One Email Closer to the Edge: UNK_MassTraction & the Physics of Exploitation

    Date: 07/08/2026

    Severity: High

    Summary

    Since May 2026, a suspected China-aligned threat cluster named UNK_MassTraction has targeted Roundcube mailservers. The campaign specifically targets physics and engineering departments at US and Canadian universities. High-value targets include entities with national security ties or those studying astrophysics and particle physics. Threat actors exploit multiple vulnerabilities, including the CVE-2024-42009 cross-site scripting flaw. Exploitation triggers automatically when a user opens the email, requiring no further interaction. Successful attacks steal credentials, install webshells, or deploy memory-resident VShell backdoors. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    https://45.150.109.151.sslip.io:23088/app/js/jquery.min.js

    https://194.213.18.133.sslip.io:23088/app/js/jquery.min.js

    https://45.150.109.151.sslip.io:23088

    https://194.213.18.133.sslip.io:23088

    http://45.86.229.111/slw:8080

    IP Address 

    45.150.109.151

    194.213.18.133

    45.86.229.111

    Hash 

    a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0

    Email Address 

    jpcontreras@newfield.cl

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://45.150.109.151.sslip.io:23088/app/js/jquery.min.js" or url like "https://45.150.109.151.sslip.io:23088/app/js/jquery.min.js" or siteurl like "https://45.150.109.151.sslip.io:23088/app/js/jquery.min.js" or domainname like "https://194.213.18.133.sslip.io:23088" or url like "https://194.213.18.133.sslip.io:23088" or siteurl like "https://194.213.18.133.sslip.io:23088" or domainname like "http://45.86.229.111/slw:8080" or url like "http://45.86.229.111/slw:8080" or siteurl like "http://45.86.229.111/slw:8080" or domainname like "https://194.213.18.133.sslip.io:23088/app/js/jquery.min.js" or url like "https://194.213.18.133.sslip.io:23088/app/js/jquery.min.js" or siteurl like "https://194.213.18.133.sslip.io:23088/app/js/jquery.min.js" or domainname like "https://45.150.109.151.sslip.io:23088" or url like "https://45.150.109.151.sslip.io:23088" or siteurl like "https://45.150.109.151.sslip.io:23088"

    Detection Query 2 :

    dstipaddress IN ("45.150.109.151","194.213.18.133","45.86.229.111") or srcipaddress IN ("45.150.109.151","194.213.18.133","45.86.229.111")

    Detection Query 3 :

    sha256hash IN ("a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0")

    Detection Query 4 :

    sender like "jpcontreras@newfield.cl" or recipient from like "jpcontreras@newfield.cl" or from like "jpcontreras@newfield.cl"

    Reference:    

    https://www.proofpoint.com/us/blog/threat-insight/one-email-closer-edge-unkmasstraction-physics-exploitation                


    Tags

    Credential HarvestingBackdoorMalwareThreat ActorVulnerabilityCVE - 2024ExploitEducationChinaUnited StatesCanadaVSHell

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags