ctipilot.ch

IceCube

tool · tool:icecube-stealer single-source

JavaScript Roundcube stealer delivered via a CVE-2024-42009 XSS that escapes the mail client's iframe by DOM traversal to reach the authenticated session, harvesting credentials/2FA material/cookies, then uses 'helper' modules to trigger CVE-2025-49113 deserialization for a webshell/backdoor foothold; likely LLM-assisted code. Attributed to UNK_MassTraction (Proofpoint, 2026-07-07).

Coverage timeline
1
first 2026-07-09 → last 2026-07-09
Peak priority
notable
1 notable
Sources cited
1
1 hosts
Sections touched
1
active-threats
Co-occurring entities
3
see Related entities below
ATT&CK techniques
5
pinned v19.1 · see below

Hunting pivots

Affected products
Roundcube Webmail

ATT&CK techniques

5 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-09/unk-masstraction-roundcube-edge-exploitation · ATT&CK page ↗

T1566Phishing×1

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Evidence: 2026-07-09/unk-masstraction-roundcube-edge-exploitation · ATT&CK page ↗

Execution TA0002

T1203Exploitation for Client Execution×1

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

Evidence: 2026-07-09/unk-masstraction-roundcube-edge-exploitation · ATT&CK page ↗

Persistence TA0003

T1505.003Server Software Component: Web Shell×1

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Evidence: 2026-07-09/unk-masstraction-roundcube-edge-exploitation · ATT&CK page ↗

Stealth TA0005

T1620Reflective Code Loading×1

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).

Evidence: 2026-07-09/unk-masstraction-roundcube-edge-exploitation · ATT&CK page ↗

Story timeline

  1. 2026-07-09UNK_MassTraction: suspected China-aligned actor exploits Roundcube as an edge device, chaining CVE-2024-42009 XSS into CVE-2025-49113 deserialization
    active-threatsProofpoint: China-aligned cluster turns a viewed email into a Roundcube foothold — XSS-delivered IceCube stealer chains into a deserialization webshell

Where this entity is cited

  • active-threats1

Source distribution

  • proofpoint.com1 (100%)

Related entities

Entries about IceCube (1)

2026-07-09 · view entry permalink →

NOTABLECVE-2024-42009 +1exploitedNATOB2

UNK_MassTraction: suspected China-aligned actor exploits Roundcube as an edge device, chaining CVE-2024-42009 XSS into CVE-2025-49113 deserialization

Proofpoint Threat Research documented UNK_MassTraction, a suspected China-aligned espionage cluster that since May 2026 has targeted physics and engineering departments at US and Canadian universities by exploiting Roundcube webmail as an edge device rather than phishing end users for credentials (Proofpoint, 2026-07-07). The initial vector is CVE-2024-42009, a Roundcube XSS that executes attacker JavaScript via the onanimationstart handler the moment a crafted email is opened in a vulnerable client — no attachment or link click required (T1566 delivery, T1203 client-side execution). That JavaScript loads IceCube, a Roundcube stealer that escapes the mail client's iframe by DOM traversal to reach the full DOM and the authenticated session, harvesting usernames, passwords, 2FA material and cookies; Proofpoint notes IceCube's verbose, well-commented code was likely produced with LLM assistance (Proofpoint, 2026-07-07).

IceCube then uses "helper" modules and the session's CSRF token to trigger CVE-2025-49113, a PHP object-deserialization flaw in Roundcube's handling of the embedded Crypt_GPG_Engine: a serialized gadget whose __destruct() passes _gpgconf into a shell-execution path lets the actor plant the SquareShell webshell into a plugin directory — timestomped to match a legitimate plugin — for remote code execution (T1190 server-side exploitation, T1505.003 web shell) (Proofpoint, 2026-07-07). A fallback channel introduced in June 2026 downloads an architecture-specific ELF loader that reflectively loads the publicly available VShell Go backdoor into memory (T1620), spoofing a kernel-worker process name; VShell's interactive shell and port-forwarding are the likely pivot into the target network. IceCube also installs "deferred triggers" that re-attempt exploitation if the user changes tabs or clicks logout, then destroys Roundcube sessions to force logout and remove forensic evidence. Attribution to a China-aligned actor rests on covert-VPS infrastructure reuse across China-aligned actors, Chinese-language build artifacts, and VShell tradecraft precedent (cited as tooling overlap, not the same actor) (Proofpoint, 2026-07-07).

The campaign uses an initial cross-site scripting (XSS) vulnerability to execute JavaScript inside of the victim browser.

IceCube will use what it calls “helpers” to exploit a second Roundcube vulnerability, a deserialization exploit (CVE-2025-49113) that abuses the parsing of the embedded Crypt_GPG_Engine to install a simple webshell we call SquareShell.

Chinese adversaries have previously used exploits against mailservers in a similar manner: treating them as edge devices to pivot into a target network.

Proofpoint Threat Research 2026-07-07
threat09 Jul 20:42Zsingle-sourceOpen finding ↗