Researchers at cybersecurity firm Proofpoint have discovered that a “suspected China-aligned threat cluster named UNK_MassTraction” is attacking mailservers belonging to physics and engineering departments of U.S. and Canadian based universities. They have been tracking the activity since May 2026.
The threat actors are exploiting multiple n-day cross-site scripting vulnerabilities in Roundcube mailservers to “steal credentials and either install a webshell for follow-on access or deploy the VShell backdoor into the server’s memory.” The threat actors are targeting administrators and professors that have national security ties or are focusing on astrophysics and particle physics. According to Proofpoint, “the exploit only requires that the email is opened in the mail client to achieve access to the mailserver.” The messages sent to the administrators and professors were generic and innocuous, including resembling marketing or spam messages, so when the targets open the message, they overlook it and fail to report it to IT. However, the mere opening of the email (without having to interact with it) was enough for the threat actors to gain access to the content.
The scheme is quite elaborate, and if you want to learn more about its technicalities, read Proofpoint’s blog outlining the scheme in detail. Proofpoint reminds universities that “email delivery can facilitate compromise of mailservers, and that Chinese operators will continue to treat them like any other edge device. Defenders should prioritize defending the mailservers of their networks as thoroughly as they do their VPN concentrators and other remote access nodes on their networks.”
I would add that universities conducting research related to national security, physics, astrophysics, particle physics, and engineering recognize that adversaries are very interested in stealing the vital and valuable information they maintain. Therefore, they should consider implementing strong cybersecurity measures to protect that information, including training all administrators and professors in those departments about how they are specifically targeted by adversaries, and their crucial role in protecting the information from disclosure for national security.