PROBABLYPWNED
Threat IntelligenceJuly 13, 20264 min read

China-Linked Hackers Hit University Mail Servers via Roundcube

Proofpoint tracks UNK_MassTraction exploiting Roundcube flaws to target US and Canadian university physics departments. VShell post-exploitation tool deployed for persistent access.

Alex Kowalski

A China-aligned threat cluster has been exploiting Roundcube webmail vulnerabilities to compromise university mail servers across the United States and Canada. Proofpoint, which tracks the activity under the name UNK_MassTraction, observed attackers targeting physics and engineering departments—particularly those with national security ties or research in astrophysics and particle physics.

The campaign marks the first documented case of Chinese threat actors exploiting Roundcube flaws, which have historically been abused by Russian state-sponsored groups. Activity was first detected in May 2026, with the most recent observed intrusion occurring in early June.

Targeted Departments and Scope

Proofpoint directly observed attacks against fewer than 10 universities but estimates the total target pool at several dozen institutions. The focus on physics research—specifically astrophysics and particle physics—suggests intelligence collection on dual-use technologies or academic research with defense applications.

Administrators and professors were the primary targets, with attackers seeking credentials that could provide access to sensitive research data, grant applications, and communications with government agencies.

Attack Chain

The intrusion begins with phishing emails using either compromised sender accounts or spoofed domains. These emails exploit two Roundcube vulnerabilities:

CVE-2024-42009 (CVSS 9.3): A cross-site scripting flaw that enables credential theft, 2FA token capture, and session cookie exfiltration. The exploit performs browser reconnaissance (language settings, screen dimensions, form field values) before stealing authentication data.

CVE-2025-49113 (CVSS 9.9): A post-authenticated remote code execution vulnerability used to deploy persistent access tools after initial compromise.

Attackers weaponized CSRF tokens and implemented "deferred triggers" that monitor user actions to time secondary exploitation for maximum stealth.

Post-Exploitation Toolkit

Once inside mail servers, UNK_MassTraction deploys two tools for persistent access:

SquareShell: A PHP web shell deployed via gadget chain exploitation, reachable at plugins/newmail_notifier/mail_preview.php. The shell executes arbitrary commands in memory, avoiding disk-based detection.

VShell: A Go-based remote administration tool providing "post-compromise capabilities similar to Cobalt Strike." This enables lateral movement, credential dumping, and long-term access maintenance.

Some intrusions also deployed SNOWLIGHT, an ELF loader that fetches architecture-compatible payloads for further exploitation on Linux mail servers.

Attribution Confidence

Proofpoint attributes the activity to a China-aligned cluster with medium-high confidence. The toolkit shows overlap with tools previously linked to UNC5174, though no direct operational connection has been established. Shell scripts and infrastructure patterns suggest shared resources among multiple Chinese threat actors.

The targeting of academic research institutions aligns with documented Chinese intelligence priorities around advanced technology acquisition. Universities often maintain weaker security than defense contractors while conducting research of equal strategic value.

Why Universities Are Vulnerable

Academic institutions face structural security challenges that make them attractive targets:

  • Decentralized IT governance across departments
  • Legacy systems maintained for research continuity
  • Open collaboration culture that resists access restrictions
  • Limited security staffing relative to attack surface
  • Self-hosted email systems like Roundcube rather than enterprise cloud solutions

The Roundcube vulnerabilities exploited here were patched months ago, but university IT teams often lag behind on updates—particularly for systems that "still work."

Defensive Recommendations

  1. Patch Roundcube immediately if running versions vulnerable to CVE-2024-42009 or CVE-2025-49113
  2. Audit for SquareShell by checking for unexpected files at plugins/newmail_notifier/mail_preview.php
  3. Hunt for VShell indicators including unusual Go binaries and anomalous outbound connections
  4. Migrate to enterprise email where feasible—self-hosted webmail carries significant operational security burden
  5. Segment research networks to limit lateral movement from compromised mail servers

Organizations with phishing defense programs should update training to include scenarios mimicking academic communications and research collaboration requests.

Frequently Asked Questions

Which universities were compromised? Proofpoint has not named specific institutions. The company observed fewer than 10 universities directly compromised but estimates several dozen were targeted.

Are the Roundcube vulnerabilities still being actively exploited? Yes. Organizations running unpatched Roundcube instances remain at risk. The vulnerabilities have working exploits and clear targeting by sophisticated threat actors.

Related Articles