IceCube, SNOWLIGHT, and VShell Roundcube post-exploitation chain
Malware Activity
Summary
Hide ▲
Show ▼
IceCube is a Roundcube post-exploitation activity targeting U.S. and Canadian universities and related research organizations, with observed use since May against physics and engineering departments. The chain uses phishing to trigger CVE-2024-42009, load a browser-side stealer that collects usernames, passwords, cookies, 2FA data, and then leverage CVE-2025-49113 to install SquareShell or drop VShell for remote code execution and backdoor access.
Related Happenings
UNK_MassTraction Roundcube university exploitation campaign
Campaign
H score41
First: 07.07.2026 12:10
Last: 07.07.2026 12:10
Sources 1
How related:
The campaign has been observed since May and focuses on physics and engineering departments, administrators and professors, as well as organizations involved in astrophysics, particle physics, or national security-related research.
About this happening:
The **UNK_MassTraction** campaign is a **China-linked** activity targeting **Roundcube** webmail at **U.S. and Canadian universities** and related research organizations to steal...
UNK_MassTraction Roundcube university exploitation campaign
CampaignHow related: The campaign has been observed since May and focuses on physics and engineering departments, administrators and professors, as well as organizations involved in astrophysics, particle physics, or national security-related research.
About this happening: The **UNK_MassTraction** campaign is a **China-linked** activity targeting **Roundcube** webmail at **U.S. and Canadian universities** and related research organizations to steal...
Roundcube Webmail actively exploited flaws (multiple vulnerabilities)
Vulnerability
H score33
First: 23.02.2026 13:44
Last: 23.02.2026 13:44
Sources 1
How related:
In the next step, IceCube leverages the session's CSRF token to weaponize a second post-authenticated remote code execution flaw in Roundcube - CVE-2025-49113 (CVSS score: 9.9) - with the goal of obtaining a foothold in the mail server and dropping VShell or a web shell dubbed SquareShell in memory.
About this happening:
**Roundcube Webmail** is under **active exploitation** through **CVE-2025-49113** and **CVE-2025-68461**, with attackers also chaining **CVE-2024-42009** in phishing-driven intrus...
Roundcube Webmail actively exploited flaws (multiple vulnerabilities)
VulnerabilityHow related: In the next step, IceCube leverages the session's CSRF token to weaponize a second post-authenticated remote code execution flaw in Roundcube - CVE-2025-49113 (CVSS score: 9.9) - with the goal of obtaining a foothold in the mail server and dropping VShell or a web shell dubbed SquareShell in memory.
About this happening: **Roundcube Webmail** is under **active exploitation** through **CVE-2025-49113** and **CVE-2025-68461**, with attackers also chaining **CVE-2024-42009** in phishing-driven intrus...
Latest development: 07.07.2026 18:40
Proofpoint tracked the China-aligned UNK_MassTraction cluster targeting US and Canadian universities, especially physics and engineering departments, by abusing vulnerable Roundcube mail servers. The campaign used phishing emails with malicious content to exploit CVE-2024-42009 and run the IceCube JavaScript payload to steal usernames, passwords, cookies and authentication data, then leveraged CVE-2025-49113 to deploy a webshell or install the VShell backdoor for follow-on access into victim networks.
CISA adds two Roundcube flaws to KEV catalog
Public Sector Action
H score49
First: 21.02.2026 09:21
Last: 21.02.2026 09:21
Sources 1
About this happening:
**CISA** added **two Roundcube webmail flaws** to the **KEV catalog** after citing **active exploitation**, increasing urgency for federal remediation. **CVE-2025-49113** is a **C...
CISA adds two Roundcube flaws to KEV catalog
Public Sector ActionAbout this happening: **CISA** added **two Roundcube webmail flaws** to the **KEV catalog** after citing **active exploitation**, increasing urgency for federal remediation. **CVE-2025-49113** is a **C...
Timeline
-
07.07.2026 12:10 3 articles · 2d ago
UNK_MassTraction exploits Roundcube at U.S. and Canadian universities
Initial DisclosureProofpoint disclosed a new China-aligned campaign tracked as UNK_MassTraction after observing exploitation of Roundcube webmail at physics and engineering departments in U.S. and Canadian universities. The operators chained CVE-2024-42009 credential theft with follow-on exploitation of CVE-2025-49113 to drop VShell, SquareShell, or SNOWLIGHT, and Proofpoint said the activity first appeared in May 2026 with a SquareShell-failure fallback added in June 2026.
Show sources
- Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities — thehackernews.com — 07.07.2026 12:10
- Suspected Chinese Threat Group Targets Universities via Vulnerable Roundcube Servers — www.infosecurity-magazine.com — 07.07.2026 18:40
- Hackers exploit Roundcube flaw to spy on academic researchers — www.bleepingcomputer.com — 08.07.2026 21:56