Email Espionage Campaign Targets Global Stock Exchange Executive

Severity: High (Score: 71.5)

Sources: www.security.com, Darkreading

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: stock, exchange, espionage, email, global, campaign, senior

Severity indicators: global campaign, global

Summary

A five-month email espionage campaign compromised the mailbox of a senior executive at a major global stock exchange. The attackers gained access to sensitive information, including contacts, calendar events, and business negotiations. Utilizing legitimate tools like Dropbox and OneDrive for command and control, the threat actors maintained stealth and evaded detection for months. The initial signs of malicious activity were observed on October 10, 2025, with two masquerading binaries installed on the target's system. The attackers achieved local privilege escalation and established a C2 channel via Dropbox by November 12, 2025. The identity of the attackers remains unknown, and the method of initial access is still under investigation. This incident highlights the risks associated with targeted email attacks on high-profile individuals in the finance sector.

Key Points:
  • A senior executive's email at a global stock exchange was compromised for five months.
  • Attackers used legitimate cloud services for command and control to avoid detection.
  • Initial malicious activity was detected on October 10, 2025, with escalation occurring shortly after.

Detailed Analysis

**Impact**

A senior executive at a major global stock exchange was targeted in a five-month espionage campaign, resulting in near-continuous access to their Microsoft Outlook mailbox. The attacker exfiltrated emails containing sensitive information such as external negotiations, internal deliberations, calendar events, travel patterns, and contacts. This exposure risks non-public financial data, enforcement actions, and market-moving events, potentially impacting the financial sector globally. The compromise spanned from at least August 2025 through mid-February 2026.

**Technical Details**

The initial infection vector remains unknown; the first observed malicious activity began on October 10, 2025, with two SYSTEM-level implants masquerading as Adobe Acrobat Reader Update and OneDrive setup binaries. Persistence was maintained via scheduled tasks running every five minutes and every 300 minutes, disguised as legitimate services including a Lenovo system health check. Data exfiltration used OAuth-authenticated Dropbox API calls with a single persistent app client_id and client_secret, uploading stolen emails that were converted locally using a legitimate Aspose .NET library. The attacker employed native Windows tools and public cloud services to blend with legitimate traffic. The final observed activity was on March 19, 2026, after which access was lost. No exploited CVEs or specific malware hashes were disclosed.

**Recommended Response**

Monitor for unusual scheduled tasks, especially those mimicking legitimate services with high-frequency triggers. Detect and block unauthorized OAuth applications and anomalous Dropbox API usage. Harden endpoint security by restricting the creation of persistent scheduled tasks, and monitor for masquerading binaries in common application data paths. Investigate any lateral movement indicators and review administrative privileges on critical hosts. No patches or CVEs were specified; focus on behavioral detection and network monitoring for cloud service abuse.
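The scheduled-task hunting described under Recommended Response can be scripted against an export of task definitions. The following is an added example (not code from the source articles or the researchers), operating on constructed task records shaped like Task Scheduler XML fields; the task names, paths and the 10-minute threshold are assumptions for illustration, not indicators from the incident.

```python
import re

# Constructed sample records mirroring Task Scheduler XML fields: the task path,
# the Triggers/Repetition/Interval value (ISO 8601 duration such as PT5M), the
# action executable and the principal it runs as. Not incident indicators.
SAMPLE_TASKS = [
    {"name": "\\Lenovo\\SystemHealthCheck", "interval": "PT5M",
     "action": r"C:\Users\exec\AppData\Roaming\Lenovo\lnvhc.exe", "run_as": "SYSTEM"},
    {"name": "\\Microsoft\\Windows\\OneDrive Setup", "interval": "PT300M",
     "action": r"C:\ProgramData\OneDrive\OneDriveSetup.exe", "run_as": "SYSTEM"},
    {"name": "\\Adobe Acrobat Update Task", "interval": "P1D",
     "action": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe", "run_as": "SYSTEM"},
    {"name": "\\MyBackup", "interval": "PT1H",
     "action": r"C:\Users\exec\AppData\Local\backup\sync.exe", "run_as": "exec"},
]

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
VENDOR_WORDS = ("lenovo", "adobe", "onedrive", "microsoft")   # names attackers borrow
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

def parse_duration_seconds(iso):
    """Convert a Task Scheduler ISO 8601 duration to seconds; None if unparsable."""
    m = _DURATION.match(iso or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def assess_task(task, max_interval_seconds=600):
    """Return the reasons a task deserves review; an empty list means no finding."""
    reasons = []
    secs = parse_duration_seconds(task.get("interval"))
    if secs is not None and secs <= max_interval_seconds:
        reasons.append(f"high-frequency trigger ({secs}s)")
    path, name = task["action"].lower(), task["name"].lower()
    in_user_dir = any(marker in path for marker in USER_WRITABLE)
    if in_user_dir and any(word in name for word in VENDOR_WORDS):
        reasons.append("vendor-named task launching from user-writable path")
    if task.get("run_as", "").upper() == "SYSTEM" and in_user_dir:
        reasons.append("SYSTEM task launching from user-writable path")
    return reasons

def triage(tasks):
    """Map task name -> reasons for every task with at least one finding."""
    findings = {}
    for task in tasks:
        reasons = assess_task(task)
        if reasons:
            findings[task["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the records would come from `schtasks /query /xml` or the Task Scheduler PowerShell module; the heuristics flag the two masquerading tasks and pass the genuine Adobe updater and the user's own backup job.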

Source articles (2)

  • Global Stock Exchange Hit by Monthslong Email Campaign — Darkreading · 2026-06-03
    A threat actor got a near-continuous view into an influential finance executive's email inbox, thanks to clever use of legitimate, native Windows tools. An unknown hacker or hackers managed to spy on…
  • Stock Exchange Espionage — www.security.com · 2026-06-03
    A five-month espionage campaign targeted the email account of a senior figure at a major global stock exchange. For an espionage actor, a senior executive's mailbox is a high-value intelligence target…

Timeline

  • 2025-10-10 — First signs of malicious activity observed: Malicious binaries were installed on the executive's system, indicating initial compromise.
  • 2025-11-12 — C2 channel established via Dropbox: The attackers completed an OAuth handshake to obtain a Dropbox API token for data exfiltration.
  • 2026-06-03 — Incident reported publicly: The espionage campaign was disclosed by cybersecurity researchers from Symantec and Carbon Black.

Related entities

  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • CWE-269 - Improper Privilege Management (Cwe)
  • onedrive.live.com (Domain)
  • Financial (Industry)
  • 13.107.137.11 (Ipv4)
  • 150.171.41.11 (Ipv4)
  • 51.91.79.17 (Ipv4)
  • FRPC (Tool)
  • Dropbox (Tool)
  • OneDrive (Tool)
  • Aspose (Tool)
  • Curl (Tool)
  • Secretsdump (Tool)
  • Mailbox Infostealer (Malware)
  • SharpDecryptPwd (Malware)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1036 - Masquerading (Mitre Attack)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1068 - Exploitation for Privilege Escalation (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1543.003 - Windows Service (Mitre Attack)
  • T1548.002 - Bypass User Account Control (Mitre Attack)
  • T1567.002 - Exfiltration to Cloud Storage (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • T1574 - Hijack Execution Flow (Mitre Attack)
  • Adobe (Company)
  • Lenovo (Company)
  • Windows (Platform)