A suspected China-aligned crew has been quietly rifling through university mailboxes in the US and Canada since May. All it takes is a scientist opening one email.

A suspected Chinese espionage group has been breaking into university mail servers across the United States and Canada. It has stolen credentials from staff in physics, engineering, and national security research.

Security firm Proofpoint disclosed the campaign this week, tracking the crew as UNK_MassTraction and dating it to at least May. The Register reported further detail.

Proofpoint has directly observed fewer than ten affected universities. It estimates the true figure is a few dozen. The most recent sighting was in early June, and the activity is likely still going.

The way in is a flaw in Roundcube, a widely used webmail platform. The attackers exploit a cross-site scripting bug, CVE-2024-42009, that runs the moment a target opens a rigged message. No click, no attachment, no password needed.

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

The lures are deliberately dull. The crew sends phishing emails from compromised legitimate accounts and spoofable domains, dressing them up as marketing or spam. Once a target opens one in a vulnerable Roundcube inbox, a hidden script goes to work.

That script, which Proofpoint calls IceCube, harvests usernames, passwords, session tokens, and cookies straight from the mailbox. It also runs quiet reconnaissance, noting the victim’s language, screen size, and the fields on their login form.

The script bundles that data and sends it back to the attackers over the web. The crew then chains a second Roundcube flaw, CVE-2025-49113. That lets it plant a web shell and a Go-based backdoor called VShell, a tool that several Chinese hacking groups favour.

Proofpoint says the mailserver is really a stepping stone. From there, the operators can pivot deeper into the university network .

Proofpoint stops short of naming a specific state, but the signals lean toward China. “The targeting is consistent with Chinese state intelligence priorities,” principal threat research engineer Greg Lesnewich told The Register, pointing to the focus on astrophysics, particle physics, and research with defence ties.

The infrastructure adds weight. The servers behind the campaign sit in a covert network that serves multiple China-aligned actors. In June, the crew added a fallback loader that the same groups share. Proofpoint rates the operator as China-aligned with moderate operational security.

Universities are soft, valuable targets. They hold cutting-edge research, court international collaboration, and rarely run security as tight as a defence contractor. That mix has made academic networks a recurring prize for state-backed spies .

The campaign is a reminder that espionage now often starts in an inbox, not a break-in. Proofpoint says it has scanned for victims and alerted them alongside government and industry partners. For the researchers whose work the crew exposed , the fix is blunt: patch Roundcube, and treat every unread email as a possible door.

With expertise in digital marketing, product management, and branding & identity, Ana Maria Constantin develops strategies that resonate (show all) With expertise in digital marketing, product management, and branding & identity, Ana Maria Constantin develops strategies that resonate with our target audience in the software/SaaS industry. Collaboration and teamwork are paramount to her, as she loves empowering her colleagues to achieve outstanding results and unlock their full potential.