Recent reports indicate that suspected Chinese hackers have been infiltrating major universities in the United States and Canada since May 2026. These intrusions target Roundcube mail servers, aiming to steal data from faculty members in physics and engineering departments.
Targeted Institutions and Scope
According to Proofpoint threat researchers, fewer than ten universities have been directly observed as targets, but they estimate that the total number of affected institutions could be in the dozens. This estimate is not substantiated by concrete data, and the researchers caution that it remains a best guess.
Exploited Vulnerabilities
The attackers are utilizing CVE-2024-42009, a cross-site scripting vulnerability in Roundcube. This vulnerability allows attackers to gain access simply by having the email opened in the mail client. The targeted departments were likely selected because they were running vulnerable versions of Roundcube, suggesting prior reconnaissance by the attackers.
Attack Methodology
The attack begins with a phishing email sent to university departments, often appearing to come from legitimate sources. These emails may contain generic content, which could lead to a broader range of targets than initially observed. When the email is opened, it triggers the CVE-2024-42009 vulnerability, allowing a JavaScript loader to execute and deliver a data-stealing tool known as IceCube.
Data Theft and Further Exploitation
IceCube is designed to extract sensitive information such as usernames, passwords, and session tokens. It sends this data to the attackers’ command-and-control servers. Furthermore, the attackers exploit another vulnerability, CVE-2025-49113, to install a webshell called SquareShell, enabling remote code execution.
Proofpoint has coordinated with government and industry partners to notify the identified victims and has observed the introduction of fallback mechanisms in the attack chain to ensure continued access, indicating a level of sophistication in the attackers’ methods.
While the espionage tactics mirror previous campaigns linked to Chinese threat actors, Proofpoint has not definitively connected this activity to any specific group. The evidence suggests that the attackers are likely motivated by espionage objectives aligned with national interests.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








