China-linked hackers hit university email servers to spy on physics and defence researchers

A group tracked as UNK_MassTraction is exploiting two Roundcube flaws at U.S. and Canadian universities to steal logins and plant backdoors, Proofpoint says.

ThreatVectr Newsdesk· 4 min read
Photoreal news-editorial image, 16:9, full frame edge to edge
Share

Key points

  • Researchers at Proofpoint have tracked a campaign since May 2024 that targets Roundcube webmail servers at U.S. and Canadian universities.
  • The hackers focus on physics and engineering staff, and on people working in astrophysics, particle physics, or national security research.
  • The attack chains two Roundcube flaws, CVE-2024-42009 and CVE-2025-49113, to steal credentials and install backdoors.
  • Proofpoint assesses with low confidence that the group, which it calls UNK_MassTraction, is aligned with China.
  • Administrators are urged to apply the latest Roundcube patches and treat mail servers as sensitive remote-access systems.

A hacking group that appears to be working on behalf of China is quietly breaking into university email servers to spy on researchers in physics, engineering and defence-related science.

The activity was first reported by BleepingComputer, drawing on new findings from the cybersecurity company Proofpoint. Proofpoint calls the group UNK_MassTraction and has been watching the campaign since May.

The targets are specific. Physics and engineering departments. Professors, administrators and labs working on astrophysics, particle physics, or research tied to national security. The universities sit mostly in the United States and Canada.

How did the hackers get in?

They sent booby-trapped emails to accounts running Roundcube, a popular free webmail program that universities often use to let staff read email in a browser.

The emails came from accounts the attackers had already broken into, or from lookalike domains designed to appear legitimate. The lure inside was generic, nothing flashy.

The trick is that the victim did not need to click anything unusual. Simply opening the email in a vulnerable Roundcube inbox was enough to set off the attack.

That is because the email exploited CVE-2024-42009, a cross-site scripting flaw in Roundcube. In plain terms, the bug lets an attacker sneak hidden code into an email so that the victim's own browser runs it when the message is viewed.

Once that hidden code ran, it pulled down a tool Proofpoint has named IceCube.

What does the malware actually steal?

IceCube is built specifically to loot Roundcube accounts. Proofpoint describes it as a fully-featured Roundcube stealer.

It grabs usernames, passwords, session cookies (the small files that keep you logged in), two-factor authentication codes, and information about the victim's browser. Two-factor authentication, or 2FA, is the extra code many services ask for on top of a password.

IceCube then tries to go further. It uses helper components to attack a second Roundcube bug, CVE-2025-49113, a deserialisation flaw that can let an attacker run their own commands on the mail server itself.

If that works, the attackers install a hidden control panel called SquareShell, a PHP webshell that gives them remote command access to the server.

If it does not work, the malware falls back to a shell script that loads a second backdoor, VShell, straight into the server's memory. VShell is a ready-made tool written in Go that gives an attacker an interactive command line and the ability to tunnel traffic through the compromised machine. It has been used repeatedly by Chinese hacking crews.

Why does Proofpoint suspect China?

Three threads point that way. The servers used to run the attacks overlap with a private hosting network previously tied to several China-linked groups. Earlier phishing waves from the same infrastructure contained Chinese-language artefacts. And the broad tactic, hijacking internet-facing mail servers to burrow into internal networks, is common in Chinese espionage.

Proofpoint is careful to stress this is an assessment, not a confident attribution.

One detail suggests real homework was done. The attackers appear to have picked servers already known to be vulnerable to the two Roundcube flaws, meaning they scanned targets before firing.

What should universities and staff do?

Administrators running Roundcube should install the latest security updates that fix both bugs. Proofpoint's advice is blunt: treat mail servers with the same care as VPNs and other remote-access systems, because that is exactly how attackers are using them.

Staff at affected institutions should reset passwords, revoke active sessions, and check whether their 2FA settings have been tampered with.

© 2026 Threat Vectr