top of page

China-Linked Hackers Target University Physics Departments in Roundcube Espionage Campaign

  • 13 hours ago
  • 4 min read

A previously unknown espionage group believed to be operating on behalf of China is targeting physics and engineering departments at universities in the United States and Canada, with a particular focus on research tied to national security, astrophysics, and particle physics.


Security researchers at Proofpoint are tracking the activity as UNK_MassTraction. The group is exploiting a chain of vulnerabilities in Roundcube, a widely used open-source webmail platform, to steal credentials, compromise mail servers, and deploy malware inside academic environments.


The campaign highlights a familiar but growing national security problem: some of the world’s most sensitive research does not sit only inside defense contractors or government labs. It also lives in university inboxes, shared research systems, and open academic networks that were built for collaboration, not espionage resistance.


According to Proofpoint, the attackers used CVE-2024-42009, a high-severity cross-site scripting vulnerability in Roundcube, to execute malicious JavaScript when a target opened a crafted phishing email. The flaw allows malicious code hidden in email content to run inside the victim’s webmail session.


Once triggered, the attack loads a JavaScript credential stealer that Proofpoint calls IceCube. The malware is designed to collect usernames, passwords, cookies, two-factor authentication inputs, and browser settings. Researchers said the script contains patterns commonly seen in AI-generated code, suggesting the attackers may have used a large language model to help build or refine parts of the malware.


The group then exploited CVE-2025-49113, a deserialization vulnerability in Roundcube that can enable remote code execution. Proofpoint said IceCube uses the victim’s active session token to deliver serialized PHP data to Roundcube’s database. When processed, the data can execute attacker-controlled commands.


“IceCube attempts to send PHP serialized data containing a PHP gadget to Roundcube's database; when that data is deserialized, the embedded commands execute,” Proofpoint said.


After gaining access, the attackers attempted to install a PHP webshell dubbed SquareShell, giving them persistent remote control over the compromised server. In other cases, they loaded a Go-based backdoor called VShell directly into memory. Proofpoint said the use of Go-based backdoors and shell scripts overlaps with tooling seen in other China-linked cyber operations.


Researchers also found virtual private server infrastructure tied to multiple Chinese threat actors. In earlier activity, the attackers left Chinese-language artifacts in the HTML body of malicious messages, Proofpoint said.


The campaign appears to have involved careful reconnaissance. Proofpoint said the targeted departments were running unpatched Roundcube versions where exploitation could succeed simply by getting the victim to open the email. That suggests the hackers knew which software the universities were using before launching the attacks.


When the primary webshell deployment failed, the attackers used a newer fallback method involving a shell script that launches an architecture-specific ELF loader known as Snowlight. The malware also includes stealth and persistence features. It monitors mouse movement to time execution, attempts to rerun the exploit if the user closes the page or switches tabs, and wipes forensic evidence from the Roundcube server after certain actions or timeouts.


The targeting fits a broader pattern of nation-state cyber espionage against higher education. Universities often hold valuable research tied to advanced science, defense-adjacent technology, energy, materials, aerospace, artificial intelligence, and medicine. But many institutions operate with decentralized IT, legacy systems, limited security budgets, and a culture that prizes open access.


“Universities are some of the most valuable and least defended institutions in the world,” said Seemant Sehgal, founder and CEO of BreachLock. “They hold cutting-edge research, maintain open networks by design, and operate on budgets that rarely match the threat they face. A nation-state actor looking for intellectual property does not need to breach a defense contractor when the same research sits in a university email server running unpatched software. The gap between the value of what these institutions hold and the resources they have to protect it is exactly what sophisticated adversaries have learned to find and exploit.”


For nation-state hackers, the prize is not always a final published paper. In sensitive research fields, early access can be more valuable than the finished result.


“Most research is eventually published – that's not what sustained nation-state campaigns are after,” said Yogita Parulekar, founder and CEO of Invi Grid. “They target two things: research that offers economic advantage, like the race for a way out of pandemic lockdowns, and sensitive, dual-use technology – advanced materials, AI, energy – work with both civilian and military application that often stays unpublished for months or years. The asset isn't the file. It's the lead time, and the economic or military power that comes with it. Protecting sensitive research can't be an afterthought. It has to be proactive, preventive, and built into the baseline.”


The Roundcube campaign also shows how older webmail systems can become high-value espionage targets. Academic departments may run their own infrastructure, delay patching because of limited support staff, or maintain exposed services for researchers who travel and collaborate globally. Attackers can turn those conditions into an entry point.


“Security professionals at universities have no power, all the responsibility, and very little control over their environment,” said John Strand, owner of Black Hills Information Security. “Universities are notoriously difficult to defend, which is exactly why they’re such attractive targets for nation-state adversaries. They’re home to cutting-edge research, innovation, and the ideas that will shape the future, making them prime targets for cyber espionage.


“Universities are designed to encourage openness, collaboration, and research, which often runs counter to traditional security controls. Unfortunately, those same characteristics make them very appealing targets for nation-state attackers.”


The campaign should push universities to treat exposed email platforms as critical infrastructure, particularly in departments handling sensitive or dual-use research. Security teams should prioritize patching Roundcube, hunt for signs of webshells or Go-based backdoors, review suspicious webmail sessions, inspect server logs for deserialization attempts, and monitor for unusual outbound connections to virtual private server infrastructure.


For research institutions, the broader lesson is clear: academic openness and national security value now coexist in the same inbox. Adversaries know it, and they are increasingly willing to exploit even a single unpatched webmail server to get there.

bottom of page