Suspected Chinese Spies Raid University Mail Servers
A suspected China-aligned crew has been quietly rifling through university mailboxes in the US and Canada since May. All it takes is a scientist opening one email.
July 9, 2026 – 1:51 pm
Image by: Proofpoint
A suspected Chinese espionage group has been breaking into university mail servers across the United States and Canada. It has stolen credentials from staff in physics, engineering, and national security research.
Security Firm Discloses Campaign
Security firm Proofpoint disclosed the campaign this week, tracking the crew as UNK_MassTraction and dating it to at least May. The Register reported further details.
Proofpoint has directly observed fewer than ten affected universities. It estimates the true figure is a few dozen. The most recent sighting was in early June, and the activity is likely still ongoing.
How They Get In
One email is enough. The way in is a flaw in Roundcube, a widely used webmail platform. The attackers exploit a cross-site scripting bug, CVE-2024-42009, that runs the moment a target opens a rigged message. No click, no attachment, no password needed.
What They Steal
That script, which Proofpoint calls IceCube, harvests usernames, passwords, session tokens, and cookies straight from the mailbox. It also runs quiet reconnaissance, noting the victim’s language, screen size, and the fields on their login form. The script bundles that data and sends it back to the attackers over the web.
The crew then chains a second Roundcube flaw, CVE-2025-49113. That lets it plant a web shell and a Go-based backdoor called VShell, a tool that several Chinese hacking groups favor.
Targeting and Infrastructure
Proofpoint stops short of naming a specific state, but the signals lean toward China. “The targeting is consistent with Chinese state intelligence priorities,” principal threat research engineer Greg Lesnewich told The Register, pointing to the focus on astrophysics, particle physics, and research with defence ties.
The infrastructure adds weight. The servers behind the campaign sit in a covert network that serves multiple China-aligned actors. In June, the crew added a fallback loader that the same groups share. Proofpoint rates the operator as China-aligned with moderate operational security.
Universities as Soft Targets
Universities are soft, valuable targets. They hold cutting-edge research, court international collaboration, and rarely run security as tight as a defence contractor. That mix has made academic networks a recurring prize for state-backed spies.
Why It Matters
The campaign is a reminder that espionage now often starts in an inbox, not a break-in. Proofpoint says it has scanned for victims and alerted them alongside government and industry partners. For the researchers whose work the crew exposed, the fix is blunt: patch Roundcube.