Hackers Exploit Roundcube Flaw to Spy on Academic Researchers
Proofpoint said fewer than 10 universities were confirmed hit as attackers used chained Roundcube flaws to steal credentials and keep long-term access.
- On Tuesday, Proofpoint researchers reported that a China-aligned group has compromised U.S. and Canadian university networks since May 2026, exploiting Roundcube email servers to steal sensitive data and establish persistent access.
- The espionage cluster, tracked as UNK_MassTraction, chains CVE-2024-42009 and CVE-2025-49113 to execute malicious JavaScript and install backdoors, bypassing traditional end-user targeting by compromising mail servers directly.
- Attackers deploy tools including IceCube, a PHP web shell called SquareShell, and a Go-based backdoor named VShell; researchers noted the code contains Chinese-language strings and may have been developed with large language model assistance.
- Proofpoint identified less than 10 confirmed university victims, though experts estimate a few dozen may be impacted, with attackers specifically targeting administrators and professors in physics, engineering, and national security departments.
- Organizations exposing Roundcube to the internet should verify patches are installed immediately and review mail server logs for signs of new or modified files to detect potential compromise.
12 Articles
12 Articles
Suspected Chinese espionage group used a Roundcube exploit chain to burrow into universities
China-aligned attackers broke into the networks of U.S. and Canadian universities to steal sensitive data and establish persistent access via webshells and backdoors, Proofpoint threat researchers said Tuesday. The espionage-motivated attacks targeted physics and engineering departments, focusing on administrators and professors with national security links or organizations researching astrophysics and particle physics. Proofpoint identified le…
A report reveals that hackers linked to China targeted the physics and engineering departments of Canadian universities.
Hackers Exploit Roundcube N-Day Flaws to Steal Credentials and Deploy VShell
A newly identified hacking campaign is targeting university mail servers by exploiting known but unpatched flaws in Roundcube webmail software. The attackers are using these gaps to quietly steal login credentials and plant a powerful backdoor called VShell deep inside compromised systems. The campaign, tracked under the name UNK_MassTraction, has been active since May 2026 and is aimed squarely at physics and engineering departments at major un…
An online spying group aligned with Beijing has launched an active campaign against at least ten universities in the United States and Canada, chaining two critical vulnerabilities of Roundcube mail client to steal credentials and establish persistent access.The attack, which exploits the CVE-2024-42009 and CVE-2025-49113, runs with just opening an email and has caught security teams by surprise, according to the report Proofpoint has just made …
Coverage Details
Bias Distribution
- 75% of the sources are Center
Factuality
To view factuality data please Upgrade to Premium








