Suspected Chinese Hackers Target University Email Servers

A campaign attributed to suspected Chinese spies has compromised email servers at several major universities in the US and Canada, exploiting vulnerabilities in Roundcube mail software to access sensitive data.

Recent reports indicate that suspected Chinese hackers have been infiltrating major universities in the United States and Canada since May 2026. These intrusions target Roundcube mail servers, aiming to steal data from faculty members in physics and engineering departments.

Targeted Institutions and Scope

According to Proofpoint threat researchers, fewer than ten universities have been directly observed as targets, but they estimate that the total number of affected institutions could be in the dozens. This estimate is not substantiated by concrete data, and the researchers caution that it remains a best guess.

Exploited Vulnerabilities

The attackers are utilizing CVE-2024-42009, a cross-site scripting vulnerability in Roundcube. This vulnerability allows attackers to gain access simply by having the email opened in the mail client. The targeted departments were likely selected because they were running vulnerable versions of Roundcube, suggesting prior reconnaissance by the attackers.

Attack Methodology

The attack begins with a phishing email sent to university departments, often appearing to come from legitimate sources. These emails may contain generic content, which could lead to a broader range of targets than initially observed. When the email is opened, it triggers the CVE-2024-42009 vulnerability, allowing a JavaScript loader to execute and deliver a data-stealing tool known as IceCube.

Data Theft and Further Exploitation

IceCube is designed to extract sensitive information such as usernames, passwords, and session tokens. It sends this data to the attackers’ command-and-control servers. Furthermore, the attackers exploit another vulnerability, CVE-2025-49113, to install a webshell called SquareShell, enabling remote code execution.

Proofpoint has coordinated with government and industry partners to notify the identified victims and has observed the introduction of fallback mechanisms in the attack chain to ensure continued access, indicating a level of sophistication in the attackers’ methods.

While the espionage tactics mirror previous campaigns linked to Chinese threat actors, Proofpoint has not definitively connected this activity to any specific group. The evidence suggests that the attackers are likely motivated by espionage objectives aligned with national interests.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

Avatar photo
NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.

Articles: 296