China-aligned attackers broke into the networks of U.S. and Canadian universities to steal sensitive data and establish persistent access via webshells and backdoors, Proofpoint threat researchers said Tuesday.
The espionage-motivated attacks targeted physics and engineering departments, focusing on administrators and professors with national security links or organizations researching astrophysics and particle physics.
Proofpoint identified less than 10 university victims and estimates a few dozen universities may be impacted, Greg Lesnewich, principal threat researcher at Proofpoint, told CyberScoop. The company first observed the campaign in May and believes the campaign is ongoing.
“There is a high likelihood that many victims have not been made aware of this activity yet,” Lesnewich added.
Researchers traced the attacks to a pair of critical vulnerabilities in Roundcube, an open-source email client, that were exploited and chained together to steal credentials and gain long-term access.
The threat cluster, which Proofpoint tracks as UNK_MassTraction, exploited CVE-2024-42009 to execute JavaScript inside the victim’s browser, then exploited CVE-2025-49113 to gain a foothold in the mailserver.
The initial exploit in the chain only requires a victim to open an email, and the attackers sent victims a series of generic lures to trigger the initial access.
Proofpoint attributes the campaign to a China-aligned cluster because the attackers used a known covert network used by multiple China-aligned threat groups, an infection chain leading to VShell and left Chinese language artifacts in the phishing emails.
Researchers haven’t drawn any conclusions about why attackers targeted the universities and what they are seeking.
“We do not have data to suggest what got stolen, as we only observe the initial inbound email attempt,” Lesnewich said.
The engineering aspects do align with China’s strategic initiatives, he added. Google threat hunters recently spotted a Chinese state-sponsored espionage group that burrowed into systems for years, stealing data across academia, medicine, military, cybersecurity and foreign policy.
“China-aligned adversaries have been targeting other types of edge devices such as routers and VPN concentrators for years with various exploits to create a foothold into a target network, not using email for delivery,” Lesnewich said. “This campaign flips that on its head, using email to deliver an exploit chain to compromise a mail server, instead of using email to deliver a credential harvesting URL or malware to target an end user, not a server.”
The post Suspected Chinese espionage group used a Roundcube exploit chain to burrow into universities appeared first on CyberScoop.