Threat Intelligence

Suspected Chinese spies target universities with Roundcube exploit

China Bans Cyber Attacks: Examining Internet Security with Chinese Flag and Binary Data Through a Magnifying Glass Concept

As reported by The Register, suspected Chinese intelligence operatives have been actively compromising major universities in the United States and Canada since May, leveraging vulnerabilities in Roundcube mail servers to exfiltrate sensitive data from physics and engineering departments.

The threat actor, tracked by Proofpoint as UNK_MassTraction, exploits CVE-2024-42009, a cross-site scripting vulnerability in Roundcube, to gain initial access. This vulnerability allows attackers to steal credentials, session tokens, and cookies once a user opens a specially crafted email in the webmail client. The attackers then use a deserialization exploit, CVE-2025-49113, to install a webshell called SquareShell and a VShell implant, enabling remote code execution. Proofpoint observed "less than 10" universities directly targeted, but estimates the total number could be in the dozens. The targeted departments, focusing on areas like astrophysics and particle physics, suggest intelligence-gathering motives aligned with Beijing's goals.

The campaign's sophistication, including reconnaissance and the use of shared infrastructure with other China-aligned actors, indicates a moderately aware threat actor. The attack chain begins with generic phishing emails, potentially broadening the targeting scope beyond what Proofpoint has directly observed.

Source: The Register

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds