INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Suspected Chinese Threat Targets Universities via Vulnerable Roundcube Servers
| 2026-07-07 15:40 MEDIUM LOWExecutive Summary AI-generated
The suspected China-aligned threat cluster has been exploiting vulnerable Roundcube mail servers at universities in the US and Canada to steal credentials and establish network access. This is not an isolated incident, as previous campaigns have shown that China-aligned operators can gain unauthorized access to targeted organizations through internet-facing infrastructure, including edge devices and public-facing applications. Proofpoint found that VShell, a publicly available Go-based remote access tool, has previously been used by these operators across Windows, Linux and macOS environments. The attackers likely selected universities after identifying vulnerable Roundcube instances, compromising mail servers and using stolen credentials to gain server access rather than solely focusing on email data theft.
Technical Mitigations AI-generated
* Implement regular security updates and patches for vulnerable software, such as Roundcube, to prevent exploitation of known vulnerabilities.
* Use a web application firewall (WAF) or intrusion detection system (IDS) to monitor incoming traffic and block suspicious activity on mail servers.
* Conduct regular network scans using tools like Nmap or OpenVAS to identify potential entry points into the network that could be exploited by attackers.
* Implement multi-factor authentication (MFA) for all users accessing email services, including Roundcube, to prevent unauthorized access even if credentials are stolen.
* Regularly review and update phishing emails targeting universities with vulnerable systems, using techniques like social engineering or spear-phishing attacks.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
ShadowPadShadowPadCobalt StrikeCobalt Strike
CVE-2024-42009CVE-2024-42009
CVE-2025-49113CVE-2025-49113
Target & Sectors
NORTH_AMERICA
NORTH_AMERICA
Incident Timeline
May 2026
Threat actors used compromised Roundcube servers to target universities in May 2026, primarily focusing on administrators and professors with national security ties or research interests.
June 7
Threat actors used compromised Roundcube servers to target physics and engineering departments at academic institutions.
June 2026
Threat actors used SquareShell to target universities via vulnerable Roundcube servers.
Click on any entity below to view its context and source!
organisation
SquareShell
The secondary method is said to have been introduced in June 2026, when previously the attack chain would simply exit upon failing to deploy SquareShell.
2026/07/07
The suspected Chinese threat group used vulnerable Roundcube servers to burrow into universities via phishing emails that exploited CVE-2024-42009 and executed arbitrary JavaScript code in the victim's web browser.
Click on any entity below to view its context and source!
infrastructure
Roundcube
A suspected China-aligned threat cluster has been exploiting vulnerable Roundcube mail servers at universities in the US and Canada to steal credentials and establish network access.
Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities.
A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign.
The development marks the first time a Chinese hacking group has been tied to the exploitation of Roundcube flaws, which have been
traditionally
abused
by
state-sponsored threat actors
from Russia.
Suspected Chinese espionage group used a Roundcube exploit chain to burrow into universities.
Roundcube Servers Used as Network Entry Points
Proofpoint found that UNK_MassTraction used phishing emails containing malicious content designed to exploit CVE-2024-42009, a cross-site scripting (XSS) vulnerability in Roundcube.
Suspected Chinese Threat Group Targets Universities via Vulnerable Roundcube Servers.
Proofpoint assessed that the attackers likely selected these organizations after identifying vulnerable Roundcube instances.
The campaign used multiple known Roundcube vulnerabilities to compromise mail servers, using stolen credentials and server access as a pathway into victim networks rather than focusing solely on email data theft.
The firm observed the attackers using a range of techniques during the infection chain, including:
Credential theft through malicious JavaScript payloads
Server-side exploitation of vulnerable Roundcube components
Deployment of webshells for remote access
Memory-based execution of the VShell backdoor
Attackers Deploy VShell For Follow-On Access
After gaining access to Roundcube servers, UNK_MassTraction exploited CVE-2025-49113, a deserialization vulnerability, to deploy a webshell or install the VShell backdoor in memory.
While the nature of the cross-site scripting (XSS) exploit is such that it only requires the recipient to open the email in the Roundcube client in order to obtain access to the mail server, it's assessed that the targeted departments were singled out because they were all running versions of Roundcube susceptible to N-day security flaws.
"The actor is likely abusing Roundcube servers as a pivot point to enter target networks, and the operators have deliberately crafted their infection chain to avoid detection," Proofpoint researchers Greg Lesnewich and Mark Kelly said.
In the next step, IceCube leverages the session's CSRF token to weaponize a second post-authenticated remote code execution flaw in Roundcube -
CVE-2025-49113
(CVSS score: 9.9) - with the goal of obtaining a foothold in the mail server and dropping VShell or a web shell dubbed SquareShell in memory.
However, if the web shell installation fails for some reason, the attack chain falls back to an alternate mechanism in which a shell script is executed via the Roundcube vulnerability to ultimately deliver
VShell
.
"If any of those actions are taken, IceCube hooks those events, and re-attempts exploitation of CVE-2025-49113, and beacons to the C&C [command-and-control] that the user left the Roundcube session.
"
Upon completing these actions or running into a timeout, the JavaScript malware destroys user and malware-initiated sessions on the server, causing the user to log out and erase forensic evidence associated with the compromise from the Roundcube server.
Researchers traced the attacks to a pair of critical vulnerabilities in Roundcube, an open-source email client, that were exploited and chained together to steal credentials and gain long-term access.
organisation
CVE-2024-42009
Roundcube Servers Used as Network Entry Points
Proofpoint found that UNK_MassTraction used phishing emails containing malicious content designed to exploit CVE-2024-42009, a cross-site scripting (XSS) vulnerability in Roundcube.
This indicates that the threat actor likely carried out preparatory reconnaissance into these targets to gather information about their environments prior to sending phishing emails that trigger an exploit for CVE-2024-42009 and execute arbitrary JavaScript code in the context of the victim's web browser.
The threat cluster, which Proofpoint tracks as UNK_MassTraction, exploited
CVE-2024-42009
to execute JavaScript inside the victim’s browser, then exploited
CVE-2025-49113
to gain a foothold in the mailserver.
organisation
CVE-2025-49113
The firm observed the attackers using a range of techniques during the infection chain, including:
Credential theft through malicious JavaScript payloads
Server-side exploitation of vulnerable Roundcube components
Deployment of webshells for remote access
Memory-based execution of the VShell backdoor
Attackers Deploy VShell For Follow-On Access
After gaining access to Roundcube servers, UNK_MassTraction exploited CVE-2025-49113, a deserialization vulnerability, to deploy a webshell or install the VShell backdoor in memory.
"If any of those actions are taken, IceCube hooks those events, and re-attempts exploitation of CVE-2025-49113, and beacons to the C&C [command-and-control] that the user left the Roundcube session.
The threat cluster, which Proofpoint tracks as UNK_MassTraction, exploited
CVE-2024-42009
to execute JavaScript inside the victim’s browser, then exploited
CVE-2025-49113
to gain a foothold in the mailserver.
organisation
VShell
The firm observed the attackers using a range of techniques during the infection chain, including:
Credential theft through malicious JavaScript payloads
Server-side exploitation of vulnerable Roundcube components
Deployment of webshells for remote access
Memory-based execution of the VShell backdoor
Attackers Deploy VShell For Follow-On Access
After gaining access to Roundcube servers, UNK_MassTraction exploited CVE-2025-49113, a deserialization vulnerability, to deploy a webshell or install the VShell backdoor in memory.
In the next step, IceCube leverages the session's CSRF token to weaponize a second post-authenticated remote code execution flaw in Roundcube -
CVE-2025-49113
(CVSS score: 9.9) - with the goal of obtaining a foothold in the mail server and dropping VShell or a web shell dubbed SquareShell in memory.
Proofpoint attributes the campaign to a China-aligned cluster because the attackers used a known covert network used by multiple China-aligned threat groups, an infection chain leading to VShell and left Chinese language artifacts in the phishing emails.
infrastructure
Windows
Proofpoint said VShell, a publicly available Go-based remote access tool, has previously been used by China-aligned operators across Windows, Linux and macOS environments.
infrastructure
Linux
Proofpoint said VShell, a publicly available Go-based remote access tool, has previously been used by China-aligned operators across Windows, Linux and macOS environments.
infrastructure
Macos
Proofpoint said VShell, a publicly available Go-based remote access tool, has previously been used by China-aligned operators across Windows, Linux and macOS environments.
organisation
ELF
The shell script acts as a conduit for an ELF loader referred to as
SNOWLIGHT
and has been put to use in other intrusions orchestrated by Chinese adversaries.
organisation
IceCube
The JavaScript payload, tracked by Proofpoint as IceCube, was used to steal usernames, passwords, cookies and authentication data.
The payload delivered following the exploitation of the XSS flaw, codenamed IceCube, is designed to siphon credential information stored in the browser along with two-factor authentication (2FA) and cookies.
organisation
The Hacker News
"The emails targeting university departments used both compromised senders, as well as abused domains vulnerable to spoofing due to lax DMARC policy to send the emails," the enterprise security company wrote in a technical
report
shared with The Hacker News, adding the use of generic lures indicates a "larger targeting swath" beyond its visibility.
organisation
PHP
The web shell, deployed by means of a PHP gadget shell command, is remotely reachable at the endpoint "plugins/newmail_notifier/mail_preview.php" and enables arbitrary code execution.
organisation
CyberScoop
Proofpoint identified less than 10 university victims and estimates a few dozen universities may be impacted, Greg Lesnewich, principal threat researcher at Proofpoint, told CyberScoop.
victims
10 university victims
Proofpoint identified less than 10 university victims and estimates a few dozen universities may be impacted, Greg Lesnewich, principal threat researcher at Proofpoint, told CyberScoop.
