Skip to main content
institutional access

You are connecting from
Lake Geneva Public Library,
please login or register to take advantage of your institution's Ground News Plan.

Published loading...Updated

Hackers Exploit Roundcube Flaw to Spy on Academic Researchers

Proofpoint said fewer than 10 universities were confirmed hit as attackers used chained Roundcube flaws to steal credentials and keep long-term access.

  • On Tuesday, Proofpoint researchers reported that a China-aligned group has compromised U.S. and Canadian university networks since May 2026, exploiting Roundcube email servers to steal sensitive data and establish persistent access.
  • The espionage cluster, tracked as UNK_MassTraction, chains CVE-2024-42009 and CVE-2025-49113 to execute malicious JavaScript and install backdoors, bypassing traditional end-user targeting by compromising mail servers directly.
  • Attackers deploy tools including IceCube, a PHP web shell called SquareShell, and a Go-based backdoor named VShell; researchers noted the code contains Chinese-language strings and may have been developed with large language model assistance.
  • Proofpoint identified less than 10 confirmed university victims, though experts estimate a few dozen may be impacted, with attackers specifically targeting administrators and professors in physics, engineering, and national security departments.
  • Organizations exposing Roundcube to the internet should verify patches are installed immediately and review mail server logs for signs of new or modified files to detect potential compromise.
Insights by Ground AI

12 Articles

Lean Left

A report reveals that hackers linked to China targeted the physics and engineering departments of Canadian universities.

·Montreal, Canada
Read Full Article

An online spying group aligned with Beijing has launched an active campaign against at least ten universities in the United States and Canada, chaining two critical vulnerabilities of Roundcube mail client to steal credentials and establish persistent access.The attack, which exploits the CVE-2024-42009 and CVE-2025-49113, runs with just opening an email and has caught security teams by surprise, according to the report Proofpoint has just made …

Think freely.Subscribe and get full access to Ground NewsSubscriptions start at $9.99/yearSubscribe

Bias Distribution

  • 75% of the sources are Center
75% Center

Factuality Info Icon

To view factuality data please Upgrade to Premium

Ownership

Info Icon

To view ownership data please Upgrade to Vantage

Radio-Canada broke the news in Montreal, Canada on Tuesday, July 7, 2026.
Too Big Arrow Icon
Sources are mostly out of (0)

Similar News Topics

News
Feed Dots Icon
For You
Search Icon
Search
Blindspot LogoBlindspotLocal