UNK_MassTraction is a suspected China-aligned espionage threat cluster tracked by Proofpoint since May 2026. The actor targeted Roundcube mailservers at physics and engineering departments of U.S. and Canadian universities, with reported focus on administrators and professors with national security ties and organizations conducting astrophysics and particle physics research. Proofpoint identified fewer than 10 confirmed university victims and assessed the campaign as ongoing, with potentially additional affected universities. The cluster exploited a chained Roundcube attack path using CVE-2024-42009 and CVE-2025-49113. CVE-2024-42009 was used to execute malicious JavaScript in a victim’s browser when the victim opened a malicious email in vulnerable Roundcube webmail. Proofpoint stated the initial exploit required only that the email be opened. The actor used generic lure emails delivered via compromised sender accounts and spoofable domains with lax DMARC policies. Earlier phishing activity contained Chinese-language artifacts. Proofpoint named the next-stage JavaScript payload IceCube. IceCube escaped Roundcube’s iFrame context through DOM traversal, accessed the Roundcube authentication session, and stole usernames, passwords, two-factor authentication material, cookies, browser language, screen size, and form field values, sending the data to command-and-control infrastructure via HTTP POST. IceCube also used the victim session’s CSRF token to prepare exploitation of CVE-2025-49113, a Roundcube deserialization vulnerability involving Crypt_GPG_Engine, to gain server-side execution. The deserialization exploit attempted to write a webshell called SquareShell to disk via a PHP gadget chain. SquareShell was reachable at plugins/newmail_notifier/mail_preview.php, enabled remote code execution, and was timestomped to match a legitimate plugin’s modification time. If webshell deployment failed, the exploit chain used a fallback shell script that deployed an architecture-specific ELF loader referred to by Google Threat Intelligence as SNOWLIGHT, which then loaded VShell in memory from C2. Proofpoint noted cleanup and evasion tradecraft including deferred triggers, forced logout, session destruction, timestomping, fallback mechanisms, and in-memory execution. Proofpoint assessed that UNK_MassTraction likely used compromised mailservers as a pivot point into broader target networks rather than primarily to access mailbox contents. The China-aligned assessment was based on Chinese-language artifacts, use of VShell, low-volume targeting of U.S. and Canadian universities, and overlap with covert infrastructure associated with multiple China-aligned threat actors. No additional aliases or sub-groups were provided beyond UNK_MassTraction.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
17 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 malware families attributed to this actor across reporting.
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
The threat cluster, which Proofpoint tracks as UNK_MassTraction, exploited CVE-2024-42009 to execute JavaScript inside the victim’s browser, then exploited CVE-2025-49113 to gain a foothold in the mailserver.
The threat cluster, which Proofpoint tracks as UNK_MassTraction, exploited CVE-2024-42009 to execute JavaScript inside the victim’s browser, then exploited CVE-2025-49113 to gain a foothold in the mailserver.
12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Espionage-motivated campaign targeting U.S. and Canadian universities, especially physics and engineering departments, by chaining Roundcube vulnerabilities to steal credentials and establish persistent access via webshells and backdoors.
Espionage-oriented intrusion cluster exploiting multiple Roundcube n-day vulnerabilities to steal credentials, install the SquareShell webshell or deploy the VShell backdoor, and use compromised mailservers as a pivot point into target networks.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.