Proofpoint tracked UNK_MassTraction, a likely China-aligned cluster that used Roundcube n-day vulnerabilities to target US and Canadian university physics and engineering departments and steal credentials. The intrusions deployed the IceCube stealer, SquareShell webshell, and VShell backdoor while using layered evasion, persistence, and fallback mechanisms to maintain access. #UNK_MassTraction #Roundcube #IceCube #SquareShell #VShell #CVE-2024-42009 #CVE-2025-49113
Keypoints
- Proofpoint has tracked UNK_MassTraction since May 2026 as a suspected China-aligned threat cluster.
- The campaign targeted Roundcube mailservers used by physics and engineering departments at US and Canadian universities.
- The initial access relied on CVE-2024-42009, a Roundcube XSS flaw that executed JavaScript when victims opened the email.
- The IceCube JavaScript payload stole usernames, passwords, 2FA material, cookies, and browser reconnaissance data before sending it to C&C.
- IceCube then leveraged CVE-2025-49113 to trigger deserialization abuse and install the SquareShell webshell on the server.
- If webshell deployment failed, the chain could fall back to a shell script that loaded SNOWLIGHT and then VShell into memory.
- Proofpoint assessed the actor as likely espionage-motivated, using Roundcube servers as a pivot point into broader target networks.
MITRE Techniques
- [T1566.001] Spearphishing Attachment/Link â Lure emails were sent to university staff to trigger exploitation by opening the message in Roundcube (âThe messages exploit CVE-2024-42009⌠If the email is opened in the webmail client⌠the embedded JavaScript is executed.â)
- [T1059.007] JavaScript â Malicious JavaScript ran in the victim browser to steal data and load the next stage (âexecute JavaScript inside of the victim browserâ / âload a JavaScript payloadâ)
- [T1185] Browser Session Hijacking â IceCube stole cookies and authentication material from the browser session (âsteal usernames and passwords, two-factor authentication material, cookiesâ)
- [T1005] Data from Local System â The payload collected browser and form data from the victim environment (âconduct reconnaissance against the browser including the language in use, screen size, and form field valuesâ)
- [T1190] Exploit Public-Facing Application â Roundcube vulnerabilities were used to gain access and foothold (âexploit CVE-2024-42009â / âexploit a second Roundcube vulnerabilityâ)
- [T1211] Exploitation for Defense Evasion â The chain used a vulnerability to bypass normal controls and reach server-side execution (âa deserialization exploit⌠to install a simple webshellâ)
- [T1027] Obfuscated Files or Information â JavaScript was decimal-decoded and payloads were hidden in encoded form (âDecimal-decoded JavaScript from message bodyâ)
- [T1106] Native API â The webshell used built-in system execution functions to run commands (âsystem, passthru, exec, shell_exec, assert, and popenâ)
- [T1053.005] Scheduled Task/Job: At Intervals â Deferred triggers and repeated checks maintained execution flow by re-attempting exploitation (âchecks if the user closes the page or changes tabs⌠re-attempts exploitationâ)
- [T1036] Masquerading â The loader spoofed a legitimate process name to blend in (âspoofs a process, [kworker/0:2]â)
- [T1071.001] Web Protocols â Data and payloads were retrieved from C&C over HTTP/HTTPS (âsent via HTTP POSTâ / âfetches the relevant loader payload from the C&Câ)
- [T1105] Ingress Tool Transfer â The shell script downloaded a loader payload from the C&C server (âfetches the relevant loader payload from the C&C and executes itâ)
- [T1036.005] Match Legitimate Resource Name or Location â The webshell was placed in a plugin path and timestomped to look legitimate (âThe webshell is timestomped by copying the last modified time of a legitimate pluginâ)
- [T1070.004] File Deletion â The chain destroyed sessions and removed evidence after exploitation (âdestroys user and malware-initiated sessions on the server, forcing the user to log out and removing forensic evidenceâ)
- [T1021.006] Windows Remote Management â Not mentioned
Indicators of Compromise
- [Email address] Compromised sender observed in phishing headers â jpcontreras@newfield[.]cl
- [IP address] IceCube JavaScript backdoor delivery and C&C â 45.150.109[.]151, 194.213.18[.]133, and 45.86.229[.]111
- [URL] IceCube delivery/C&C and VShell delivery â hxxps://45.150.109[.]151.sslip.io:23088/app/js/jquery.min.js, hxxps://194.213.18[.]133.sslip.io:23088, and hxxp://45.86.229[.]111/slw:8080
- [SHA256] IceCube stealer hash â a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0