Find notable cyber news and cases, enriched with sources, timelines, and signals.

IceCube, SNOWLIGHT, and VShell Roundcube post-exploitation chain

Malware Activity
First reported
Last updated
Happening score
H score 36
3 unique sources, 3 articles

Summary

Hide ▲

IceCube is a Roundcube post-exploitation activity targeting U.S. and Canadian universities and related research organizations, with observed use since May against physics and engineering departments. The chain uses phishing to trigger CVE-2024-42009, load a browser-side stealer that collects usernames, passwords, cookies, 2FA data, and then leverage CVE-2025-49113 to install SquareShell or drop VShell for remote code execution and backdoor access.

Related Happenings

UNK_MassTraction Roundcube university exploitation campaign

Campaign
H score41 First: 07.07.2026 12:10 Last: 07.07.2026 12:10 Sources 1

How related: The campaign has been observed since May and focuses on physics and engineering departments, administrators and professors, as well as organizations involved in astrophysics, particle physics, or national security-related research.

About this happening: The **UNK_MassTraction** campaign is a **China-linked** activity targeting **Roundcube** webmail at **U.S. and Canadian universities** and related research organizations to steal...

Roundcube Webmail actively exploited flaws (multiple vulnerabilities)

Vulnerability
H score33 First: 23.02.2026 13:44 Last: 23.02.2026 13:44 Sources 1

How related: In the next step, IceCube leverages the session's CSRF token to weaponize a second post-authenticated remote code execution flaw in Roundcube - CVE-2025-49113 (CVSS score: 9.9) - with the goal of obtaining a foothold in the mail server and dropping VShell or a web shell dubbed SquareShell in memory.

About this happening: **Roundcube Webmail** is under **active exploitation** through **CVE-2025-49113** and **CVE-2025-68461**, with attackers also chaining **CVE-2024-42009** in phishing-driven intrus...

Latest development: 07.07.2026 18:40

Proofpoint tracked the China-aligned UNK_MassTraction cluster targeting US and Canadian universities, especially physics and engineering departments, by abusing vulnerable Roundcube mail servers. The campaign used phishing emails with malicious content to exploit CVE-2024-42009 and run the IceCube JavaScript payload to steal usernames, passwords, cookies and authentication data, then leveraged CVE-2025-49113 to deploy a webshell or install the VShell backdoor for follow-on access into victim networks.

CISA adds two Roundcube flaws to KEV catalog

Public Sector Action
H score49 First: 21.02.2026 09:21 Last: 21.02.2026 09:21 Sources 1

About this happening: **CISA** added **two Roundcube webmail flaws** to the **KEV catalog** after citing **active exploitation**, increasing urgency for federal remediation. **CVE-2025-49113** is a **C...

Timeline

  1. 07.07.2026 12:10 3 articles · 2d ago

    UNK_MassTraction exploits Roundcube at U.S. and Canadian universities

    Initial Disclosure

    Proofpoint disclosed a new China-aligned campaign tracked as UNK_MassTraction after observing exploitation of Roundcube webmail at physics and engineering departments in U.S. and Canadian universities. The operators chained CVE-2024-42009 credential theft with follow-on exploitation of CVE-2025-49113 to drop VShell, SquareShell, or SNOWLIGHT, and Proofpoint said the activity first appeared in May 2026 with a SquareShell-failure fallback added in June 2026.

    Show sources