[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcspap6HR1NStEqthHvrZ4NaY_unOS_iOfX2kJH2OlKU":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"e1bad131-9852-46d4-8f4d-ea87195f7b8c","Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities","suspected-china-aligned-hackers-exploit-roundcube-flaws-against-universities-dea002","A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign. The activity involves the exploitation of now-patched, critical security flaws in the open-source email solution, such as CVE-2024-42009 (CVSS score: 9.3), to siphon credentials,","A China-aligned threat group, tracked as UNK_MassTraction, is exploiting critical vulnerabilities in Roundcube webmail software at U.S. and Canadian universities. The campaign targets physics and engineering departments, aiming to steal credentials and deploy web shells or VShell for persistent access. The attackers leverage CVE-2024-42009 and CVE-2025-49113 to gain a foothold and exfiltrate data.","China-aligned hackers exploit Roundcube flaws against US\u002FCanadian universities.","Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities Ravie LakshmananJul 07, 2026Email Security \u002F Vulnerability A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign. The activity involves the exploitation of now-patched, critical security flaws in the open-source email solution, such as CVE-2024-42009 (CVSS score: 9.3), to siphon credentials, followed by either the deployment of a web shell for persistent access or a known post-exploitation tool called VShell. The emerging threat cluster is being tracked by Proofpoint under the moniker UNK_MassTraction. It was first detected in May 2026, specifically focusing on administrators and professors in departments with either national security ties or entities studying astrophysics and particle physics. \"The emails targeting university departments used both compromised senders, as well as abused domains vulnerable to spoofing due to lax DMARC policy to send the emails,\" the enterprise security company wrote in a technical report shared with The Hacker News, adding the use of generic lures indicates a \"larger targeting swath\" beyond its visibility. While the nature of the cross-site scripting (XSS) exploit is such that it only requires the recipient to open the email in the Roundcube client in order to obtain access to the mail server, it's assessed that the targeted departments were singled out because they were all running versions of Roundcube susceptible to N-day security flaws. This indicates that the threat actor likely carried out preparatory reconnaissance into these targets to gather information about their environments prior to sending phishing emails that trigger an exploit for CVE-2024-42009 and execute arbitrary JavaScript code in the context of the victim's web browser. \"The actor is likely abusing Roundcube servers as a pivot point to enter target networks, and the operators have deliberately crafted their infection chain to avoid detection,\" Proofpoint researchers Greg Lesnewich and Mark Kelly said. The payload delivered following the exploitation of the XSS flaw, codenamed IceCube, is designed to siphon credential information stored in the browser along with two-factor authentication (2FA) and cookies. It also carries out reconnaissance of its own to collect information about the browser language, screen size, and form field values. screen size, and form field values. The harvested information is sent to an external system by means of an HTTP POST request. In the next step, IceCube leverages the session's CSRF token to weaponize a second post-authenticated remote code execution flaw in Roundcube - CVE-2025-49113 (CVSS score: 9.9) - with the goal of obtaining a foothold in the mail server and dropping VShell or a web shell dubbed SquareShell in memory. The web shell, deployed by means of a PHP gadget shell command, is remotely reachable at the endpoint \"plugins\u002Fnewmail_notifier\u002Fmail_preview.php\" and enables arbitrary code execution. However, if the web shell installation fails for some reason, the attack chain falls back to an alternate mechanism in which a shell script is executed via the Roundcube vulnerability to ultimately deliver VShell. The secondary method is said to have been introduced in June 2026, when previously the attack chain would simply exit upon failing to deploy SquareShell. The shell script acts as a conduit for an ELF loader referred to as SNOWLIGHT and has been put to use in other intrusions orchestrated by Chinese adversaries. The use of both SNOWLIGHT and VShell has been linked to a China-linked cluster tracked as UNC5174 in the past. This suggests that the shell script is possibly shared by multiple China-nexus clusters in a private capacity, similar to ShadowPad and other tools. The script's main responsibility is to fetch a version of SNOWLIGHT that's compatible with the host's system architecture and then execute it. \"IceCube also sets up what it calls 'deferred triggers' to ensure continuance of the infection chain,\" Proofpoint said. \"The deferred triggers monitor if the user closes the page or changes tabs, checks if the mouse leaves the browser window, and hijacks the logout button.\" \"If any of those actions are taken, IceCube hooks those events, and re-attempts exploitation of CVE-2025-49113, and beacons to the C&C [command-and-control] that the user left the Roundcube session.\" Upon completing these actions or running into a timeout, the JavaScript malware destroys user and malware-initiated sessions on the server, causing the user to log out and erase forensic evidence associated with the compromise from the Roundcube server. Written in Go, VShell is a remote administration tool that provides post-compromise capabilities similar to Cobalt Strike. It has been utilized by various China-aligned adversaries in recent years. The development marks the first time a Chinese hacking group has been tied to the exploitation of Roundcube flaws, which have been traditionally abused by state-sponsored threat actors from Russia. \"While the targeting of this campaign is captivating to the imagination, it is unlikely that UNK_MassTraction will be solving deep theoretical physics questions or the Fermi Paradox in the near future,\" Proofpoint researchers concluded. \"UNK_MassTraction displayed a mature toolkit and unique usage of n-day vulnerabilities. The campaign is a reminder that email delivery can facilitate compromise of the mail server, and that Chinese operators will continue to treat them like any other edge device, so defenders should prioritize defending the mail servers of their networks as thoroughly as they do their VPN concentrators and other remote access nodes on their networks.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Credential Theft, Cyber Attack, email security, Malware, remote code execution, Vulnerability, Web Security ⚡ Top Stories This Week ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts ⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fsuspected-china-aligned-hackers-exploit.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEitErUXjxgvdr7CLGa67wtfentIJSFkobxbyIMtQNK4mzNTyf_3Mq9mckQNCGONMFqVaCvkvNKf7FqJfevWKstiWEOxt5wDlV_Fus-Ob3bo9vkMb3m5natJZjHhG-0r4FbH5UUBP4aiGtLcJ7mFIIwLw7IPIHOqw5ln1kAC_ZsiOvllGmVXws4bCXBGugBu\u002Fs1600\u002Fserver-hacker.jpg","2026-07-07T09:10:51+00:00","2026-07-07T10:00:04.209437+00:00",9,[18,21,23,26,29],{"name":19,"type":20},"UNK_MassTraction","threat_actor",{"name":22,"type":20},"UNC5174",{"name":24,"type":25},"Roundcube","product",{"name":27,"type":28},"Proofpoint","vendor",{"name":30,"type":31},"webmail","technology","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":32,"icon":34,"name":35,"slug":36},null,"Nation-state","nation-state",[38,40,45,50],{"category":39},{"id":32,"icon":34,"name":35,"slug":36},{"category":41},{"id":42,"icon":34,"name":43,"slug":44},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":46},{"id":47,"icon":34,"name":48,"slug":49},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":51},{"id":52,"icon":34,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,60,63,67,70,73],{"type":57,"value":58,"context":59},"cve","CVE-2024-42009","Exploited Roundcube vulnerability (CVSS 9.3)",{"type":57,"value":61,"context":62},"CVE-2025-49113","Second Roundcube vulnerability exploited for RCE (CVSS 9.9)",{"type":64,"value":65,"context":66},"malware","IceCube","Payload for credential theft and reconnaissance",{"type":64,"value":68,"context":69},"VShell","Post-exploitation tool for persistent access",{"type":64,"value":71,"context":72},"SquareShell","Web shell deployed for arbitrary code execution",{"type":64,"value":74,"context":75},"SNOWLIGHT","ELF loader used in intrusions by Chinese adversaries"]