
Suspected Chinese spies have been breaking into major US and Canadian universities since May, exploiting vulns in Roundcube mailservers to steal data belonging to physics and engineering administrators and professors, according to Proofpoint threat researchers. Proofpoint directly observed less than 10" universities targeted in these intrusions, Greg Lesnewich, principal threat research engineer at Proofpoint, told The Register. We estimate the total volume of targets would be a few dozen universities, but stress that this is at best a guess, not substantiated by our data." While the most recent sighting occurred in early June, we believe it is likely that the campaign is ongoing," Lesnewich said. The email security shop tracks the crew as UNK_MassTraction, and says that it focuses on individuals in departments with national security ties or in astrophysics and particle physics - all topics that support Beijing's intelligence-gathering goals and, as such, are frequently targeted by government-backed cyber goons. To gain initial access, the intruders exploit CVE-2024-42009, a cross-site scripting vulnerability in Roundcube that only requires that the email is opened in the mail client to achieve access to the server. The targeted departments were likely specifically chosen because they were all running [vulnerable] versions of Roundcube ... indicating that UNK_MassTraction had conducted reconnaissance into the targets prior to conducting the campaign," the threat hunters wrote in a Tuesday blog. While the espionage activity is similar to an earlier campaign disclosed by Trellix that used a filename parsing vulnerability to deliver VShell malware, a Go-based backdoor used primarily by Chinese APT groups for remote access, file operations, and post-exploitation control, Proofpoint says it cannot definitely link this earlier activity to UNK_MassTraction. It all starts with a generic phishing email The UNK_MassTraction attack chain begins with a phishing email sent to university departments from both compromised legitimate senders and abused domains vulnerable to spoofing. According to the threat hunters, the lures are generic, sometimes purporting to be a university marketing message, and this could imply a larger targeting swath" than Proofpoint observed. It could also indicate an attempt to resemble marketing or spam content because targets may open the email but ultimately overlook it (and not investigate it), which is still sufficient for the actor to gain access," they wrote. Opening the email triggers CVE-2024-42009. The bug abuses a desanitization issue, and can allow remote attackers to steal and send messages. Once the user opens the email in the webmail client of a vulnerable Roundcube instance, a JavaScript loader stored in the message body executes, and allows the attacker to remotely deliver a fully functioning stealer called IceCube. IceCube first escapes Roundcube's iFrame instantiation via DOM traversal, which gives the stealer access to the entire Document Object Model (DOM) in the browser and Roundcube authentication session. Then it sets to work stealing usernames, passwords, session tokens, and cookies, and it also conducts reconnaissance against the browser, collecting info on the language in use, screen size, and form field values. The stealer sends this initial data to the attacker's command-and-control servers via HTTP POST, and then uses the session's CSRF token to set up gadgets to exploit another Roundcube vulnerability. This one, a deserialization exploit tracked as CVE-2025-49113, allows the miscreants to install a webshell called SquareShell that allows for remote code execution, as well as a VShell implant. Proofpoint notes that its researchers scanned for SquareShell on compromised servers, and coordinated with government and industry partners to notify the identified victims. As of June, the threat hunters also observed the attackers introducing a fallback channel in case the original webshell deployment didn't work. Previously, if the webshell didn't execute, the attack chain would fail. More links to PRC-backed spies The fallback channel executes a shell script that sets up the execution of another loader that Google tracks as SnowLight. The shell script has been used in other exploit-driven intrusions by Chinese adversaries, likely indicating a privately shared capability," Proofpoint notes. Proofpoint's security sleuths say that they have identified several cases" of virtual private server IP addresses within the headers of the phishing emails that belong to a covert infrastructure network likely used by multiple China-aligned threat actors." The access to this network, along with the low-volume targeting of US and Canadian universities, VShell usage, and Chinese-language artifacts within the phishing emails, leads us to assess that UNK_MassTraction is likely a China-aligned espionage motivated threat actor that has demonstrated moderate operational security awareness," the team wrote.(R)