Proofpoint researchers identified fewer than 10 confirmed university intrusions and estimate a “few dozen” may be affected after attackers chained two Roundcube vulnerabilities — CVE-2024-42009 and CVE-2025-49113 — to steal credentials and establish persistent access.
The exploit chain: CVE-2024-42009 → CVE-2025-49113
Proofpoint traced the campaign to a two-step exploitation chain against Roundcube, an open-source webmail client. The cluster exploited CVE-2024-42009 to execute JavaScript inside a victim’s browser, then leveraged CVE-2025-49113 to gain a foothold on the mailserver. The initial exploit in the chain requires only that a recipient open an email; attackers delivered a series of generic lures to trigger that initial access.
Targets: U.S. and Canadian universities — physics and engineering departments
Proofpoint reported intrusions into the networks of U.S. and Canadian universities that focused on physics and engineering departments. The company said attackers targeted administrators and professors who have national security links, as well as organizations researching astrophysics and particle physics. Proofpoint identified fewer than 10 university victims and estimated a few dozen may be impacted.
Attribution and artifacts: UNK_MassTraction, VShell, and Chinese-language traces
Proofpoint tracks the cluster as UNK_MassTraction and attributes the activity to China-aligned attackers. Researchers cited multiple pieces of evidence: use of a covert network previously used by multiple China-aligned threat groups, an infection chain that led to VShell, and Chinese-language artifacts present in phishing emails. Proofpoint’s principal threat researcher, Greg Lesnewich, said the engineering aspects “do align with China’s strategic initiatives,” though researchers have not drawn conclusions about what was taken or why specific universities were chosen.
Timeline and scope: observed in May and believed to be ongoing
Proofpoint first observed the campaign in May and assesses the operation is ongoing. Lesnewich warned: “There is a high likelihood that many victims have not been made aware of this activity yet.” The company also noted a limitation of its own visibility: “We do not have data to suggest what got stolen, as we only observe the initial inbound email attempt.” Researchers reported attackers used webshells and backdoors to establish long-term access after compromising mailservers.
What this means for technologists, university administrators, and incident responders
- Technologists and security teams: The campaign demonstrates attackers using email to compromise a server rather than an end user. As Lesnewich observed, “This campaign flips that on its head, using email to deliver an exploit chain to compromise a mail server, instead of using email to deliver a credential harvesting URL or malware to target an end user, not a server.” Teams responsible for mail infrastructure and webmail software should take the Roundcube CVE chain and the presence of webshells/backdoors into account when triaging alerts and forensic data.
- University administrators and affected researchers: Proofpoint’s findings single out physics and engineering departments and staff with national security links, plus groups working in astrophysics and particle physics. Administrators should be aware that fewer than 10 intrusions were confirmed but that “a few dozen” universities might be impacted, and that many victims may not yet know of the activity.
- Incident responders and investigators: Proofpoint’s telemetry captured inbound email attempts but not downstream activity, so responders may need mailserver and network telemetry to determine whether credential theft and persistent access succeeded. The reported infection chain led to VShell and left language artifacts; those are concrete indicators to search for during forensic reviews.
Proofpoint’s account places this campaign in a broader pattern: Google threat hunters recently reported a Chinese state-sponsored espionage group that maintained long-term access across academia, medicine, military, cybersecurity and foreign policy. Proofpoint’s report highlights a tactical shift — using email as the delivery vehicle to compromise a server-based mail client — and leaves three immediate, concrete questions: how many universities beyond those identified were successfully breached, what data (if any) was exfiltrated, and whether the chain is being reused against other sectors. For now, researchers say the campaign remains active, the vulnerabilities are specific and identifiable, and many potentially affected institutions may not yet be aware they should look for traces.
Original story: https://cyberscoop.com/china-espionage-attacks-us-canada-universities-proofpoint/




