惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Stack Overflow Blog
Stack Overflow Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
H
Hacker News: Front Page
S
Security Affairs
Google Online Security Blog
Google Online Security Blog
Attack and Defense Labs
Attack and Defense Labs
H
Heimdal Security Blog
S
Securelist
S
Secure Thoughts
N
News and Events Feed by Topic
T
The Exploit Database - CXSecurity.com
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Last Week in AI
Last Week in AI
The Last Watchdog
The Last Watchdog
N
News | PayPal Newsroom
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
IT之家
IT之家
宝玉的分享
宝玉的分享
有赞技术团队
有赞技术团队
O
OpenAI News
V
Vulnerabilities – Threatpost
S
Schneier on Security
Cyberwarzone
Cyberwarzone
雷峰网
雷峰网
罗磊的独立博客
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
J
Java Code Geeks
Google DeepMind News
Google DeepMind News
The Cloudflare Blog
美团技术团队
人人都是产品经理
人人都是产品经理
T
The Blog of Author Tim Ferriss
T
Tor Project blog
P
Privacy International News Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Google DeepMind News
Google DeepMind News
S
Security @ Cisco Blogs
Project Zero
Project Zero
Security Archives - TechRepublic
Security Archives - TechRepublic
Schneier on Security
Schneier on Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
P
Proofpoint News Feed
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
aimingoo的专栏
aimingoo的专栏
L
LINUX DO - 热门话题
V
V2EX
Blog — PlanetScale
Blog — PlanetScale
www.infosecurity-magazine.com
www.infosecurity-magazine.com
U
Unit 42

Proofpoint News Feed

The Hacker News Hackers find a new trick to collect Microsoft Entra user data without raising red flags New Cargo Theft Surge: From Lobster Heists To Bourbon Warehouse Scams Defending the Authentication Flow: Device Code Phishing with Selena Larson Proofpoint Joins the OpenAI Daybreak Cyber Partner Program to Advance Responsible AI-Powered Cyber Defense | Proofpoint US OpenAI Lets Cyber Vendors Embed GPT-5.5 in Defenses Suspected North Korean actors use fake ‘coding assignments’ to steal crypto China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa Proofpoint Introduces Active Exploits Protection to Help Organizations Prioritize Vulnerability Patching for Real-World Attacks in the AI Era | Proofpoint US Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks Proofpoint Integrates with the Claude Compliance API to Extend Data Security and Governance to Claude | Proofpoint US Proofpoint Launches Dedicated MSP Business Unit and Introduces 365 Total Protection for North America | Proofpoint US The spy who logged me in. - YouTube Proofpoint Establishes Innovation Precedent for Source-Agnostic Modern Enterprise Investigations | Proofpoint US The Most Powerful Women Of The Channel 2026: Power 100 AI Security Gaps Create New MSSP Opportunity: Proofpoint Claude Mythos Fears Startle Japan's Financial Services Sector Proofpoint Research Reveals Half of Global Organizations Experienced AI Incidents Despite Having AI Security Controls in Place | Proofpoint US AI-Era Threats Spread Beyond Email Into SaaS, Collaboration Apps, and AI Assistants Clear market trend for software providers to help with AI: Proofpoint CEO - YouTube Cargo thieving hackers running sophisticated remote access campaigns, researchers find Freight Hacker Wields Code-Signing Service to Evade Defenses - YouTube FIFA World Cup 2026: More than One-Third of Official Partners Expose the Public to the Risk of Email Fraud | Proofpoint US Microsoft 365 mailbox rules abused for exfiltration, persistence AI Security Risks: Proofpoint CSO Ryan Kalember, Live at RSAC 2026 Axios Future of Cybersecurity: Russians suspected of using iPhone spyware 15 Top Cybersecurity CEOs On The Future Of AI Agents: RSAC 2026 How AI Agents Are Redefining the Insider Risk Threat Model 5 Ways To Protect Enterprise Value During A Merger Or Acquisition CUBE Events 20 Coolest AI And Security Products At RSAC 2026 Proofpoint Redefines Email and Data Security for the Agentic Workspace | Proofpoint US Proofpoint Pursues FedRAMP High Authorization Process for Collaboration Security | Proofpoint US Proofpoint Unveils Industry’s Newest Intent-Based AI Security Solution to Protect Enterprise AI Agents | Proofpoint US
Suspected Chinese snoops caught breaking into universities
Jessica Lyons · 2026-07-08 · via Proofpoint News Feed

Security

Proofpoint researcher tells The Reg: 'We estimate the total volume of targets would be a few dozen'

Suspected Chinese spies have been breaking into major US and Canadian universities since May, exploiting vulns in Roundcube mailservers to steal data belonging to physics and engineering administrators and professors, according to Proofpoint threat researchers.

