Suspected China-Aligned Hackers Exploit Roundcube Flaws at North American Universities

by

Suspected China-aligned hackers targeted Roundcube webmail installations at physics and engineering departments in U.S. and Canadian universities in a campaign first detected in May 2026, using patched vulnerabilities to steal credentials and gain persistent access.

KEY FACTS

  • Targeting Administrators and professors in departments tied to national security, astrophysics and particle physics.
  • Initial access Phishing emails abused Roundcube flaws, including CVE-2024-42009, to run JavaScript in the victim’s browser.
  • Follow-on payloads The campaign used a tool called IceCube, then attempted to deploy VShell or a web shell.
  • Detection Proofpoint tracks the activity as UNK_MassTraction.

Proofpoint’s technical analysis said the emails came from compromised senders and spoofed domains with weak DMARC policies. The campaign used generic lures, which suggested a broader target set than the company could directly observe.

The attack chain began with a cross-site scripting flaw that only required a recipient to open the message in Roundcube. Once inside, the malware tried to steal stored credentials, two-factor authentication data and cookies, while also collecting browser details such as language and screen size.

The stolen information was sent to an external system by HTTP POST request. The malware then used a CSRF token to trigger a second flaw, CVE-2025-49113, in an effort to drop VShell or a web shell called SquareShell in memory.

The report said a fallback method added in June 2026 could launch a shell script that fetched SNOWLIGHT, an ELF loader used in other China-linked intrusions. The code also used deferred triggers to keep the infection alive if the user closed the page, changed tabs or moved the mouse out of the browser window.

After exploitation, the malware deleted user and attacker sessions on the server, which forced a logout and removed some forensic evidence. The discovery is the first public link between a Chinese hacking group and the abuse of Roundcube flaws, which have previously been used by other state-backed actors.

WHY IT MATTERS

The campaign shows how email systems can be used as entry points into wider networks, especially when servers are running vulnerable software. It also highlights the need to secure mail servers with the same care given to VPNs and other remote access systems.