Suspected Chinese Hackers Target University Webmail in Credential-Stealing Campaign

A hacking group tied to China is breaking into Roundcube webmail systems at physics and engineering faculties across US and Canadian universities to steal login details.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial image of a dimly lit university physics laboratory at night, glowing computer monitors showing generic webmail interface reflecti
Share

Key points

  • A suspected China-aligned hacking group is targeting Roundcube webmail servers at US and Canadian universities, according to research first reported by The Hacker News.
  • The attackers focused on physics and engineering departments, faculties that often handle sensitive research.
  • The break-ins abuse CVE-2024-42009, a critical flaw in Roundcube rated 9.3 out of 10 for severity.
  • The goal appears to be stealing staff and student email passwords.
  • The Roundcube flaw has been patched, but only universities that applied the update are safe.

A hacking group believed to be working on behalf of Chinese interests has been quietly breaking into university email systems in the United States and Canada.

The targets share a pattern. All of them run Roundcube, a free and widely used webmail program that lets people read their email through a browser. And all of them belong to physics or engineering faculties, the kinds of departments that handle research with commercial or defence value.

The campaign was flagged in reporting by The Hacker News.

How did the hackers get in?

They used a known bug in Roundcube that university IT teams had not yet fixed. The flaw is tracked as CVE-2024-42009 and carries a severity score of 9.3 out of 10, which puts it in the critical band.

In plain terms, the bug lets an attacker slip hidden code into an email. When a victim opens the message in Roundcube, that code runs inside their browser session. From there, the attackers can quietly lift the victim's login details and read their inbox.

This kind of attack is called cross-site scripting, meaning the attacker tricks a trusted website into running the attacker's instructions on a visitor's computer. The victim does nothing wrong. They just open an email.

Who is behind it?

Investigators have not publicly named the group, but the behaviour matches a cluster of activity long linked to Chinese state interests. That is a careful phrase. It means the tools, targets and timing fit a known pattern, without a formal government attribution.

The choice of victims is telling. Physics and engineering faculties at large research universities often work on projects tied to aerospace, energy, materials science and defence contracts. Their inboxes hold drafts of research papers, grant applications, and correspondence with industry and government partners.

Stealing a professor's password is a cheap way into that world.

What happens to the stolen credentials?

Once the attackers have a working username and password, they can log into the victim's mailbox directly. They can read messages, set up hidden forwarding rules, and use the account to send convincing emails to colleagues at other institutions.

That last part is how a small break-in becomes a big one. A phishing email, meaning a fake message designed to trick the reader, is far more effective when it comes from a real address the recipient already trusts.

What should staff and students do?

If your university runs Roundcube, ask your IT team whether it has been updated. The fix for this flaw has been available for months.

Change your webmail password if you have not done so recently, and turn on multi-factor authentication, meaning a second check such as a code from your phone, wherever it is offered. Watch for unexpected password reset emails, and for messages in your Sent folder you do not remember writing.

Roundcube's maintainers have released patched versions that close the hole. The attackers are counting on the gap between a fix being available and a fix being installed. On many campuses, that gap is still open.

© 2026 Threat Vectr