Suspected Chinese hackers target Roundcube servers in North America

 

Suspected Chinese hackers target Roundcube servers in North America

A suspected China-aligned threat cluster, tracked as UNK_MassTraction, is exploiting vulnerable Roundcube webmail servers at physics and engineering departments across major universities in the US and Canada. The campaign appears focused on institutions involved in astrophysics, particle physics, and research with national security relevance.

The attacks, first observed in May 2026, abuse multiple known Roundcube vulnerabilities to steal user credentials and gain access to mail servers. Researchers believe the attackers use compromised email servers as a pivot point to move deeper into university networks.

The infection chain starts with CVE-2024-42009, a cross-site scripting (XSS) flaw that allows the execution of a malicious JavaScript when a victim opens a specially crafted email in a vulnerable Roundcube webmail client. The exploit uses the onanimationstart HTML event to bypass input sanitization and run attacker-controlled code.

Once executed, a JavaScript payload called IceCube collects usernames, passwords, authentication tokens, browser cookies, and two-factor authentication data. It also gathers browser information, including language settings, screen resolution, and form field values.

IceCube then attempts to exploit CVE-2025-49113, a deserialization vulnerability involving Roundcube's embedded Crypt_GPG_Engine component. Successful exploitation allows the attackers to install a lightweight webshell known as SquareShell. If that step fails, the malware downloads and runs a shell script from a fallback server.

The fallback script deploys an architecture-specific ELF loader known as SNOWLIGHT, which loads the VShell backdoor directly into memory. Researchers noted that the same shell script has been observed in previous intrusions attributed to Chinese threat actors, suggesting a shared or privately distributed capability.

“IceCube also sets up what it calls “deferred triggers” to ensure continuance of the infection chain. The deferred triggers monitor if the user closes the page or changes tabs, checks if the mouse leaves the browser window, and hijacks the logout button,” Proofpoint notes. “If any of those actions are taken, IceCube hooks those events, and re-attempts exploitation of CVE-2025-49113, and beacons to the C&C that the user left the Roundcube session. Following these actions or a timeout, IceCube destroys user and malware-initiated sessions on the server, forcing the user to log out and removing forensic evidence from the Roundcube server.

The phishing emails were sent from both compromised accounts and spoofed domains with weak DMARC protections. While the email lures were generic, the targeted departments were specifically running Roundcube versions vulnerable to the exploited flaws, indicating the attackers likely performed reconnaissance before launching the campaign.

Researchers also noted similarities to a previously reported campaign that delivered the VShell backdoor through a different Roundcube vulnerability. However, there is currently not enough evidence to directly link the activity with UNK_MassTraction.


Back to the list