UNK_MassTraction Roundcube university exploitation campaign
Campaign
Summary
Hide ▲
Show ▼
The UNK_MassTraction campaign is a China-linked activity targeting Roundcube webmail at U.S. and Canadian universities and related research organizations to steal credentials and gain server access. Reported since May 2026, it uses phishing emails to trigger CVE-2024-42009, load IceCube for username, password, cookie, and 2FA theft, and then exploit CVE-2025-49113 to install SquareShell or drop VShell for remote code execution and backdoor access. The targeting focuses on physics and engineering departments, administrators, professors, and organizations tied to astrophysics, particle physics, and national security-related research. Proofpoint says the cluster appears to have performed reconnaissance before attack by selecting servers already known to be vulnerable to both flaws.
Related Happenings
IceCube, SNOWLIGHT, and VShell Roundcube post-exploitation chain
Malware Activity
H score36
First: 07.07.2026 12:10
Last: 07.07.2026 12:10
Sources 1
How related:
The JavaScript payload, tracked by Proofpoint as IceCube, was used to steal usernames, passwords, cookies and authentication data.
About this happening:
**IceCube** is a **Roundcube** post-exploitation activity targeting **U.S. and Canadian universities** and related research organizations, with observed use since **May** against...
IceCube, SNOWLIGHT, and VShell Roundcube post-exploitation chain
Malware ActivityHow related: The JavaScript payload, tracked by Proofpoint as IceCube, was used to steal usernames, passwords, cookies and authentication data.
About this happening: **IceCube** is a **Roundcube** post-exploitation activity targeting **U.S. and Canadian universities** and related research organizations, with observed use since **May** against...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
H score82
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Roundcube Webmail actively exploited flaws (multiple vulnerabilities)
Vulnerability
H score33
First: 23.02.2026 13:44
Last: 23.02.2026 13:44
Sources 1
How related:
In the next step, IceCube leverages the session's CSRF token to weaponize a second post-authenticated remote code execution flaw in Roundcube - CVE-2025-49113 (CVSS score: 9.9) - with the goal of obtaining a foothold in the mail server and dropping VShell or a web shell dubbed SquareShell in memory.
About this happening:
**Roundcube Webmail** is under **active exploitation** through **CVE-2025-49113** and **CVE-2025-68461**, with attackers also chaining **CVE-2024-42009** in phishing-driven intrus...
Roundcube Webmail actively exploited flaws (multiple vulnerabilities)
VulnerabilityHow related: In the next step, IceCube leverages the session's CSRF token to weaponize a second post-authenticated remote code execution flaw in Roundcube - CVE-2025-49113 (CVSS score: 9.9) - with the goal of obtaining a foothold in the mail server and dropping VShell or a web shell dubbed SquareShell in memory.
About this happening: **Roundcube Webmail** is under **active exploitation** through **CVE-2025-49113** and **CVE-2025-68461**, with attackers also chaining **CVE-2024-42009** in phishing-driven intrus...
Latest development: 07.07.2026 18:40
Proofpoint tracked the China-aligned UNK_MassTraction cluster targeting US and Canadian universities, especially physics and engineering departments, by abusing vulnerable Roundcube mail servers. The campaign used phishing emails with malicious content to exploit CVE-2024-42009 and run the IceCube JavaScript payload to steal usernames, passwords, cookies and authentication data, then leveraged CVE-2025-49113 to deploy a webshell or install the VShell backdoor for follow-on access into victim networks.
UNK_AcademicFlare Microsoft 365 device code phishing campaign
Campaign
H score36
First: 19.12.2025 19:54
Last: 19.12.2025 19:54
Sources 1
About this happening:
The **UNK_AcademicFlare** phishing campaign is actively stealing **Microsoft 365** credentials through **device code authentication** abuse, creating **account takeover** risk for...
UNK_AcademicFlare Microsoft 365 device code phishing campaign
CampaignAbout this happening: The **UNK_AcademicFlare** phishing campaign is actively stealing **Microsoft 365** credentials through **device code authentication** abuse, creating **account takeover** risk for...
Timeline
-
07.07.2026 12:10 3 articles · 2d ago
UNK_MassTraction Roundcube university exploitation campaign
Initial DisclosureThe campaign was first detected in **May 2026** against university Roundcube deployments. By **June 2026**, the infection chain had added a fallback path for delivering post-exploitation tooling.
Show sources
- Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities — thehackernews.com — 07.07.2026 12:10
- Suspected Chinese Threat Group Targets Universities via Vulnerable Roundcube Servers — www.infosecurity-magazine.com — 07.07.2026 18:40
- Hackers exploit Roundcube flaw to spy on academic researchers — www.bleepingcomputer.com — 08.07.2026 21:56