China-aligned hackers are stealing credentials from physics and engineering researchers at U.S. and Canadian universities by exploiting known bugs in Roundcube, the open-source webmail client that many academic departments still run. The only thing a target has to do is open the email.
That single open, in the webmail client itself, is enough to fire off the exploit. No attachment, no link click, no user prompt. The attackers behind the campaign, tracked by Proofpoint since May 2026 under the placeholder name UNK_MassTraction, are using that opening against administrators, professors, and lab leads with national-security ties or work in astrophysics and particle physics.
Proofpoint calls the activity a suspected China-aligned espionage operation rather than a confirmed state-backed one, with no U.S. government indictment or CISA advisory to lean on. The lure emails are intentionally generic, the conference-spam and journal-notification kind a faculty member rarely bothers to report. According to BleepingComputer's reporting on the campaign, the low signal is part of why the operation has stayed quiet for months.
UNK_MassTraction chains two cross-site scripting vulnerabilities in Roundcube, CVE-2024-42009 (patched in mid-2024) and CVE-2025-49113 (patched earlier this year), into a credential-stealer that runs the moment a message renders in the inbox. Once inside a faculty mailbox, the attackers can drop a small script, a webshell, for ongoing server access, or push the VShell backdoor into server memory, leaving fewer files on disk for defenders to find. Either route gives the operator a foothold in mail infrastructure that fronts grant systems, instrument control, and the research data itself.
A mailbox compromise inside a physics or engineering department reaches calendar systems, grant workflow, instrument reservations, and shared lab files. A foothold there can extend outward into the parts of a research program most attractive to a foreign intelligence service. That is the structural reason a campaign this narrow keeps paying off.
CyberScoop reports the cluster has focused on a list of physics and engineering departments whose work touches national-security research, not on higher education broadly. The narrow victim pool is part of why the lures read like marketing email: the operators only need a handful of opens to win, and a tight campaign lasts longer than a broad one.
The defensive playbook is the part universities can actually act on. Roundcube is open-source, actively maintained, and the patches for both CVEs are public; Infosecurity Magazine notes the problem is slow rollout inside academic IT, not missing fixes. Mail servers deserve the same patching discipline already applied to VPN concentrators and other remote-access edge devices, and targeted departments need to train administrators and faculty to flag the boring, generic messages as potential intrusions rather than dismissing them as conference noise.
Universities have under-defended mail infrastructure relative to the value of the research sitting behind it, and the long tail of n-day exposure across academic IT is closer to the root cause than any single vendor's patch cadence. Closing the gap means treating mail the same way a research program would treat a shared instrument: as critical infrastructure that earns the same operational scrutiny.
The campaign is still active. As the National Law Review frames it, the broader pattern of intrusions into U.S. university research keeps widening the list of departments that have to assume they are a target. The next test is whether exposed institutions can shorten the gap between a public CVE and a patched Roundcube instance before the lure volume shifts.