Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Phishing Attacks Targeted Facebook Users With Fake Verification Offer

July 7, 2026

Microsoft Accelerates Post-Quantum Cryptography Shift to 2029

July 7, 2026

Suspected Chinese Threat Group Targets Universities

July 7, 2026
Facebook X (Twitter) Instagram
Tuesday, July 7
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Suspected Chinese Threat Group Targets Universities
News

Suspected Chinese Threat Group Targets Universities

Team-CWDBy Team-CWDJuly 7, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A suspected China-aligned threat cluster has been exploiting vulnerable Roundcube mail servers at universities in the US and Canada to steal credentials and establish network access.

New research from Proofpoint, published on June 7, tracked the activity under the name UNK_MassTraction and found that attackers were targeting physics and engineering departments at academic institutions with potential links to national security.

Proofpoint assessed that the attackers likely selected these organizations after identifying vulnerable Roundcube instances.

The campaign used multiple known Roundcube vulnerabilities to compromise mail servers, using stolen credentials and server access as a pathway into victim networks rather than focusing solely on email data theft.

The activity follows previous campaigns in which China-aligned operators exploited internet-facing infrastructure to gain access to targeted organizations, including attacks involving vulnerable edge devices and public-facing applications.

Roundcube Servers Used as Network Entry Points

Proofpoint found that UNK_MassTraction used phishing emails containing malicious content designed to exploit CVE-2024-42009, a cross-site scripting (XSS) vulnerability in Roundcube.

When executed in a vulnerable webmail client, the exploit allowed JavaScript to run in the victim’s browser.

The JavaScript payload, tracked by Proofpoint as IceCube, was used to steal usernames, passwords, cookies and authentication data. The malware also gathered information about victims’ environment and used the stolen session data to continue the compromise.

The firm observed the attackers using a range of techniques during the infection chain, including:

  • Credential theft through malicious JavaScript payloads

  • Server-side exploitation of vulnerable Roundcube components

  • Deployment of webshells for remote access

  • Memory-based execution of the VShell backdoor

Attackers Deploy VShell For Follow-On Access

After gaining access to Roundcube servers, UNK_MassTraction exploited CVE-2025-49113, a deserialization vulnerability, to deploy a webshell or install the VShell backdoor in memory.

Proofpoint said VShell, a publicly available Go-based remote access tool, has previously been used by China-aligned operators across Windows, Linux and macOS environments. The malware provides interactive shell access and port-forwarding capabilities that can help attackers move deeper into compromised networks.

The firm assessed that UNK_MassTraction was likely conducting espionage-focused operations based on its targeting, infrastructure links and the presence of Chinese language artifacts in some phishing emails.

“The campaign is a reminder that email delivery can facilitate compromise of mail servers, and that Chinese operators will continue to treat them like any other edge device,” Proofpoint warned.

“Defenders should prioritize defending the mail servers of their networks as thoroughly as they do their VPN concentrators and other remote access nodes on their networks.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticlePhantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware
Next Article Microsoft Accelerates Post-Quantum Cryptography Shift to 2029
Team-CWD
  • Website

Related Posts

News

Phishing Attacks Targeted Facebook Users With Fake Verification Offer

July 7, 2026
News

Microsoft Accelerates Post-Quantum Cryptography Shift to 2029

July 7, 2026
News

Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware

July 7, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

How to help older family members avoid scams

October 31, 2025

Drowning in spam or scam emails lately? Here’s why

January 27, 2026

Can password managers get hacked? Here’s what to know

November 14, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.