Tactical Metrics
Metrics
infrastructure
Roundcube
Affected Product
Click for context!
A suspected China-aligned threat cluster has been exploiting vulnerable Roundcube mail servers at universities in the US and Canada to steal credentials and establish network access.
Roundcube Servers Used as Network Entry Points
Proofpoint found that UNK_MassTraction used phishing emails containing malicious content designed to exploit CVE-2024-42009, a cross-site scripting (XSS) vulnerability in Roundcube.
Suspected Chinese Threat Group Targets Universities via Vulnerable Roundcube Servers.
Proofpoint assessed that the attackers likely selected these organizations after identifying vulnerable Roundcube instances.
The campaign used multiple known Roundcube vulnerabilities to compromise mail servers, using stolen credentials and server access as a pathway into victim networks rather than focusing solely on email data theft.
The firm observed the attackers using a range of techniques during the infection chain, including:
Credential theft through malicious JavaScript payloads
Server-side exploitation of vulnerable Roundcube components
Deployment of webshells for remote access
Memory-based execution of the VShell backdoor
Attackers Deploy VShell For Follow-On Access
After gaining access to Roundcube servers, UNK_MassTraction exploited CVE-2025-49113, a deserialization vulnerability, to deploy a webshell or install the VShell backdoor in memory.
Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities.
A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign.
The development marks the first time a Chinese hacking group has been tied to the exploitation of Roundcube flaws, which have been
traditionally
abused
by
state-sponsored threat actors
from Russia.
While the nature of the cross-site scripting (XSS) exploit is such that it only requires the recipient to open the email in the Roundcube client in order to obtain access to the mail server, it's assessed that the targeted departments were singled out because they were all running versions of Roundcube susceptible to N-day security flaws.
"The actor is likely abusing Roundcube servers as a pivot point to enter target networks, and the operators have deliberately crafted their infection chain to avoid detection," Proofpoint researchers Greg Lesnewich and Mark Kelly said.
In the next step, IceCube leverages the session's CSRF token to weaponize a second post-authenticated remote code execution flaw in Roundcube -
CVE-2025-49113
(CVSS score: 9.9) - with the goal of obtaining a foothold in the mail server and dropping VShell or a web shell dubbed SquareShell in memory.
However, if the web shell installation fails for some reason, the attack chain falls back to an alternate mechanism in which a shell script is executed via the Roundcube vulnerability to ultimately deliver
VShell
.
"If any of those actions are taken, IceCube hooks those events, and re-attempts exploitation of CVE-2025-49113, and beacons to the C&C [command-and-control] that the user left the Roundcube session.
"
Upon completing these actions or running into a timeout, the JavaScript malware destroys user and malware-initiated sessions on the server, causing the user to log out and erase forensic evidence associated with the compromise from the Roundcube server.
Suspected Chinese espionage group used a Roundcube exploit chain to burrow into universities.
Researchers traced the attacks to a pair of critical vulnerabilities in Roundcube, an open-source email client, that were exploited and chained together to steal credentials and gain long-term access.
Metrics
infrastructure
Windows
Affected Product
Proofpoint said VShell, a publicly available Go-based remote access tool, has previously been used by China-aligned operators across Windows, Linux and macOS environments.
Metrics
infrastructure
Linux
Affected Product
Proofpoint said VShell, a publicly available Go-based remote access tool, has previously been used by China-aligned operators across Windows, Linux and macOS environments.
Metrics
infrastructure
Macos
Affected Product
Proofpoint said VShell, a publicly available Go-based remote access tool, has previously been used by China-aligned operators across Windows, Linux and macOS environments.
Metrics
victims
10
University Victims
Proofpoint identified less than 10 university victims and estimates a few dozen universities may be impacted, Greg Lesnewich, principal threat researcher at Proofpoint, told CyberScoop.
Intelligence Sources
Infosecurity-Magazine
2026-07-07
Suspected Chinese Threat Group Targets Universities via Vulnerable Roundcube Servers
Infosecurity-Magazine
The Hacker News
2026-07-07
CyberScoop
2026-07-07
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-08T06:01
Comprehensive Tactical Telemetry
Highly Correlated Entities
11x
organisation
Identified Entity
CVE-2024-42009
entity
5x
tactic
Cyber Operation Type
Phishing
tactic
4x
infrastructure
Affected Product
Roundcube
software
3x
source region
Origin Country
China
country
3x
timeline
Temporal Reference
June 7
date
2x
target region
Target Country
Canada
country
2x
vulnerability
Exploited CVE
CVE-2024-42009
cve
2x
tactic
MITRE ATT&CK Technique
T1059.007 - JavaScript
technique
2x
general metric
Score
9
score
Contextual Telemetry
Context Block
3 METRICS
malware
Malware Payload
ShadowPad
tool
malware
Offensive Tool
Cobalt Strike
tool
victims
University Victims
10
university victims
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.