Overview
- Proofpoint first observed the campaign in May and on July 7 said it remains active with fewer than 10 confirmed university victims and a suspected few dozen more.
- The attackers chain two known Roundcube flaws by using CVE-2024-42009 to run a JavaScript payload called IceCube that harvests usernames, passwords, two-factor tokens and cookies before abusing CVE-2025-49113 to gain server footholds.
- After server access the intruders deploy a PHP webshell called SquareShell or a memory-only backdoor called VShell and in June added a fallback shell script that fetches an ELF loader known as SNOWLIGHT.
- IceCube uses deferred triggers that reattempt exploitation and that destroy sessions to erase forensic traces, which helps the operators stay stealthy while they maintain persistent access.
- Proofpoint urges institutions to patch Roundcube, harden mail servers, search for webshells and memory-resident tools, and assume some victims may be unaware because investigators have limited visibility into any post-compromise data access.