China-Linked Hackers Hit University Mail Servers via Roundcube
Proofpoint tracks UNK_MassTraction exploiting Roundcube flaws to target US and Canadian university physics departments. VShell post-exploitation tool deployed for persistent access.
A China-aligned threat cluster has been exploiting Roundcube webmail vulnerabilities to compromise university mail servers across the United States and Canada. Proofpoint, which tracks the activity under the name UNK_MassTraction, observed attackers targeting physics and engineering departments—particularly those with national security ties or research in astrophysics and particle physics.
The campaign marks the first documented case of Chinese threat actors exploiting Roundcube flaws, which have historically been abused by Russian state-sponsored groups. Activity was first detected in May 2026, with the most recent observed intrusion occurring in early June.
Targeted Departments and Scope
Proofpoint directly observed attacks against fewer than 10 universities but estimates the total target pool at several dozen institutions. The focus on physics research—specifically astrophysics and particle physics—suggests intelligence collection on dual-use technologies or academic research with defense applications.
Administrators and professors were the primary targets, with attackers seeking credentials that could provide access to sensitive research data, grant applications, and communications with government agencies.
Attack Chain
The intrusion begins with phishing emails using either compromised sender accounts or spoofed domains. These emails exploit two Roundcube vulnerabilities:
CVE-2024-42009 (CVSS 9.3): A cross-site scripting flaw that enables credential theft, 2FA token capture, and session cookie exfiltration. The exploit performs browser reconnaissance (language settings, screen dimensions, form field values) before stealing authentication data.
CVE-2025-49113 (CVSS 9.9): A post-authenticated remote code execution vulnerability used to deploy persistent access tools after initial compromise.
Attackers weaponized CSRF tokens and implemented "deferred triggers" that monitor user actions to time secondary exploitation for maximum stealth.
Post-Exploitation Toolkit
Once inside mail servers, UNK_MassTraction deploys two tools for persistent access:
SquareShell: A PHP web shell deployed via gadget chain exploitation, reachable at plugins/newmail_notifier/mail_preview.php. The shell executes arbitrary commands in memory, avoiding disk-based detection.
VShell: A Go-based remote administration tool providing "post-compromise capabilities similar to Cobalt Strike." This enables lateral movement, credential dumping, and long-term access maintenance.
Some intrusions also deployed SNOWLIGHT, an ELF loader that fetches architecture-compatible payloads for further exploitation on Linux mail servers.
Attribution Confidence
Proofpoint attributes the activity to a China-aligned cluster with medium-high confidence. The toolkit shows overlap with tools previously linked to UNC5174, though no direct operational connection has been established. Shell scripts and infrastructure patterns suggest shared resources among multiple Chinese threat actors.
The targeting of academic research institutions aligns with documented Chinese intelligence priorities around advanced technology acquisition. Universities often maintain weaker security than defense contractors while conducting research of equal strategic value.
Why Universities Are Vulnerable
Academic institutions face structural security challenges that make them attractive targets:
- Decentralized IT governance across departments
- Legacy systems maintained for research continuity
- Open collaboration culture that resists access restrictions
- Limited security staffing relative to attack surface
- Self-hosted email systems like Roundcube rather than enterprise cloud solutions
The Roundcube vulnerabilities exploited here were patched months ago, but university IT teams often lag behind on updates—particularly for systems that "still work."
Defensive Recommendations
- Patch Roundcube immediately if running versions vulnerable to CVE-2024-42009 or CVE-2025-49113
- Audit for SquareShell by checking for unexpected files at
plugins/newmail_notifier/mail_preview.php - Hunt for VShell indicators including unusual Go binaries and anomalous outbound connections
- Migrate to enterprise email where feasible—self-hosted webmail carries significant operational security burden
- Segment research networks to limit lateral movement from compromised mail servers
Organizations with phishing defense programs should update training to include scenarios mimicking academic communications and research collaboration requests.
Frequently Asked Questions
Which universities were compromised? Proofpoint has not named specific institutions. The company observed fewer than 10 universities directly compromised but estimates several dozen were targeted.
Are the Roundcube vulnerabilities still being actively exploited? Yes. Organizations running unpatched Roundcube instances remain at risk. The vulnerabilities have working exploits and clear targeting by sophisticated threat actors.
Related Articles
Chinese Hackers Stole US Defense, AI Data for 14 Months Undetected
Google TAG exposes UNC6508 campaign that compromised US and Canadian medical, academic, and military research labs since September 2023 using custom INFINITERED malware.
Jun 16, 2026Chinese APT Calypso Deploys Showboat and JFMBackdoor Against Telecoms
China-linked Calypso group targets telecoms across Middle East and Asia Pacific with new Linux and Windows malware. Showboat provides SOCKS5 proxy access; JFMBackdoor enables full system control.
May 22, 2026Silk Typhoon Hacker Extradited to U.S. for COVID Vaccine Theft
Chinese national Xu Zewei faces nine federal counts after extradition from Italy for alleged role in Silk Typhoon attacks stealing COVID-19 vaccine research from U.S. universities and research institutions.
Apr 28, 2026Phantom Taurus Deploys Net-Star Backdoors Across Africa
Unit 42 exposes Phantom Taurus, a Chinese APT targeting embassies and foreign ministries with fileless NET-STAR malware. The group resurfaces within hours after discovery.
Apr 4, 2026