{"id":287443,"date":"2026-07-08T17:35:00","date_gmt":"2026-07-08T21:35:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/08\/suspected-chinese-snoops-caught-breaking-into-universities-roundcube-mailservers\/"},"modified":"2026-07-09T02:00:12","modified_gmt":"2026-07-09T06:00:12","slug":"suspected-chinese-snoops-caught-breaking-into-universities-roundcube-mailservers","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/08\/suspected-chinese-snoops-caught-breaking-into-universities-roundcube-mailservers\/","title":{"rendered":"Suspected Chinese snoops caught breaking into universities&#8217; Roundcube mailservers"},"content":{"rendered":"<p><a href=\"https:\/\/www.theregister.com\/security\/2026\/07\/08\/suspected-chinese-snoops-caught-breaking-into-universities-roundcube-mailservers\/5268778\">Suspected Chinese snoops caught breaking into universities&#8217; Roundcube mailservers<\/a><\/p>\n<p><a href=\"https:\/\/www.theregister.com\/security\/2026\/07\/08\/suspected-chinese-snoops-caught-breaking-into-universities-roundcube-mailservers\/5268778\">https:\/\/www.theregister.com\/security\/2026\/07\/08\/suspected-chinese-snoops-caught-breaking-into-universities-roundcube-mailservers\/5268778<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-08 17:35:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.theregister.com\">www.theregister.com<\/a><\/p>\n<p class=\"kicker \" style=\"\">Security<\/p>\n<p class=\"subtitle \" style=\"\">Proofpoint researcher tells The Reg: &#8216;We estimate the total volume of targets would be a few dozen&#8217;<\/p>\n<p>Suspected Chinese spies have been breaking into major US and Canadian universities since May, exploiting vulns in Roundcube mailservers to steal data belonging to physics and engineering administrators and professors, according to Proofpoint threat researchers.<\/p>\n<p>Proofpoint directly observed \u201cless than 10\u201d universities targeted in these intrusions, Greg Lesnewich, principal threat research engineer at Proofpoint, told <span class=\"italic m-italic \" data-lab-italic=\"italic\">The Register<\/span>. \u201cWe estimate the total volume of targets would be a few dozen universities, but stress that this is at best a guess, not substantiated by our data.\u201d<\/p>\n<p>While the most recent sighting occurred in early June, \u201cwe believe it is likely that the campaign is ongoing,\u201d Lesnewich said.<\/p>\n<p>The email security shop tracks the crew as UNK_MassTraction, and says that it focuses on individuals in departments with national security ties or in astrophysics and particle physics &#8211; all topics that support Beijing\u2019s intelligence-gathering goals and, as such, are frequently targeted by government-backed cyber goons.<\/p>\n<p>To gain initial access, the intruders exploit CVE-2024-42009, a cross-site scripting vulnerability in Roundcube that only requires that the email is opened in the mail client to achieve access to the server.<\/p>\n<p>\u201cThe targeted departments were likely specifically chosen because they were all running [vulnerable] versions of Roundcube \u2026 indicating that UNK_MassTraction had conducted reconnaissance into the targets prior to conducting the campaign,\u201d the threat hunters wrote in a Tuesday blog.\u00a0<\/p>\n<p>While the espionage activity is similar to an earlier campaign disclosed by Trellix that used a filename parsing vulnerability to deliver VShell malware, a Go-based backdoor used primarily by Chinese APT groups for remote access, file operations, and post-exploitation&#8230;<\/p>\n<p><a href=\"https:\/\/www.theregister.com\/security\/2026\/07\/08\/suspected-chinese-snoops-caught-breaking-into-universities-roundcube-mailservers\/5268778\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Suspected Chinese snoops caught breaking into universities&#8217; Roundcube mailservers https:\/\/www.theregister.com\/security\/2026\/07\/08\/suspected-chinese-snoops-caught-breaking-into-universities-roundcube-mailservers\/5268778 Publish Date: 2026-07-08 17:35:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":287444,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/image.theregister.com\/5223542.jpg?imageId=5223542&x=0&y=17.91&cropw=100&croph=64.18&panox=0&panoy=17.91&panow=100&panoh=64.18&width=1200&height=683","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,32,27],"class_list":["post-287443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/287443"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=287443"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/287443\/revisions"}],"predecessor-version":[{"id":287445,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/287443\/revisions\/287445"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/287444"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=287443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=287443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=287443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}