Proofpoint researchers uncovered a quiet operation. Suspected Chinese spies have spent months slipping into university email systems across the United States and Canada. They don’t need fancy malware or zero-days in exotic software. All it takes is a researcher opening what looks like routine spam.
The campaign began at least in May 2026. It continues today. Attackers focused on physics departments, engineering faculty, and staff tied to national security projects. Some victims worked in astrophysics or particle physics. Others handled defense-related studies. The group, tracked by Proofpoint as UNK_MassTraction, hit fewer than ten schools that the firm directly observed. But the true number likely reaches a few dozen. (The Next Web)
Entry came through Roundcube. This open-source webmail platform runs on countless academic servers. Two flaws made the difference. First, CVE-2024-42009, a cross-site scripting bug with a CVSS score of 9.3. Opening a crafted message in a vulnerable inbox triggered it instantly. No clicks. No downloads. The second flaw, CVE-2025-49113, scored 9.9 and dated back a decade. It enabled post-authentication remote code execution. (The Hacker News)
Attackers sent bland lures. Marketing pitches. Obvious spam. They came from compromised legitimate accounts or domains with weak DMARC settings. Once opened, a JavaScript payload called IceCube sprang into action. It escaped its iframe through DOM traversal. Then it grabbed usernames, passwords, session tokens, cookies, and even two-factor authentication data. The script also fingerprinted the victim’s browser. Language settings. Screen resolution. Login form fields. All of it posted back to the attackers’ command server. (CyberScoop)
And the chain didn’t stop. IceCube used the stolen session’s CSRF token to trigger the second vulnerability. That installed a webshell named SquareShell, reachable at the endpoint plugins/newmail_notifier/mail_preview.php. Or it dropped VShell, a Go-based remote administration tool favored by several Chinese groups. VShell offers capabilities similar to Cobalt Strike. In June the operators added a fallback loader called SnowLight, delivered via shell script if the primary path failed. (The Register)
The Real Prize Lies Deeper
Compromised mail servers served as launchpads. From there operators could move laterally into the broader university network. They sought intellectual property, unpublished research, grant proposals, and correspondence with government labs. Universities make attractive marks. They conduct frontier work in sensitive fields. They welcome international students and visiting scholars. Yet many run security postures far weaker than those at defense contractors or Fortune 500 firms.
Proofpoint’s principal threat research engineer Greg Lesnewich described the alignment. “The targeting is consistent with Chinese state intelligence priorities.” He pointed to the focus on physics and defense-adjacent projects. Infrastructure reinforced the conclusion. Command servers sat inside a covert network shared by multiple China-aligned actors. The same groups also used the SnowLight loader. Operational security stayed moderate. No flashy mistakes. But enough signals for clear attribution. (The Next Web)
Lesnewich added a sobering point in interviews. “There is a high likelihood that many victims have not been made aware of this activity yet.” Proofpoint notified the affected universities it identified. It also shared findings with government agencies and industry partners. Still, the campaign shows no signs of slowing. (CyberScoop)
This isn’t an isolated incident. Chinese espionage against academia stretches back years. Operators treat university mail servers like any other edge device. Routers, VPN concentrators, now webmail. The tactic flips older playbooks that relied on spear-phishing for credentials. Here the email itself delivers the exploit. Success requires nothing more than a single unpatched inbox. (The Register)
So universities face hard choices. Patch immediately. But many run legacy systems or lack dedicated security teams. Monitor for unusual web shell activity at those specific PHP endpoints. Segment research networks from general email infrastructure. Treat every inbound message with suspicion even when it looks harmless. The attackers counted on complacency. They found it.
Proofpoint researchers stressed one lesson above all. Email delivery can compromise the mail server itself. Chinese operators will keep testing that boundary. Defenders must protect those systems with the same rigor once reserved for perimeter gateways. Otherwise the next campaign will simply open another inbox. And walk straight through.


WebProNews is an iEntry Publication