One Email Closer to the Edge: UNK_MassTraction & the Physics of Exploitation
Essential information
- Published
- 07/07/2026 11:24
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- china-aligned cross-site scripting cve-2023-2868 cve-2024-42009 cve-2025-49113 icecube icecube stealer roundcube exploitation snowlight squareshell squareshell webshell university targeting unk_masstraction vshell vshell backdoor
- Related entities
- 3 vulnerabilities (cve), 6 indicators, 5 observables, 1 intrusion sets (apt), 4 malware
Description
Since May 2026, a suspected China-aligned threat cluster named UNK_MassTraction has been exploiting Roundcube mailservers at physics and engineering departments of US and Canadian universities. The campaigns exploit multiple n-day vulnerabilities including CVE-2024-42009 and CVE-2025-49113 to steal credentials and deploy either a webshell called SquareShell or the VShell backdoor into server memory. The actor uses an initial cross-site scripting vulnerability to execute JavaScript, then deploys IceCube stealer to harvest authentication material before pivoting server-side through deserialization exploits. The operators deliberately crafted their infection chain with mature tooling to avoid detection, using Roundcube servers as pivot points to enter target networks. The targeting focuses on departments with national security ties or those studying astrophysics and particle physics.