Proofpoint: China cluster raids university physics mail
Proofpoint attributes a Roundcube-exploitation campaign against U.S. and Canadian university physics departments to a China-aligned cluster, UNK_MassTraction.
Proofpoint on Monday attributed a monthslong campaign against U.S. and Canadian university physics and engineering departments to a suspected China-aligned activity cluster it tracks as UNK_MassTraction, saying the operators have been exploiting known, patched flaws in Roundcube webmail to steal credentials, session cookies, and two-factor codes from administrators and professors at institutions with astrophysics, particle-physics, and national-security-adjacent research programs. Proofpoint researchers Greg Lesnewich and Mark Kelly published the writeup after tracking the activity since May.
The campaign is labeled UNK — “unknown” — because Proofpoint has not yet attributed the cluster to a named actor, but the post-exploitation tooling overlaps with UNC5174, the China-linked cluster Mandiant/Google Threat Intelligence has previously named, and the geography and sector selection are consistent with academic-espionage tasking.
What was actually exploited
Two Roundcube vulnerabilities, both already patched at the time UNK_MassTraction started using them:
- CVE-2024-42009 (CVSS 9.3, critical) — a cross-site scripting flaw in Roundcube’s message-rendering path that allows a crafted email to run attacker-controlled JavaScript in the victim’s browser session when the message is viewed. Patched by upstream in August 2024.
- CVE-2025-49113 (CVSS 9.9, critical) — a post-authenticated remote-code-execution flaw in Roundcube. Chained after credentials are already in hand.
The chain, as Proofpoint describes it, does what web-attack chains against webmail have done for two decades. A phishing message arrives; if the recipient views it in a still-vulnerable Roundcube instance, a JavaScript payload the operators call IceCube runs inside the mailbox context. IceCube harvests the session cookie, whatever 2FA material is in memory, and enough browser reconnaissance for the operators to decide whether the target is interesting. If it is, the same access is used to authenticate to the mail server and pivot into CVE-2025-49113 for RCE, at which point the operators drop a SquareShell web shell or the VShell post-exploitation tool, and a fallback script mechanism stages SNOWLIGHT, an ELF loader Proofpoint links to the broader UNC5174 tooling family.
None of the individual pieces are novel. What is unusual is how narrowly the targeting is scoped — Proofpoint’s report emphasizes physics and engineering departments specifically, with sub-focus on the administrators who run departmental infrastructure and the professors most likely to be on national-lab collaborations or DoD/DoE-funded work. That is not the shape of a commodity credential-stealing operation. That is somebody running a task list.
Why universities, and why Roundcube
The pattern is old, and it keeps working.
Universities host research the People’s Republic of China has repeatedly signaled interest in, on operational networks that no CISO in industry would recognize as an operational network. Departmental sysadmins are often postdocs or a small research-computing team; the mail server is often something a graduate student stood up in the mid-2010s because the university’s central IT declined to host the flavor of open-source webmail the physics faculty preferred. Roundcube, a stable long-lived PHP webmail codebase, tends to sit in exactly those places — installed, running, and forgotten between admin turnovers. When a CVE lands, whoever now owns the box may not know they own it.
The result is a target class where a widely-published, months-old critical CVE is still a realistic ingress on the day the campaign starts. That is not a story about Roundcube being uniquely bad software. It is a story about the same soft edge of the same operational picture that has been on threat-intel decks since the last decade of NSA/CISA guidance on academic and research-network defense.
Two other beats of the story worth noticing:
- The operators are exploiting XSS chained into RCE, not XSS as an end in itself. Web-mail XSS is often treated as a mid-severity nuisance because “you have to convince the user to view an email,” which is exactly the thing an inbound phish accomplishes. Here the XSS is the ignition source for a full intrusion.
- The credential-and-cookie theft happens inside the mailbox context, which means the initial signal to a SOC is a normal mail-view event by a legitimate user. Nothing in the login pattern is out of place until, later, the session cookie shows up somewhere it shouldn’t be.
What Proofpoint told defenders
Proofpoint’s closing recommendation is the sentence to take from the writeup: universities should “prioritize defending the mail servers of their networks as thoroughly as they do their VPN concentrators and other remote access nodes.” The framing matters. Remote-access infrastructure has been the beneficiary of a decade of KEV additions, vendor scrutiny, and internal-audit attention. Mail infrastructure has not caught the same wave, especially on open-source stacks running in departmental corners of a larger university IT estate.
There is no fresh vulnerability to patch here. Both CVEs shipped fixes before the campaign began. The question the writeup raises is whether the mail servers still running the pre-patch versions have someone assigned to notice.
Sourcing
- Proofpoint Threat Insight: Roundcube exploitation and the UNK_MassTraction cluster — Greg Lesnewich and Mark Kelly (see also The Hacker News’s summary)
- NVD: CVE-2024-42009 — Roundcube XSS, CVSS 9.3
- NVD: CVE-2025-49113 — Roundcube post-auth RCE, CVSS 9.9
- Mandiant/Google Threat Intelligence: UNC5174 background
- Related: ARToken and EvilTokens’ M365 device-code phishing — the same shape of pattern (harvest sessions through legitimate flows) on a different target
- Related: Talos on curiosity as the load-bearing SOC skill — the departmental-webmail-nobody-owns problem is a curiosity problem, not a signature problem
- Related: The LONGLEASH ORB build-out and UAT-7810 — China-aligned tasking against a different soft edge of the network stack
Found this useful? Share it.

