SYMBOLCOMMON_NAMEaka. SYNONYMS
js.icecube (Back to overview)

IceCube


According to Proofpoint, IceCube is a JavaScript-based stealer likely developed with the assistance of a large language model, targeting Roundcube webmail instances. It escapes the webmail's iFrame context via DOM traversal to access the full document and the authentication session, then exfiltrates usernames, passwords, two-factor authentication material, cookies, and browser reconnaissance data (such as language, screen size, and form field values) via HTTP POST to its command-and-control server. The malware is heavily commented with well-marked execution phases, and incorporates self-cleanup routines, "fallbacks" for failed exploitation steps, and "deferred triggers" that hook browser events such as tab changes, mouse leaving the window, and the logout button to re-attempt exploitation. After successful server-side exploitation, it destroys both user and malware-initiated sessions to remove forensic evidence from the Roundcube server.

References
2026-07-07ProofpointGreg Lesnewich, Mark Kelly, Proofpoint Threat Research Team
One Email Closer to the Edge: UNK_MassTraction & the Physics of Exploitation
IceCube

There is no Yara-Signature yet.