Threat Advisory

UNK MassTraction Campaign Utilizes Phishing Emails to Deliver VShell Backdoor

Threat: Malicious Camaign
Targeted Region: U.S., Canada
Targeted Sector: Technology & IT, Education
Criticality: High
[subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

A cyber espionage cluster tracked as UNK MassTraction has been observed targeting vulnerable Roundcube webmail servers associated with physics and engineering departments at universities in the United States and Canada. The campaign uses email-based exploitation techniques to compromise mail servers, steal sensitive authentication data, and establish persistent access within targeted environments by exploiting vulnerabilities including CVE-2024-42009 and CVE-2025-49113. The attackers appear to leverage compromised or spoofed email infrastructure to deliver specially crafted messages designed to exploit weaknesses in Roundcube installations.[/subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

A cyber espionage cluster tracked as UNK MassTraction has been observed targeting vulnerable Roundcube webmail servers associated with physics and engineering departments at universities in the United States and Canada. The campaign uses email-based exploitation techniques to compromise mail servers, steal sensitive authentication data, and establish persistent access within targeted environments by exploiting vulnerabilities including CVE-2024-42009 and CVE-2025-49113. The attackers appear to leverage compromised or spoofed email infrastructure to deliver specially crafted messages designed to exploit weaknesses in Roundcube installations.[emaillocker id="1283"]

The attacks begin with phishing emails containing exploits for multiple Roundcube vulnerabilities, including an XSS flaw that enabled JavaScript execution when victims opened the email through a vulnerable webmail interface. The executed JavaScript, identified as IceCube, was designed to steal browser data, authentication information, cookies, credentials, and session tokens. After gaining access, the attacks exploited additional Roundcube vulnerabilities to deploy a webshell named SquareShell or execute the VShell backdoor directly in server memory. VShell provided remote access capabilities, including command execution and network pivoting functions, allowing further movement within compromised environments. The campaign also demonstrated evasion techniques such as cleanup mechanisms, session manipulation, and fallback execution methods to maintain access while reducing forensic visibility.

The UNK_MassTraction campaign highlights the risk of exposed email infrastructure being used as an entry point for broader network compromise. By combining phishing techniques, exploitation of unpatched Roundcube vulnerabilities, credential theft, and backdoor deployment, the attackers were able to transform mail servers into strategic access points for espionage operations. Organizations operating internet-facing mail systems should prioritize vulnerability management, apply security updates, monitor suspicious email activity, and strengthen detection capabilities to reduce the risk of similar attacks.

 

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial Access T1566.002 Phishing Spearphishing Link
T1190 Exploit Public-Facing Application
Execution T1059.004 Command and Scripting Interpreter Unix Shell
T1059.007 JavaScript
Persistence T1505.003 Server Software Component Web Shell
Credential Access T1552.004 Unsecured Credentials Private Keys
T1555.003 Credentials from Password Stores Credentials from Web Browsers
T1539 Steal Web Session Cookie
Discovery T1087.003 Account Discovery Email Account
T1082 System Information Discovery
Collection T1114.002 Email Collection Remote Email Collection
T1056.003 Input Capture Web Portal Capture
Command and Control T1071.001 Application Layer Protocol Web Protocols
T1105 Ingress Tool Transfer
T1573.001 Encrypted Channel Symmetric Cryptography
Exfiltration T1041 Exfiltration Over C2 Channel

 

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/unk-masstraction-roundcube-vshell/

https://www.proofpoint.com/us/blog/threat-insight/one-email-closer-edge-unkmasstraction-physics-exploitation

[/emaillocker]
crossmenu