China-aligned attackers have breached networks at U.S. and Canadian universities, seeking to exfiltrate sensitive academic and research data. Proofpoint threat researchers disclosed on Tuesday that the sophisticated cyber espionage campaign has been ongoing, targeting institutions with advanced research in fields potentially relevant to national security.
The espionage actors have successfully infiltrated the systems of less than 10 universities identified by Proofpoint, with estimates suggesting dozens more may be impacted. These attacks specifically targeted physics and engineering departments, with a focus on administrators and professors involved in astrophysics, particle physics, and other sensitive research areas. The campaign was first detected in May and is believed to be active.
University Network Breaches Linked to China-Aligned Group
Proofpoint researchers traced the infiltration to the exploitation of two critical vulnerabilities in Roundcube, a widely used open-source email client. By chaining together CVE-2024-4026 and CVE-2025-49113, attackers gained the ability to execute malicious JavaScript within a victim’s browser and subsequently establish persistent access to mail servers. This exploit chain highlights a novel approach by the threat actors.
Unlike typical phishing attacks that aim to collect end-user credentials or deliver malware directly to workstations, this campaign focused on compromising the mail server itself. “This campaign flips that on its head,” noted Greg Lesnewich, principal threat researcher at Proofpoint, explaining that the initial exploit chain allows for direct server compromise via an email. The attackers reportedly used generic lures to trigger the exploit once a victim opened a malicious email.
Attribution and Motivation
Multiple indicators point to a China-aligned threat cluster for these operations. The attackers employed a known covert network infrastructure utilized by several China-aligned threat groups. Additionally, the campaign resulted in the deployment of VShell, a remote access tool often associated with these groups, and Chinese language artifacts were found within the phishing emails. This consistent pattern of activity strengthens the attribution.
However, Proofpoint researchers have not yet concluded the specific motivations or the exact nature of the data being stolen. “We do not have data to suggest what got stolen, as we only observe the initial inbound email attempt,” Lesnewich stated. The focus on engineering and physics departments aligns with China’s national strategic objectives, which often include the acquisition of advanced technological and scientific research.
Meanwhile, the broader landscape of cyber threats from state-sponsored actors continues to evolve. Google threat hunters recently reported on a Chinese state-sponsored espionage group that maintained long-term access across various sectors, including academia, medicine, and defense. While the methods differ, the overarching goal of data acquisition for strategic advantage appears consistent.
The current campaign’s reliance on exploiting mail server vulnerabilities rather than targeting individual users or network edge devices like routers represents a significant shift in tactics for China-aligned adversaries. This allows for potentially broader and more direct access to sensitive institutional data.
Many of the impacted universities may still be unaware of the breaches. Proofpoint urges organizations to review their internal security logs for signs of compromise and to patch the identified Roundcube vulnerabilities promptly. The ongoing nature of the campaign means vigilance and proactive threat hunting are crucial next steps for academic institutions, particularly those engaged in sensitive research.

