INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).

Suspected Chinese Threat Targets Universities via Vulnerable Roundcube Servers

| 2026-07-07 15:40 MEDIUM LOW
Executive Summary AI-generated
The suspected China-aligned threat cluster has been exploiting vulnerable Roundcube mail servers at universities in the US and Canada to steal credentials and establish network access. This is not an isolated incident, as previous campaigns have shown that China-aligned operators can gain unauthorized access to targeted organizations through internet-facing infrastructure, including edge devices and public-facing applications. Proofpoint found that VShell, a publicly available Go-based remote access tool, has previously been used by these operators across Windows, Linux and macOS environments. The attackers likely selected universities after identifying vulnerable Roundcube instances, compromising mail servers and using stolen credentials to gain server access rather than solely focusing on email data theft.
Technical Mitigations AI-generated
* Implement regular security updates and patches for vulnerable software, such as Roundcube, to prevent exploitation of known vulnerabilities. * Use a web application firewall (WAF) or intrusion detection system (IDS) to monitor incoming traffic and block suspicious activity on mail servers. * Conduct regular network scans using tools like Nmap or OpenVAS to identify potential entry points into the network that could be exploited by attackers. * Implement multi-factor authentication (MFA) for all users accessing email services, including Roundcube, to prevent unauthorized access even if credentials are stolen. * Regularly review and update phishing emails targeting universities with vulnerable systems, using techniques like social engineering or spear-phishing attacks.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
ShadowPadShadowPadCobalt StrikeCobalt Strike CVE-2024-42009CVE-2024-42009 CVE-2025-49113CVE-2025-49113
Target & Sectors
NORTH_AMERICA NORTH_AMERICA
Incident Timeline
‎May 2026
Threat actors used compromised Roundcube servers to target universities in May 2026, primarily focusing on administrators and professors with national security ties or research interests.
‎June 7
Threat actors used compromised Roundcube servers to target physics and engineering departments at academic institutions.
‎June 2026
Threat actors used SquareShell to target universities via vulnerable Roundcube servers.
organisation SquareShell
‎2026/07/07
The suspected Chinese threat group used vulnerable Roundcube servers to burrow into universities via phishing emails that exploited CVE-2024-42009 and executed arbitrary JavaScript code in the victim's web browser.
infrastructure Roundcube
organisation CVE-2024-42009
organisation CVE-2025-49113
organisation VShell
infrastructure Windows
infrastructure Linux
infrastructure Macos
organisation ELF
organisation IceCube
organisation The Hacker News
organisation PHP
organisation CyberScoop
victims 10 university victims
Tactical Metrics
Metrics
infrastructure
‎Roundcube
Affected Product
Metrics
infrastructure
‎Windows
Affected Product
Metrics
infrastructure
‎Linux
Affected Product
Metrics
infrastructure
‎Macos
Affected Product
Metrics
victims
10
University Victims