A China-linked threat cluster tracked as UNK_MassTraction has been exploiting vulnerable Roundcube servers at U.S. and Canadian universities to steal credentials and deploy backdoors. The campaign uses malicious emails to trigger Roundcube flaws CVE-2024-42009 and CVE-2025-49113, leading to payloads such as IceCube, SquareShell, and VShell. #UNK_MassTraction #Roundcube #IceCube #SquareShell #VShell #CVE-2024-42009 #CVE-2025-49113
Keypoints
- A China-linked cluster is targeting Roundcube servers at universities in the U.S. and Canada.
- The campaign focuses on physics, engineering, and national security-related research organizations.
- Malicious emails exploit CVE-2024-42009 to load the IceCube stealer.
- IceCube can harvest passwords, cookies, 2FA data, and browser information.
- The attackers also try to install SquareShell or load VShell for remote access.