Skip to main content
Emerging ThreatsMalware & Ransomware

China-Aligned Hackers Exploit Roundcube Servers at US, Canada Universities

University campus scene with a building and clock tower, hint of computer equipment in foreground.

"The campaign is a reminder that email delivery can facilitate compromise of mail servers, and that Chinese operators will continue to treat them like any other edge device," Proofpoint warned.

What Proofpoint documented on June 7

On June 7, Proofpoint published research tracing a suspected China-aligned cluster it labeled UNK_MassTraction. The firm reported the cluster was exploiting vulnerable Roundcube webmail servers at universities in the United States and Canada. Proofpoint said the operators targeted physics and engineering departments at academic institutions that have potential links to national security, and that attackers likely selected those organizations after identifying exposed Roundcube instances.

Two CVEs used as the entry and persistence vectors: CVE-2024-42009 and CVE-2025-49113

Proofpoint observed the campaign chaining two known Roundcube vulnerabilities. The first, CVE-2024-42009, is a cross-site scripting (XSS) flaw that attackers exploited via phishing emails containing malicious content. When executed in a vulnerable Roundcube webmail client, the exploit allowed attacker-controlled JavaScript to run in victims’ browsers. The second, CVE-2025-49113, is a deserialization vulnerability Proofpoint said operators leveraged after initial access to deploy a webshell or install a backdoor in memory.

IceCube, webshells and VShell: tools and techniques in the infection chain

Proofpoint tracked the malicious JavaScript payload used in the XSS phase as IceCube. According to the firm, IceCube stole usernames, passwords, cookies and other authentication data, gathered information about victims’ environments, and used stolen session data to continue the compromise. Across the observed incidents, Proofpoint reported a range of techniques: credential theft through malicious JavaScript, server-side exploitation of vulnerable Roundcube components, deployment of webshells for remote access, and memory-based execution of the VShell backdoor.

Proofpoint described VShell as a publicly available, Go-based remote access tool. The firm noted VShell has previously been used by China-aligned operators across Windows, Linux and macOS environments. In Proofpoint’s assessment, VShell’s interactive shell access and port-forwarding capabilities support deeper movement inside compromised networks once attackers have footholds on mail servers.

Targeting and intent: why these academic departments

Proofpoint assessed the campaign's objectives as espionage-focused. The firm based that judgment on the choice of targets—physics and engineering departments at U.S. and Canadian universities—along with infrastructure links and the presence of Chinese language artifacts in some phishing emails. Proofpoint also emphasized that the campaign used stolen credentials and direct server access as a pathway into victim networks rather than merely extracting email content.

What this means for university IT teams, policymakers and security vendors

  • University IT teams: Proofpoint’s findings point to mail servers—specifically internet-facing Roundcube instances—as viable network entry points. IT teams will need to inventory exposed webmail instances and treat mail servers as remote-access nodes worthy of the same scrutiny given to VPN concentrators, the firm warned.
  • Policymakers and regulators: The targeting of academic departments with potential ties to national security may prompt attention to how universities manage internet-facing applications and how disclosures of critical vulnerabilities are acted upon across higher education networks.
  • Security vendors and incident responders: The use of IceCube for browser-based credential theft and VShell for in-memory persistence highlights a combination of client-side and server-side capabilities that defenders should monitor for, Proofpoint’s report implies.

Proofpoint’s report underscores a practical point in its own words: defenders should prioritize protecting mail servers "as thoroughly as they do their VPN concentrators and other remote access nodes on their networks." The firm’s documentation of UNK_MassTraction’s chain—phishing to exploit CVE-2024-42009, JavaScript-based credential capture via IceCube, server exploitation of Roundcube, and memory-resident VShell for follow-on access—frames mail servers not simply as repositories of email, but as potential beachheads for espionage-oriented intrusions.

Original story