Hackers Exploit Roundcube N-Day Flaws to Steal Credentials and Deploy VShell

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A newly identified hacking campaign is targeting university mail servers by exploiting known but unpatched flaws in Roundcube webmail software.

The attackers are using these gaps to quietly steal login credentials and plant a powerful backdoor called VShell deep inside compromised systems.

The campaign, tracked under the name UNK_MassTraction, has been active since May 2026 and is aimed squarely at physics and engineering departments at major universities across the United States and Canada.

Rather than casting a wide net, the attackers appear to have handpicked targets tied to national security research or astrophysics and particle physics programs.

Researchers from Proofpoint first spotted this activity and have been closely monitoring how it has evolved over the past several weeks.

The team noticed that the departments being targeted were all running outdated, vulnerable versions of Roundcube, suggesting the attackers had scouted their targets carefully before launching the operation.

What makes this campaign notable is not just its narrow focus but its technical sophistication.

The attackers chain together multiple known vulnerabilities, starting with a simple email and ending with a fully functioning backdoor buried in server memory, all while working to erase their tracks along the way.

UNK_MassTraction infection chain (Source – Proofpoint)

Proofpoint said in a report shared with Cyber Security News (CSN) that the group shows moderate operational security awareness and is likely a China-aligned espionage operation, based on infrastructure overlaps and language artifacts found in the phishing emails.

Hackers Exploit Roundcube N-Day Flaws

The intrusion begins with an email exploiting CVE-2024-42009, a cross-site scripting flaw in Roundcube that fails to properly clean up JavaScript embedded in HTML messages.

Simply opening the email in a vulnerable Roundcube client is enough to trigger the malicious code, no clicking required.

The emails themselves look deliberately bland, resembling spam or marketing content. This design choice seems intentional.

Even if a recipient glances at the message and ignores it, the exploit has already done its job by the time the email is opened.

Once triggered, the JavaScript loads a second-stage payload the researchers call IceCube.

This stealer escapes Roundcube’s iframe sandbox, giving it access to the full browser session, and begins harvesting usernames, passwords, two-factor codes, and session cookies before sending everything back to a remote server.

IceCube then pivots from the browser to the server itself, exploiting a separate flaw, CVE-2025-49113, which is a deserialization bug in Roundcube’s handling of an internal component.

This lets the attackers plant a simple webshell called SquareShell, disguised to blend in with legitimate plugin files and reachable through a specific plugin endpoint for remote code execution.

The VShell Backdoor and Its Reach

If the webshell installation fails, the attackers have a backup plan. A fallback script downloads and runs a loader for VShell, a publicly available backdoor written in the Go programming language that has been linked to multiple China-aligned threat groups in the past.

VShell runs entirely in memory, disguising itself as a legitimate system process to avoid raising alarms.

VShell loader bash script (Source – Proofpoint)

It gives attackers an interactive shell and port-forwarding capabilities, tools that are particularly useful for moving laterally once inside a target network rather than just controlling the initial compromised machine.

The malware also includes built-in checks to avoid duplicate infections and mechanisms to clean up logs and forensic evidence once its job is done.

Researchers noted the code includes unusually detailed comments, hinting that parts of the toolkit may have been built with help from an AI coding assistant.

Because mail servers often sit at the edge of a network, much like a VPN gateway, compromising one gives attackers a foothold that can be used to move further into an organization’s systems.

Proofpoint’s analysts stressed that defenders should treat mail server security with the same urgency typically reserved for remote access infrastructure.

The recommended response is straightforward: patch Roundcube promptly, monitor for unusual plugin file changes, and review DMARC policies since attackers exploited weak spoofing protections to send convincing lure emails.

Given how quietly this campaign has operated, organizations running older Roundcube versions should treat this as an urgent priority rather than routine maintenance.

While the specific targeting of physics departments might seem unusual, Proofpoint noted the real goal is likely broader espionage rather than academic research theft.

The campaign serves as a reminder that even overlooked infrastructure like webmail servers can become a serious entry point for state-linked hacking operations.

Indicators of Compromise (IoCs):-

Type Indicator Description
Email address jpcontreras@newfield[.]cl Compromised email address used to send phishing lures
IP address 45.150.109[.]151 IceCube JavaScript backdoor delivery and C&C
IP address 194.213.18[.]133 IceCube JavaScript backdoor delivery and C&C
IP address 45.86.229[.]111 VShell C&C server
URL hxxps://45.150.109[.]151.sslip.io:23088/app/js/jquery.min.js IceCube JavaScript backdoor delivery and C&C
URL hxxps://194.213.18[.]133.sslip.io:23088/app/js/jquery.min.js IceCube JavaScript backdoor delivery and C&C
URL hxxps://45.150.109[.]151.sslip.io:23088 IceCube JavaScript backdoor delivery and C&C
URL hxxps://194.213.18[.]133.sslip.io:23088 IceCube JavaScript backdoor delivery and C&C
URL hxxp://45.86.229[.]111/slw:8080 VShell delivery URL
SHA256 a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0 IceCube stealer file hash

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.