise (IoCs)

TypeValue
Emailjpcontreras[@]newfield[.]cl
IPv4 45[.]150[.]109[.]151
194[.]213[.]18[.]133
45[.]86[.]229[.]111
URLs hxxps[:]//45[.]150[.]109[.]151[.]sslip[.]io[:]23088/app/js/jquery[.]min[.]js
hxxps[:]//194[.]213[.]18[.]133[.]sslip[.]io[:]23088/app/js/jquery[.]min[.]js
hxxps[:]//45[.]150[.]109[.]151[.]sslip[.]io[:]23088
hxxps[:]//194[.]213[.]18[.]133[.]sslip[.]io[:]23088
hxxp[:]//45[.]86[.]229[.]111/slw[:]8080
SHA256a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0

References & Patch Links

Patch Link
References