Home Risk & Resilience Suspected China Aligned Hackers Exploit Roundcube Vulnerabilities To Target University Email Systems

Suspected China Aligned Hackers Exploit Roundcube Vulnerabilities To Target University Email Systems

0
Suspected China Aligned Hackers Exploit Roundcube Vulnerabilities To Target University Email Systems

A suspected China aligned threat group has been observed exploiting critical vulnerabilities in Roundcube webmail software to target physics and engineering departments at universities in the United States and Canada, according to new research published by Proofpoint. The campaign, tracked under the name UNK_MassTraction, was first detected in May 2026 and primarily focused on administrators and professors associated with departments connected to national security research or advanced scientific fields such as astrophysics and particle physics. Researchers said the attackers exploited patched vulnerabilities in the open source email platform, including CVE 2024 42009, to steal user credentials before deploying either a web shell for persistent access or a post exploitation tool known as VShell. Proofpoint noted that the phishing emails were delivered using compromised sender accounts and domains that were vulnerable to spoofing because of weak DMARC policies, suggesting the campaign may have targeted a broader range of organizations beyond those directly identified in the investigation.

According to the report, the attack chain relied on a cross site scripting vulnerability that required recipients only to open a malicious email in the Roundcube client for the exploit to execute. Researchers believe the attackers conducted reconnaissance before launching the campaign, identifying organizations that were running vulnerable versions of Roundcube and tailoring phishing messages accordingly. The exploit executed arbitrary JavaScript code in the victim’s browser and delivered a payload called IceCube, which was designed to collect browser stored credentials, two factor authentication data, cookies, browser language settings, screen size, and form field information. The harvested data was then transmitted to an external server through an HTTP POST request. IceCube subsequently used the active session’s CSRF token to exploit another critical Roundcube vulnerability, CVE 2025 49113, enabling remote code execution on the mail server. Successful exploitation allowed the attackers to install either a memory resident web shell named SquareShell or VShell, providing long term access to compromised systems. If the deployment of SquareShell failed, the malware automatically shifted to an alternate infection method that executed a shell script through the same vulnerability to install VShell instead, increasing the reliability of the intrusion process.

Proofpoint researchers explained that the alternate deployment mechanism was introduced in June 2026 after earlier versions of the attack would terminate if SquareShell could not be installed. The shell script functions as a delivery mechanism for an ELF loader called SNOWLIGHT, which has previously been observed in campaigns linked to Chinese cyber activity. Researchers also noted that both SNOWLIGHT and VShell have been associated with the China linked cluster UNC5174, suggesting that some tools or techniques may be privately shared among multiple threat groups. IceCube also incorporates deferred triggers that monitor user behavior throughout the session. The malware watches for actions such as closing the browser tab, switching to another tab, moving the cursor outside the browser window, or selecting the logout option. Whenever one of these actions occurs, the malware attempts to exploit the remote code execution vulnerability again while notifying its command and control infrastructure that the user has left the active session. After completing its activities or reaching a timeout, the malicious JavaScript destroys both legitimate and attacker created sessions, forcing users to log out while reducing forensic evidence left on the Roundcube server.

Proofpoint stated that VShell is a remote administration tool written in Go that provides capabilities similar to Cobalt Strike and has been used by several China aligned threat groups in recent years. Researchers described this campaign as the first publicly documented instance in which a China linked hacking group has been associated with exploiting Roundcube vulnerabilities, a tactic previously more commonly attributed to Russian state sponsored operations. The company added that the campaign demonstrates a mature operational approach, combining reconnaissance, phishing, exploitation of known vulnerabilities, credential theft, persistence, and anti forensic techniques within a single attack chain. Proofpoint also emphasized that email servers should be treated as high value network assets and protected with the same level of attention as VPN gateways and other remote access infrastructure because they continue to represent attractive entry points for sophisticated cyber threat actors.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.