THE UNK_MassTraction, a suspected China-aligned espionage group, has been exploiting vulnerabilities in Roundcube webmail to infiltrate physics and engineering departments at select US and Canadian universities since May 2026. The attacks, which have targeted fewer than 10 confirmed victims, involve credential theft, deploying webshells, and using the VShell backdoor.
The infection process begins with a phishing email that exploits known vulnerabilities (CVE-2024-42009 and CVE-2025-49113) to execute malicious JavaScript, steal login information using a tool called IceCube, and install a webshell named SquareShell. Efforts have been made to conceal the campaign's ties to China, but indicators point to a potential linkage to previous Chinese exploitation techniques.
Recommendations for protection include patching affected software, enhancing security measures against spoofed emails, and monitoring for unusual activities on mail servers.