Suspected Chinese espionage group used a Roundcube exploit chain to burrow into universities

A China-aligned espionage group has been observed targeting U.S. and Canadian universities, specifically in physics and engineering departments. The attackers exploited two vulnerabilities in the Roundcube email client (CVE-2024-42009 and CVE-2025-49113) to steal credentials and establish persistent access through webshells and backdoors. Proofpoint researchers identified the campaign, which appears to be ongoing, and noted that victims may not yet be aware of the compromise.





