SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers
India
China-aligned spies target university Roundcube servers

China-aligned spies target university Roundcube servers

Wed, 8th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

Proofpoint has identified a suspected China-aligned espionage cluster targeting vulnerable Roundcube mail servers at universities in the US and Canada. The activity has focused on physics and engineering departments linked to sensitive research.

It has tracked the group, known as UNK_MassTraction, since May and found it exploiting a chain of known Roundcube vulnerabilities to gain access to university mail infrastructure. The intrusions targeted administrators and professors in departments connected to national security work, astrophysics and particle physics.

Rather than focusing only on stealing email, the attackers appear to be using compromised webmail servers as a route into wider university networks. This marks a shift from targeting end users directly to compromising the internet-facing systems that handle their communications.

The operation begins with emails sent from compromised accounts or from domains open to spoofing because of weak email authentication settings. The messages were generic in tone, suggesting the attackers only needed targets to open them in a vulnerable Roundcube webmail client for the exploit chain to begin.

Once opened, the email triggers malicious JavaScript through a cross-site scripting flaw in Roundcube. The code then retrieves a second-stage payload, dubbed IceCube by researchers, designed to escape the confines of the mail client view and interact with the full browser session.

IceCube collects usernames, passwords, cookies, two-factor authentication material and other information from the browser session. It also gathers reconnaissance data, including language settings, screen size and form field values, before sending it back to attacker-controlled infrastructure.

From there, the malware uses another Roundcube flaw to move from the browser to the server itself. The attackers then either deploy a webshell, called SquareShell, or load the VShell backdoor directly into memory for longer-term access.

SquareShell is installed at a route intended to blend in with legitimate Roundcube plugin files. It is also timestomped so its modification time matches that of a real plugin, making it less noticeable during incident response.

The attack chain also included measures to reduce the forensic trail on infected systems. These included deleting local browser storage, checking whether a machine had already been compromised, and introducing fallback routines when one stage of the attack failed.

The malware also uses what researchers described as deferred triggers. These react when a user closes the page, switches tabs, moves the mouse out of the browser window or clicks the logout button, allowing the attackers to try exploitation again and then force a logout that removes evidence from the server.

Proofpoint said parts of the toolkit were likely created with help from a large language model because of the extensive, structured comments embedded in the code. It described the tooling as mature and said it showed moderate operational security awareness.

Attribution clues

Proofpoint stopped short of tying the activity to a named state-backed group, but said several indicators pointed to a China-aligned espionage actor. These included Chinese-language artefacts in earlier emails, use of VShell malware previously seen in intrusions linked to Chinese operators, and infrastructure overlapping with a covert network likely used by several China-aligned groups.

The campaign also appears to have been selective. The targeted departments were likely chosen after prior reconnaissance because they were running Roundcube versions exposed to the relevant known vulnerabilities.

This suggests the attackers were not simply harvesting any available victim, but were combining technical scanning with an intelligence-led choice of targets. Universities have long been of interest in cyber espionage because they combine open networks with work on advanced science, defence-linked projects and international research partnerships.

Mail servers exposed

The findings add to broader concern in the security industry that mail servers, VPNs and other internet-facing systems are increasingly treated as edge devices that can provide an entry point into internal networks. In this case, the use of VShell is significant because the malware includes interactive shell access and port-forwarding functions that can help an intruder move deeper into a victim environment.

Proofpoint scanned relevant address space for signs of the SquareShell webshell on compromised servers and worked with government and industry partners to notify affected organisations. It said defenders should prioritise patching internet-facing mail servers quickly and monitor them for signs of post-compromise activity.

"The actor is likely abusing Roundcube servers as a pivot point to enter target networks, and the operators have deliberately crafted their infection chain to avoid detection," said Proofpoint Threat Research.