Particle.news

China-Aligned Hackers Exploit Roundcube Flaws to Breach University Mail Servers

Proofpoint says the chained exploits steal browser credentials to install webshells or VShell, creating persistent access into campus networks.

Overview

  • Proofpoint first observed the campaign in May and on July 7 said it remains active with fewer than 10 confirmed university victims and a suspected few dozen more.
  • The attackers chain two known Roundcube flaws by using CVE-2024-42009 to run a JavaScript payload called IceCube that harvests usernames, passwords, two-factor tokens and cookies before abusing CVE-2025-49113 to gain server footholds.
  • After server access the intruders deploy a PHP webshell called SquareShell or a memory-only backdoor called VShell and in June added a fallback shell script that fetches an ELF loader known as SNOWLIGHT.
  • IceCube uses deferred triggers that reattempt exploitation and that destroy sessions to erase forensic traces, which helps the operators stay stealthy while they maintain persistent access.
  • Proofpoint urges institutions to patch Roundcube, harden mail servers, search for webshells and memory-resident tools, and assume some victims may be unaware because investigators have limited visibility into any post-compromise data access.