China-Aligned Hackers Exploit Roundcube Servers at Universities  | eSecurity Planet

China-Aligned Hackers Exploit Roundcube Servers at Universities 

Proofpoint uncovered a suspected China-aligned campaign targeting vulnerable Roundcube mail servers.

Written By
Ken Underhill
Ken Underhill
Jul 8, 2026
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Proofpoint has identified a suspected China-aligned threat actor exploiting vulnerable Roundcube servers at U.S. and Canadian universities to steal credentials and gain persistent access. 

Rather than targeting email content alone, the campaign appears designed to use compromised mail servers as an entry point into broader institutional networks.

Proofpoint tracks the activity cluster as UNK_MassTraction, a temporary designation used for emerging threat clusters that have not yet been assigned a formal threat actor identifier. 

Since May 2026, the group has targeted physics and engineering departments, particularly those involved in astrophysics, particle physics, and research with national security connections.

Key Takeaways of the Proofpoint Research

  • A suspected China-aligned threat actor exploited multiple Roundcube vulnerabilities to steal credentials and establish persistent access to university mail servers.
  • The campaign targeted vulnerable Roundcube servers at U.S. and Canadian universities, using compromised mail servers as a gateway into broader institutional networks.
  • Attackers combined credential theft, webshell deployment, and the VShell backdoor to maintain access while employing multiple techniques to evade detection. 

How Roundcube vulnerabilities enabled multi-stage attacks 

The campaign exploits multiple previously disclosed Roundcube vulnerabilities to compromise webmail servers. 

The attack begins with CVE-2024-42009, a cross-site scripting (XSS) flaw that allows malicious JavaScript to execute when a victim simply opens a specially crafted email in a vulnerable Roundcube webmail client.

Once executed, the JavaScript loader deploys a credential-stealing payload that Proofpoint calls IceCube. 

The malware collects usernames, passwords, session cookies, two-factor authentication material, and browser reconnaissance data before transmitting the information to command-and-control (C2) infrastructure.

IceCube then leverages a second vulnerability, CVE-2025-49113, to gain server-side access by exploiting a deserialization flaw. 

Depending on the environment, the malware either installs a webshell known as SquareShell or loads the VShell backdoor directly into memory, providing attackers with persistent access while minimizing forensic evidence.

Proofpoint noted that the malware appears intentionally engineered to evade detection by cleaning up browser artifacts, monitoring user activity, retrying failed exploitation attempts, and destroying active sessions after compromise.

Advertisement

Why universities were targeted in the Roundcube campaign 

Although the phishing lures were generic, Proofpoint believes the campaign’s targets were anything but random.

The researchers observed attacks against physics and engineering departments at major U.S. and Canadian universities that were running vulnerable versions of Roundcube. 

This suggests the threat actor conducted reconnaissance before launching the campaign to identify organizations susceptible to the exploits.

While the emails primarily targeted professors and administrators, Proofpoint noted that the exploit only required recipients to open the email in a vulnerable Roundcube webmail client. 

As a result, the specific recipient may have been less important than gaining access to the underlying mail server. 

How attackers use mail servers as network pivot points 

Unlike attacks focused on stealing email content, UNK_MassTraction appears to treat mail servers as network edge devices that provide an opportunity to move deeper into victim environments.

VShell, the publicly available backdoor deployed during some infections, supports interactive command execution and port forwarding, capabilities commonly used to pivot through compromised networks. 

Proofpoint noted that several China-aligned threat groups have previously adopted VShell during intrusions targeting Linux, Windows, and macOS systems.

The researchers also observed mature operational security throughout the campaign. 

This included timestomping webshells to blend into legitimate files, fallback mechanisms to maintain the infection chain if exploitation failed, and extensive logging designed to help operators troubleshoot unsuccessful compromises. 

Advertisement

How defenders should secure Roundcube mail servers 

The campaign highlights why internet-facing mail servers require the same level of protection as VPN gateways and other remote access infrastructure.

Organizations running Roundcube should apply available patches and monitor webmail environments for unusual authentication activity. 

They should also inspect systems for unauthorized webshells and review server logs for evidence of exploitation attempts. 

Security teams should also implement phishing-resistant multifactor authentication, continuously monitor privileged accounts, and restrict administrative access.

Proofpoint assesses with moderate confidence that UNK_MassTraction is a China-aligned espionage group based on its infrastructure, use of VShell, targeting patterns, and Chinese-language artifacts observed during the campaign.

The research serves as a reminder that email infrastructure remains an attractive target for advanced threat actors. 

As attackers continue targeting internet-facing infrastructure, organizations are implementing Zero Trust solutions to continuously verify identities, enforce least-privilege access, and reduce the risk of lateral movement. 

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.