
A suspected Chinese espionage group has been breaking into university mail servers across the United States and Canada. It has stolen credentials from staff in physics, engineering, and national security research.
Security firm Proofpoint disclosed the campaign this week, tracking the crew as UNK_MassTraction and dating it to at least May. The Register reported further detail.
Proofpoint has directly observed fewer than ten affected universities. It estimates the true figure is a few dozen. The most recent sighting was in early June, and the activity is likely still going.
One email is enough
The way in is a flaw in Roundcube, a widely used webmail platform. The attackers exploit a cross-site scripting bug, CVE-2024-42009, that runs the moment a target opens a rigged message. No click, no attachment, no password needed.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
The lures are deliberately dull. The crew sends phishing emails from compromised legitimate accounts and spoofable domains, dressing them up as marketing or spam. Once a target opens one in a vulnerable Roundcube inbox, a hidden script goes to work.
What it steals
That script, which Proofpoint calls IceCube, harvests usernames, passwords, session tokens, and cookies straight from the mailbox. It also runs quiet reconnaissance, noting the victim’s language, screen size, and the fields on their login form.
The script bundles that data and sends it back to the attackers over the web. The crew then chains a second Roundcube flaw, CVE-2025-49113. That lets it plant a web shell and a Go-based backdoor called VShell, a tool that several Chinese hacking groups favour.
Proofpoint says the mailserver is really a stepping stone. From there, the operators can pivot deeper into the university network.
Pointing at Beijing
Proofpoint stops short of naming a specific state, but the signals lean toward China. “The targeting is consistent with Chinese state intelligence priorities,” principal threat research engineer Greg Lesnewich told The Register, pointing to the focus on astrophysics, particle physics, and research with defence ties.
The infrastructure adds weight. The servers behind the campaign sit in a covert network that serves multiple China-aligned actors. In June, the crew added a fallback loader that the same groups share. Proofpoint rates the operator as China-aligned with moderate operational security.
Universities are soft, valuable targets. They hold cutting-edge research, court international collaboration, and rarely run security as tight as a defence contractor. That mix has made academic networks a recurring prize for state-backed spies.
Why it matters
The campaign is a reminder that espionage now often starts in an inbox, not a break-in. Proofpoint says it has scanned for victims and alerted them alongside government and industry partners. For the researchers whose work the crew exposed, the fix is blunt: patch Roundcube, and treat every unread email as a possible door.
View original source — The Next Web ↗


