China-Aligned Group Exploits Roundcube Vulnerabilities to Target Universities
A China-aligned espionage group has compromised U.S. and Canadian universities by chaining two Roundcube vulnerabilities to steal credentials and establish persistent access.

A sophisticated espionage campaign, attributed to a China-aligned threat actor, has successfully infiltrated the networks of several U.S. and Canadian universities, with a particular focus on physics and engineering departments. The attackers aimed to steal sensitive data and establish long-term access through the deployment of webshells and backdoors. Proofpoint threat researchers, who identified the campaign in May and believe it is ongoing, estimate that fewer than ten universities have been confirmed as victims, though potentially a few dozen more could be impacted.
The campaign, tracked by Proofpoint as UNK_MassTraction, leveraged a chain of two critical vulnerabilities within the widely used open-source email client, Roundcube. The initial exploit, CVE-2024-42009, allowed attackers to execute JavaScript within a victim's browser, often triggered by the simple act of opening a specially crafted email. This was then chained with CVE-2025-49113, which provided the attackers with a foothold directly on the mail server, enabling credential theft and subsequent persistence mechanisms.
Researchers noted that the attackers employed generic lures in their phishing emails to initiate the exploit chain. The targeting of specific academic departments, such as those researching astrophysics and particle physics, suggests a motive aligned with national security interests or China's strategic technological initiatives. However, Proofpoint has not yet determined the exact nature of the data stolen, as their observation window typically closes after the initial access is established.
The attribution to a China-aligned group is based on several key indicators. The attackers utilized a known covert network infrastructure that has been previously associated with multiple China-aligned threat groups. Furthermore, the presence of Chinese language artifacts within the phishing emails and the deployment of VShell for persistence provided strong evidence for this link.
This campaign represents a notable shift in tactics for some state-sponsored actors. Unlike previous campaigns that often targeted edge devices like routers and VPNs for initial network entry, this operation pivoted to exploit vulnerabilities in email servers. This approach bypasses traditional end-user focused phishing attacks, directly compromising the infrastructure that handles sensitive communications.
While the full scope of the compromise remains under investigation, the ongoing nature of the campaign and the potential for widespread impact among academic institutions highlight the persistent threat posed by nation-state actors. The use of chained exploits against widely deployed software like Roundcube underscores the importance of timely patching and robust security monitoring for critical infrastructure.
Proofpoint's findings serve as a critical alert for academic institutions, particularly those involved in sensitive research areas. The discovery emphasizes the need for enhanced vigilance against sophisticated phishing attempts and the prompt remediation of known vulnerabilities in email systems and other edge devices.
This new report details the specific vulnerabilities exploited, including CVE-2024-42009, a critical flaw with a CVSS score of 9.3, which allowed the attackers to steal credentials. The campaign specifically targeted physics and engineering departments within U.S. and Canadian universities, and the article notes that these vulnerabilities have since been patched.
This latest report details the specific technical mechanisms employed by the likely China-aligned espionage group, UNK_MassTraction. The campaign chains Roundcube vulnerabilities CVE-2024-42009 (XSS) and CVE-2025-49113 (deserialization) to deploy a JavaScript credential stealer named IceCube and subsequently a PHP webshell (SquareShell) or a Go-based backdoor (VShell). The malware's use of AI-generated code comments and fallback ELF loader Snowlight are also highlighted as new details.