Hacking

China-Linked Hackers Target US Universities via Roundcube

Published  ·  6 min read

China-linked activity cluster suspected of carrying out attacks on the Roundcube webmail program of universities in the United States and Canada through the physics and engineering departments is now being investigated. 

The attacks were discovered in May 2026 and are targeted at the administrators and professors in departments with links to national security or astrophysics and particle physics.

The chain of exploitation takes advantage of critical vulnerabilities, which have been patched, in the open-source email platform. The aim of this exploit is to steal credentials, place web shells to get persistent access and use the post-exploit malware VShell.

The Vulnerabilities

The attacks exploit two different vulnerabilities in the Roundcube system.

The first one is a stored cross-site scripting vulnerability. In order for it to occur, an attacker needs to send an infected email message and then the recipient would open it while using Roundcube. After that, the malicious JavaScript would be executed without any other actions from the recipient’s side.

The second one is the post-authentication remote code execution vulnerability which is related to the PHP object deserialization problem. To exploit it, an attacker who is already authenticated can send a malicious PHP object to the victim.

The targeted departments might have been selected because of the fact that they had vulnerabilities in the Roundcube system. It means that prior to sending the phishing messages, the threat actor conducted reconnaissance.

JavaScript Payload

The payload that follows the exploitation of the first vulnerability is known as IceCube. The IceCube JavaScript stealer is developed in order to steal credential details from the browser, which include 2FA tokens and cookies.

IceCube also performs its own reconnaissance. IceCube gathers information on browser language, screen size, and form field values. All harvested data is sent to an external server via HTTP POST.

The malware also sets up deferred triggers. These triggers monitor if the user closes the page or changes tabs. They check if the mouse leaves the browser window. They hijack the logout button. If any of these actions occur, IceCube re-attempts the exploitation of the second vulnerability and beacons to the C2 server.

After completing its actions or running into a timeout, the JavaScript destroys user and malware-initiated sessions on the server. This causes the user to log out and erases forensic evidence from the Roundcube server.

Web Shell and Backdoor

The second vulnerability is exploited by IceCube through the use of the CSRF token from the session in order to establish itself in the mail server in order to upload either the web shell or VShell backdoor.

This particular backdoor is referred to as SquareShell and it is delivered through the use of the PHP gadget shell. It is accessible via a particular endpoint and allows for the execution of code remotely. In case of failure during the deployment of the web shell, the attack proceeds to a backup plan.

This involves executing of a shell script in the Roundcube vulnerability. This is done in order to load and execute the Snowlight ELF loader. Snowlight is compatible with the host's system architecture and has been used in other intrusions orchestrated by Chinese adversaries.

The use of both Snowlight and VShell has been linked to another China-linked cluster in the past. This suggests the shell script is possibly shared by multiple China-nexus clusters, similar to tools like ShadowPad.

The VShell Backdoor

VShell is a remote administration tool written in Go. It provides post-compromise capabilities similar to Cobalt Strike. It has been used by many China-related opponents in recent years. It helps attackers gain persistence and move laterally across the compromised networks, and run commands from there.

The Targeting

This attack is targeted against physics and engineering departments in U.S. and Canadian universities. The specific targeting implies that the threat actor wants something related to national security, astrophysics, and particle physics. 

The emails were sent using both compromised senders and domains which are vulnerable to spoofing because of weak DMARC policy enforcement.

The use of generic lures implies a wider targeting scope than has been seen before. This threat actor is probably using the Roundcube servers as a pivot for gaining access to the targeted network. The hackers behind the malicious activity designed their infection chain to go unnoticed.

A Change in Attribution

This campaign marks represents the first occasion when a China-based hacker collective was identified as having exploited the vulnerabilities of Roundcube. Such Roundcube vulnerabilities are typically exploited by Russian state-sponsored actors. 

This change shows that China-based hackers regard mail servers as edge devices.

The Bottom Line

The Roundcube university cyber espionage campaign shows that email servers can be the ideal targets for any state-sponsored actor because they can be compromised through malicious emails that will cause credential theft, installation of web shells, and even persistent backdoors.

Mail servers should be as secure as any other system, including virtual private network concentrators. Modern and patched software needs to be used here. It is vital to monitor mail servers for any suspicious activity. Also, any email needs to be considered malicious.

FAQ Section

What is the Roundcube university cyber espionage campaign?

The Roundcube university cyber espionage campaign is an operation conducted by a threat actor believed to be allied with China, and the campaign targets US and Canadian universities' physics and engineering departments by exploiting Roundcube vulnerabilities.

What vulnerabilities are used in the Roundcube university cyber espionage campaign?

CVE-2024-42009 (stored XSS vulnerability) and CVE-2025-49113 (post-authentication remote code execution) vulnerabilities are exploited in this campaign.

What is IceCube?

IceCube is a JavaScript-based malware that steals credentials, cookies, and two-factor authentication tokens from the victim's browser. It also conducts reconnaissance and sets up deferred triggers to re-attempt exploitation.

What is VShell?

VShell is a remote administration tool written in the Go programming language and is employed in post-exploitation scenarios. It performs functions similar to Cobalt Strike.

Whom are the attacks targeting?

Department of Physics and engineering departments in universities in the U.S. and Canada that have connections to national security and that are working in the areas of astrophysics and particle physics.

What is the advice for the affected organizations?

They should update their Roundcube installations to the latest version, perform strict monitoring of mail servers, and consider email as an attack vector. Protect mail servers as well as you would any other remote-access point.

Source: The Hacker News
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067