One Email Closer to the Edge: UNK_MassTraction & the Physics of Exploitation

One Email Closer to the Edge: UNK_MassTraction & the Physics of Exploitation
Proofpoint tracked UNK_MassTraction, a likely China-aligned cluster that used Roundcube n-day vulnerabilities to target US and Canadian university physics and engineering departments and steal credentials. The intrusions deployed the IceCube stealer, SquareShell webshell, and VShell backdoor while using layered evasion, persistence, and fallback mechanisms to maintain access. #UNK_MassTraction #Roundcube #IceCube #SquareShell #VShell #CVE-2024-42009 #CVE-2025-49113

Keypoints

  • Proofpoint has tracked UNK_MassTraction since May 2026 as a suspected China-aligned threat cluster.
  • The campaign targeted Roundcube mailservers used by physics and engineering departments at US and Canadian universities.
  • The initial access relied on CVE-2024-42009, a Roundcube XSS flaw that executed JavaScript when victims opened the email.
  • The IceCube JavaScript payload stole usernames, passwords, 2FA material, cookies, and browser reconnaissance data before sending it to C&C.
  • IceCube then leveraged CVE-2025-49113 to trigger deserialization abuse and install the SquareShell webshell on the server.
  • If webshell deployment failed, the chain could fall back to a shell script that loaded SNOWLIGHT and then VShell into memory.
  • Proofpoint assessed the actor as likely espionage-motivated, using Roundcube servers as a pivot point into broader target networks.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment/Link – Lure emails were sent to university staff to trigger exploitation by opening the message in Roundcube (‘The messages exploit CVE-2024-42009… If the email is opened in the webmail client… the embedded JavaScript is executed.’)
  • [T1059.007] JavaScript – Malicious JavaScript ran in the victim browser to steal data and load the next stage (‘execute JavaScript inside of the victim browser’ / ‘load a JavaScript payload’)
  • [T1185] Browser Session Hijacking – IceCube stole cookies and authentication material from the browser session (‘steal usernames and passwords, two-factor authentication material, cookies’)
  • [T1005] Data from Local System – The payload collected browser and form data from the victim environment (‘conduct reconnaissance against the browser including the language in use, screen size, and form field values’)
  • [T1190] Exploit Public-Facing Application – Roundcube vulnerabilities were used to gain access and foothold (‘exploit CVE-2024-42009’ / ‘exploit a second Roundcube vulnerability’)
  • [T1211] Exploitation for Defense Evasion – The chain used a vulnerability to bypass normal controls and reach server-side execution (‘a deserialization exploit… to install a simple webshell’)
  • [T1027] Obfuscated Files or Information – JavaScript was decimal-decoded and payloads were hidden in encoded form (‘Decimal-decoded JavaScript from message body’)
  • [T1106] Native API – The webshell used built-in system execution functions to run commands (‘system, passthru, exec, shell_exec, assert, and popen’)
  • [T1053.005] Scheduled Task/Job: At Intervals – Deferred triggers and repeated checks maintained execution flow by re-attempting exploitation (‘checks if the user closes the page or changes tabs… re-attempts exploitation’)
  • [T1036] Masquerading – The loader spoofed a legitimate process name to blend in (‘spoofs a process, [kworker/0:2]’)
  • [T1071.001] Web Protocols – Data and payloads were retrieved from C&C over HTTP/HTTPS (‘sent via HTTP POST’ / ‘fetches the relevant loader payload from the C&C’)
  • [T1105] Ingress Tool Transfer – The shell script downloaded a loader payload from the C&C server (‘fetches the relevant loader payload from the C&C and executes it’)
  • [T1036.005] Match Legitimate Resource Name or Location – The webshell was placed in a plugin path and timestomped to look legitimate (‘The webshell is timestomped by copying the last modified time of a legitimate plugin’)
  • [T1070.004] File Deletion – The chain destroyed sessions and removed evidence after exploitation (‘destroys user and malware-initiated sessions on the server, forcing the user to log out and removing forensic evidence’)
  • [T1021.006] Windows Remote Management – Not mentioned

Indicators of Compromise

  • [Email address] Compromised sender observed in phishing headers – jpcontreras@newfield[.]cl
  • [IP address] IceCube JavaScript backdoor delivery and C&C – 45.150.109[.]151, 194.213.18[.]133, and 45.86.229[.]111
  • [URL] IceCube delivery/C&C and VShell delivery – hxxps://45.150.109[.]151.sslip.io:23088/app/js/jquery.min.js, hxxps://194.213.18[.]133.sslip.io:23088, and hxxp://45.86.229[.]111/slw:8080
  • [SHA256] IceCube stealer hash – a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0


Read more: https://www.proofpoint.com/us/blog/threat-insight/one-email-closer-edge-unkmasstraction-physics-exploitation