
China-Aligned Cluster Exploits Dual Roundcube CVEs at U.S. and Canadian Universities
China-aligned actors used patched Roundcube flaws to steal credentials and establish persistence at targeted university departments. The operation reveals a deliberate focus on academic mail infrastructure as an entry point for IP collection. Shared tooling with known clusters indicates broader coordination among China-nexus operators.
Proofpoint observed the cluster sending phishing messages that triggered an XSS flaw (CVE-2024-42009, CVSS 9.3) simply by opening the email in vulnerable Roundcube instances. The IceCube payload harvested browser credentials, 2FA tokens, and cookies before chaining into an authenticated RCE (CVE-2025-49113, CVSS 9.9) to deploy SquareShell or VShell. Reconnaissance of department websites and DMARC gaps preceded the campaign, indicating targeted preparation rather than spray-and-pray activity.
The same SNOWLIGHT ELF loader and VShell binaries have appeared in UNC5174 operations, yet Proofpoint finds no direct infrastructure overlap, suggesting private sharing of post-exploitation tooling among multiple China-nexus groups. University mail servers function as both credential sources and low-noise pivots into research networks holding sensitive astrophysics and engineering data.
This pattern matches prior education-sector campaigns that prioritize academic IP and supply-chain footholds over immediate monetization. Weak DMARC policies and unpatched open-source mail platforms remain consistent enablers across incidents.
Expect continued reuse of the dual-CVE chain against other unpatched Roundcube deployments in research institutions through at least the end of 2026.
SENTINEL: At least four additional universities will report Roundcube compromises by the same cluster before October 2026.
Sources (3)
- [1]Proofpoint UNK_MassTraction Report(https://www.proofpoint.com/us/threat-insight/post/unkmasstraction-roundcube)
- [2]The Hacker News(https://thehackernews.com/2026/07/suspected-china-aligned-hackers-exploit.html)
- [3]Mandiant UNC5174 Profile(https://www.mandiant.com/resources/blog/unc5174-china-nexus)