A China-linked group has successfully infiltrated several universities in the United States and Canada, targeting departments specializing in physics and engineering. According to Proofpoint threat researchers, the attackers aimed to steal sensitive data and maintain access through the use of webshells and backdoors. The attack specifically focused on administrators and professors with ties to national security or those involved in astrophysics and particle physics research. Proofpoint has identified fewer than ten university victims so far, but believes the actual number could be higher. The campaign was first observed in May and is considered to be ongoing.
The attackers exploited two critical vulnerabilities in Roundcube, an open-source email client, to achieve their objectives. These vulnerabilities, identified as CVE-2024-42009 and CVE-2025-49113, were used to execute JavaScript within the victim's browser and secure a foothold in the mailserver, respectively. The initial attack required only that the victim open an email, after which a series of generic lures were employed to trigger access.
Proofpoint attributes the campaign to a China-aligned group known as UNK_MassTraction. This attribution is based on the use of a covert network associated with multiple China-aligned threat groups, an infection chain leading to VShell, and Chinese language artifacts in phishing emails. While the exact data stolen remains unclear, the focus on engineering aligns with China's strategic initiatives. This attack represents a shift in tactics, using email to deliver an exploit chain targeting a mail server rather than the more traditional approach of targeting end users with credential harvesting URLs or malware.


