A cyber espionage campaign attributed to a China-aligned threat group has been identified targeting physics and engineering departments at universities in the United States and Canada. The attackers exploited critical vulnerabilities in Roundcube, an open-source webmail software, to infiltrate these institutions.
The campaign, tracked by Proofpoint as UNK_MassTraction, commenced in May 2026. It specifically targeted administrators and professors in departments with national security affiliations or those engaged in astrophysics and particle physics research. The attackers utilized compromised email accounts and domains susceptible to spoofing due to inadequate DMARC policies to distribute phishing emails.
These emails exploited a cross-site scripting (XSS) vulnerability, identified as CVE-2024-42009 with a CVSS score of 9.3, in Roundcube. Merely opening the malicious email within the Roundcube client allowed the attackers to execute arbitrary JavaScript code in the victim’s browser. This flaw enabled the extraction of credentials, two-factor authentication tokens, and cookies. Additionally, the malware, dubbed IceCube, gathered information about the browser’s language, screen size, and form field values, transmitting this data to an external server via an HTTP POST request.
Following the initial compromise, the attackers leveraged another severe vulnerability, CVE-2025-49113 (CVSS score: 9.9), to gain persistent access to the mail servers. They deployed either a web shell named SquareShell or a post-exploitation tool known as VShell. SquareShell, accessible at the endpoint “plugins/newmail_notifier/mail_preview.php,” allowed for arbitrary code execution. If deploying SquareShell failed, the attackers executed a shell script to deliver VShell, ensuring continued access.
Notably, the attackers demonstrated adaptability by modifying their methods in June 2026. Initially, a failed SquareShell deployment would terminate the attack chain. However, the revised approach incorporated a fallback mechanism, utilizing a shell script to deploy VShell, thereby maintaining their foothold within the compromised systems.
This campaign underscores the persistent threat posed by state-sponsored actors targeting academic institutions, particularly those involved in sensitive research areas. It highlights the critical importance of promptly patching software vulnerabilities and implementing robust email security measures to defend against sophisticated cyber threats.
Given the attackers’ focus on exploiting known vulnerabilities in widely used software, organizations must prioritize regular updates and patches. Additionally, enhancing email security protocols, such as enforcing strict DMARC policies, can mitigate the risk of domain spoofing and phishing attacks. As cyber adversaries continue to evolve their tactics, a proactive and comprehensive security strategy is essential to protect sensitive information and maintain institutional integrity.