www.security.com
Five-Month Espionage Campaign Targets Stock Exchange Executive's Email
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A five-month-long espionage campaign targeted the email account of a senior executive at a major global stock exchange. The attackers gained access to sensitive information, including emails, calendar events, and contacts, which could influence market movements. The attack began on October 10, 2025, with the installation of two masquerading binaries, armsvc.exe and oneservice.exe, which mimicked legitimate software. The attackers used legitimate cloud services like Dropbox and OneDrive for command and control, making detection difficult. The campaign's active phase commenced on November 12, 2025, when the attackers established a C2 channel via Dropbox. The identity of the attackers remains unknown, and the initial infection vector has not been disclosed. The operation demonstrates a high level of operational discipline and stealth, typical of state-sponsored espionage activities. Current investigations are ongoing, with cybersecurity firms like Symantec and Carbon Black involved.
Key Points: • Attackers accessed a senior executive's email for five months, gathering sensitive information. • Malicious binaries disguised as legitimate software were used to maintain access and exfiltrate data. • The campaign utilized cloud services for command and control, complicating detection efforts.