Hackers Exploit Roundcube Flaw to Spy on Academic Researchers
What happened
Researchers at Proofpoint found that a China-linked threat cluster has been exploiting vulnerable Roundcube webmail servers at universities in the United States and Canada to steal credentials and deploy backdoor malware.
Proofpoint tracks the activity as UNK_MassTraction and assesses it is likely associated with a China-aligned espionage actor, though the company notes that attribution is not high-confidence. The campaign has been observed since May and focuses on physics and engineering departments, administrators, professors, and organizations involved in astrophysics, particle physics, or national security-related research.
The attack begins with malicious emails sent from compromised accounts or spoofed domains. When a victim opens the email in a vulnerable Roundcube webmail client, the message triggers exploitation of CVE-2024-42009, a cross-site scripting flaw that executes JavaScript in the victim’s browser and loads a payload called IceCube.
IceCube is a Roundcube stealer capable of harvesting usernames, passwords, cookies, two-factor authentication data, and browser information. Proofpoint said the malware also uses helper components to exploit CVE-2025-49113, a Roundcube deserialization flaw, in an attempt to install SquareShell, a PHP web shell with remote code execution capabilities.
If SquareShell is installed successfully, the attacker gains remote code execution on the mail server. If that step fails, the malware downloads a shell script that loads VShell, a Go-based backdoor that supports interactive shell access and port forwarding. Proofpoint also found evidence that the attackers conducted reconnaissance beforehand by selecting servers previously believed to be vulnerable to CVE-2024-42009 and CVE-2025-49113.
Who is affected
Universities and research institutions using vulnerable Roundcube webmail servers are directly affected, especially in the United States and Canada.
The campaign appears focused on researchers, professors, administrators, and departments involved in physics, engineering, astrophysics, particle physics, and national security-related research.
Organizations with internet-facing Roundcube deployments are also at risk if they have not patched CVE-2024-42009 and CVE-2025-49113 or if mail servers are not monitored as closely as VPNs and other remote access systems.
Why CISOs should care
This campaign shows how academic email systems can become espionage entry points. A vulnerable webmail server can expose credentials, cookies, two-factor authentication data, and potentially server-level access.
For CISOs, the attack chain is important because it combines client-side exploitation with server-side compromise. A malicious email can trigger JavaScript execution in Roundcube and then pivot into attempts to exploit the mail server itself.
The targeting also matters. Academic research environments often hold sensitive intellectual property, government-funded research, export-controlled work, and collaboration data that may be valuable to state-aligned actors.
The case also reinforces that internet-facing mail servers should be treated like remote access infrastructure. If compromised, they can support credential theft, internal reconnaissance, persistence, and port forwarding into protected environments.
3 practical actions
Patch Roundcube immediately: Administrators should update Roundcube deployments to versions that fix CVE-2024-42009 and CVE-2025-49113, prioritizing internet-facing university and research mail servers.
Hunt for web shells and backdoors: Security teams should look for signs of IceCube, SquareShell, VShell, unusual PHP files, unexpected shell scripts, abnormal outbound connections, and port-forwarding activity from mail servers.
Review exposed mail-server risk: CISOs should treat Roundcube and other webmail systems as high-value remote access nodes, with strict patching, logging, monitoring, segmentation, and incident-response coverage.
Recent cybersecurity news:


