Since May 2026, a newly identified threat cluster, UNK_MassTraction, has been targeting major universities in the United States and Canada.
The attackers focus primarily on physics and engineering departments, specifically seeking out professors and administrators with national security ties or research in astrophysics.
They leverage known vulnerabilities in the Roundcube webmail software, treating these mail servers not as data repositories but as edge devices to pivot deeper into academic networks.
Proofpoint researchers revealed that the campaign begins with deceptively simple phishing emails sent from compromised accounts or poorly secured domains.
These generic emails require almost no user interaction to compromise the target. If a victim simply opens the message in a vulnerable Roundcube webmail client, the attack sequence begins instantly.
The emails exploit CVE-2024-42009, a cross-site scripting vulnerability that fails to sanitize HTML content properly. This flaw allows a malicious JavaScript payload to execute automatically using standard web animation functions.
Once triggered, the script acts as a loader to fetch a much more sophisticated secondary payload from a remote command server.
This secondary payload is a fully-featured JavaScript stealer dubbed IceCube by researchers. IceCube uses basic web traversal techniques to escape the webmail’s isolation, granting the attackers complete access to the browser session.
From there, the malware silently harvests usernames, passwords, two-factor authentication tokens, and session cookies while profiling the victim’s operating environment.
The underlying code is heavily commented and organized into specific phases, suggesting the threat actors may have used large language models to assist in its rapid development.
Hackers Pivot Through Roundcube
After stealing credentials, IceCube immediately moves to compromise the underlying server infrastructure. It uses the stolen session tokens to exploit a second Roundcube flaw, a deserialization vulnerability tracked as CVE-2025-49113.
By sending malicious serialized PHP data to the server, the malware tricks the system into executing embedded shell commands.
This action drops a stealthy webshell called SquareShell directly onto the mail server. SquareShell modifies its own file timestamps to match legitimate plugins, allowing attackers to blend into the environment while executing remote code.

According to Proofpoint research, the UNK_MassTraction group designed their infection chain with impressive resilience and fallback mechanisms.
If the initial webshell deployment fails, the malware downloads a backup shell script from a secondary channel. This script fetches a custom loader that impersonates legitimate background processes to hide its presence on the machine.
This loader then pulls down VShell, a powerful Go-based backdoor widely used by Chinese advanced persistent threats.
VShell provides attackers with an interactive command-line and port-forwarding capabilities, giving them a perfect staging ground to explore the broader university network.
Indicators of Compromise
| Indicator | Type | Description | First Seen |
|---|---|---|---|
jpcontreras@newfield[.]cl | Email address | Compromised email address | May 2026 |
45.150.109[.]151 | IP address | IceCube JavaScript backdoor delivery and C&C | May 2026 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
Click Here For The Original Source.
