{"id":286721,"date":"2026-07-07T05:10:00","date_gmt":"2026-07-07T09:10:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/07\/suspected-china-aligned-hackers-exploit-roundcube-flaws-against-universities\/"},"modified":"2026-07-07T07:55:07","modified_gmt":"2026-07-07T11:55:07","slug":"suspected-china-aligned-hackers-exploit-roundcube-flaws-against-universities","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/07\/suspected-china-aligned-hackers-exploit-roundcube-flaws-against-universities\/","title":{"rendered":"Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/suspected-china-aligned-hackers-exploit.html\">Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/suspected-china-aligned-hackers-exploit.html\">https:\/\/thehackernews.com\/2026\/07\/suspected-china-aligned-hackers-exploit.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-07 05:10:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign.<\/p>\n<p>The activity involves the exploitation of now-patched, critical security flaws in the open-source email solution, such as CVE-2024-42009 (CVSS score: 9.3), to siphon credentials, followed by either the deployment of a web shell for persistent access or a known post-exploitation tool called VShell.<\/p>\n<p>The emerging threat cluster is being tracked by Proofpoint under the moniker <strong>UNK_MassTraction<\/strong>. It was first detected in May 2026, specifically focusing on administrators and professors in departments with either national security ties or entities studying astrophysics and particle physics.<\/p>\n<p>&#8220;The emails targeting university departments used both compromised senders, as well as abused domains vulnerable to spoofing due to lax DMARC policy to send the emails,&#8221; the enterprise security company wrote in a technical report shared with The Hacker News, adding the use of generic lures indicates a &#8220;larger targeting swath&#8221; beyond its visibility.<\/p>\n<p>While the nature of the cross-site scripting (XSS) exploit is such that it only requires the recipient to open the email in the Roundcube client in order to obtain access to the mail server, it&#8217;s assessed that the targeted departments were singled out because they were all running versions of Roundcube susceptible to N-day security flaws.<\/p>\n<p>This indicates that the threat actor likely carried out preparatory reconnaissance into these targets to gather information about their environments prior to sending phishing emails that trigger an exploit for CVE-2024-42009 and execute arbitrary JavaScript code in the context of the victim&#8217;s web browser.<\/p>\n<p>&#8220;The actor is likely abusing Roundcube servers as a pivot point to enter target networks, and the operators have deliberately crafted their infection chain to avoid detection,&#8221;&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/suspected-china-aligned-hackers-exploit.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities https:\/\/thehackernews.com\/2026\/07\/suspected-china-aligned-hackers-exploit.html Publish Date: 2026-07-07 05:10:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":286722,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEitErUXjxgvdr7CLGa67wtfentIJSFkobxbyIMtQNK4mzNTyf_3Mq9mckQNCGONMFqVaCvkvNKf7FqJfevWKstiWEOxt5wDlV_Fus-Ob3bo9vkMb3m5natJZjHhG-0r4FbH5UUBP4aiGtLcJ7mFIIwLw7IPIHOqw5ln1kAC_ZsiOvllGmVXws4bCXBGugBu\/s1600\/server-hacker.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,35,25,34],"class_list":["post-286721","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-hacker","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/286721"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=286721"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/286721\/revisions"}],"predecessor-version":[{"id":286723,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/286721\/revisions\/286723"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/286722"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=286721"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=286721"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=286721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}