Researchers at cybersecurity firm Proofpoint have discovered that a “suspected China-aligned threat cluster named UNK_MassTraction” is attacking mailservers belonging to physics and engineering departments of U.S. and Canadian based universities. They have been tracking the activity since May 2026.

The threat actors are exploiting multiple n-day cross-site scripting vulnerabilities in Roundcube mailservers to “steal credentials and either install a webshell for follow-on access or deploy the VShell backdoor into the server’s memory.” The threat actors are targeting administrators and professors that have national security ties or are focusing on astrophysics and particle physics. According to Proofpoint, “the exploit only requires that the email is opened in the mail client to achieve access to the mailserver.” The messages sent to the administrators and professors were generic and innocuous, including resembling marketing or spam messages, so when the targets open the message, they overlook it and fail to report it to IT. However, the mere opening of the email (without having to interact with it) was enough for the threat actors to gain access to the content.

The scheme is quite elaborate, and if you want to learn more about its technicalities, read Proofpoint’s blog outlining the scheme in detail. Proofpoint reminds universities that “email delivery can facilitate compromise of mailservers, and that Chinese operators will continue to treat them like any other edge device. Defenders should prioritize defending the mailservers of their networks as thoroughly as they do their VPN concentrators and other remote access nodes on their networks.”

I would add that universities conducting research related to national security, physics, astrophysics, particle physics, and engineering recognize that adversaries are very interested in stealing the vital and valuable information they maintain. Therefore, they should consider implementing strong cybersecurity measures to protect that information, including training all administrators and professors in those departments about how they are specifically targeted by adversaries, and their crucial role in protecting the information from disclosure for national security.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.