Proofpoint directly observed “less than 10” universities targeted in these intrusions, Greg Lesnewich, principal threat research engineer at Proofpoint, told The Register. “We estimate the total volume of targets would be a few dozen universities, but stress that this is at best a guess, not substantiated by our data.”

While the most recent sighting occurred in early June, “we believe it is likely that the campaign is ongoing,” Lesnewich said.

The email security shop tracks the crew as UNK_MassTraction, and says that it focuses on individuals in departments with national security ties or in astrophysics and particle physics - all topics that support Beijing’s intelligence-gathering goals and, as such, are frequently targeted by government-backed cyber goons.

To gain initial access, the intruders exploit CVE-2024-42009, a cross-site scripting vulnerability in Roundcube that only requires that the email is opened in the mail client to achieve access to the server.

“The targeted departments were likely specifically chosen because they were all running [vulnerable] versions of Roundcube … indicating that UNK_MassTraction had conducted reconnaissance into the targets prior to conducting the campaign,” the threat hunters wrote in a Tuesday blog. 

While the espionage activity is similar to an earlier campaign disclosed by Trellix that used a filename parsing vulnerability to deliver VShell malware, a Go-based backdoor used primarily by Chinese APT groups for remote access, file operations, and post-exploitation control, Proofpoint says it cannot definitely link this earlier activity to UNK_MassTraction.

It all starts with a generic phishing email

The UNK_MassTraction attack chain begins with a phishing email sent to university departments from both compromised legitimate senders and abused domains vulnerable to spoofing. 

According to the threat hunters, the lures are generic, sometimes purporting to be a university marketing message, and this could imply “a larger targeting swath” than Proofpoint observed. It could also indicate “an attempt to resemble marketing or spam content because targets may open the email but ultimately overlook it (and not investigate it), which is still sufficient for the actor to gain access,” they wrote.

Opening the email triggers CVE-2024-42009. The bug abuses a desanitization issue, and can allow remote attackers to steal and send messages. 

Once the user opens the email in the webmail client of a vulnerable Roundcube instance, a JavaScript loader stored in the message body executes, and allows the attacker to remotely deliver a fully functioning stealer called IceCube.

IceCube first escapes Roundcube's iFrame instantiation via DOM traversal, which gives the stealer access to the entire Document Object Model (DOM) in the browser and Roundcube authentication session.

Then it sets to work stealing usernames, passwords, session tokens, and cookies, and it also conducts reconnaissance against the browser, collecting info on the language in use, screen size, and form field values. 

The stealer sends this initial data to the attacker’s command-and-control servers via HTTP POST, and then uses the session’s CSRF token to set up gadgets to exploit another Roundcube vulnerability. This one, a deserialization exploit tracked as CVE-2025-49113, allows the miscreants to install a webshell called SquareShell that allows for remote code execution, as well as a VShell implant.

Proofpoint notes that its researchers scanned for SquareShell on compromised servers, and coordinated with government and industry partners to notify the identified victims.

As of June, the threat hunters also observed the attackers introducing a fallback channel in case the original webshell deployment didn’t work. Previously, if the webshell didn’t execute, the attack chain would fail.

More links to PRC-backed spies

The fallback channel executes a shell script that sets up the execution of another loader that Google tracks as SnowLight. “The shell script has been used in other exploit-driven intrusions by Chinese adversaries, likely indicating a privately shared capability,” Proofpoint notes.

Proofpoint’s security sleuths say that they have identified “several cases” of virtual private server IP addresses within the headers of the phishing emails that belong to a “covert infrastructure network likely used by multiple China-aligned threat actors.”

The access to this network, along with the low-volume targeting of US and Canadian universities, VShell usage, and Chinese-language artifacts within the phishing emails, “leads us to assess that UNK_MassTraction is likely a China-aligned espionage motivated threat actor that has demonstrated moderate operational security awareness,” the team wrote.®