China Is Reading Physics Professors' Mail Through a Webmail Bug From 2024 — Delivered With the C2 We Flagged on Monday
- Patrick Duggan
- 1 hour ago
- 4 min read
Proofpoint this week documented a suspected China-aligned cluster it tracks as UNK_MassTraction breaking into Roundcube webmail servers at U.S. and Canadian universities — specifically the physics and engineering departments, specifically administrators and professors, specifically programs with national-security ties or research in astrophysics and particle physics. Fewer than ten universities are confirmed; a few dozen may be affected. The campaign has been running since May. Every technical ingredient in it is something this blog has written about before, which is not a boast — it is the indictment.
The chain: two old bugs, patiently combined
The intrusion chain is a model of economy. Step one exploits CVE-2024-42009 — a cross-site scripting flaw in Roundcube, disclosed in 2024 — to run a JavaScript payload in the victim's webmail session and harvest credentials stored in the browser. Step two takes the session's own cross-site request forgery token and uses it to trigger CVE-2025-49113, a deserialization flaw that yields remote code execution on the mail server itself.
From there the actor installs a PHP webshell Proofpoint calls SquareShell for persistence — and if the webshell fails, the chain falls back to loading VShell, a Go-based backdoor, directly into memory. That fallback was added in June, which tells you the campaign is maintained, iterated, and funded like a product.
Sit with the dates. The XSS is two years old. The deserialization bug was added to CISA's Known Exploited Vulnerabilities catalog in February 2026 — meaning the federal government formally told the world it was being exploited in the wild five months ago. These universities were not beaten by a zero-day. They were beaten by a patch backlog on a mail server, which is the least glamorous and most common way anyone gets beaten.
Every thread of this is a thread we've already pulled
Deserialization leading to remote code execution: that is the same bug class as the SharePoint dynasty we chronicled through Warlock's return on Monday, and the same "oldest religion" we preached about ColdFusion last week — the server takes something the user sent and executes it. Different product, same sin, same collection plate.
VShell: on Monday morning, in our July 4th weekend wrap, we named the C2 diversification we were seeing in our own indicator corpus — Cobalt Strike joined by AdaptixC2, DeimosC2, and VShell — and told detection engineers that spread was the thing to watch. Twenty-four hours later, here is VShell being loaded into memory on university mail servers by a suspected Chinese espionage cluster. This morning it was Iran shipping its own bespoke framework, Cavern. The monoculture is over from both directions at once — open-source frameworks for whoever wants them, custom ones for whoever can afford them.
And the target selection is the quiet part said out loud. Ransomware wants your invoices; this actor wants your physics. Astrophysics and particle-physics departments, professors and administrators, programs adjacent to national security. Email is the perfect collection point for a technology-transfer operation: grant proposals, pre-publication drafts, peer review, visiting-scholar logistics, the informal half of science that never touches a classified system but maps the whole terrain. A soft surface bleeding quietly is worth more to an intelligence service than a loud breach — and university webmail, chronically underpatched and holding a decade of correspondence, is as soft as enterprise surfaces get.
What a university should actually do
Patch Roundcube — both CVEs have fixes, one has had a fix for two years. Then assume the patch is late: hunt for SquareShell-class webshells on the mail host, audit for unexpected PHP in Roundcube directories, and treat any credential harvested through webmail as burned — the JavaScript step means the actor may hold passwords that outlive the server compromise. Rotate accordingly, enforce MFA in front of webmail, and if your institution runs research with national-security adjacency, brief the physics department the way you'd brief the finance department before a wire-fraud season — because to this adversary, they are the finance department.
We hold this at 95 percent, as always. The campaign detail is Proofpoint's research corroborated by CyberScoop and the trade press, not our own capture, and the "China-aligned" attribution carries Proofpoint's own hedge — shared tooling like Go backdoors is suggestive, not conclusive, and we won't pretend otherwise. But the pattern needs no hedge: two known bugs, one on the federal exploited list since February, quietly harvesting the mail of the people inventing the next strategic technology. The holiday weekend's lesson was that quiet is an instrument reading, not a fact about the world. This campaign ran silent for two months in the quietest infrastructure universities own. Distrust the quiet.
Sources: Proofpoint research on UNK_MassTraction via The Hacker News ("Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities," July 7 2026) and CyberScoop; CISA KEV catalog (Roundcube entries added February 2026); DugganUSA prior coverage — "Every Way We Measured the July 4th Weekend Said 'Quiet'" (July 6) and the SharePoint-dynasty series at dugganusa.com.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.




Comments