Five-Month Espionage Campaign Targets Stock Exchange Executive's Email

Five-Month Espionage Campaign Targets Stock Exchange Executive's Email

First seen 3 Jun 2026, 16:15 UTC DarkreadingSecuritySecurityaffairs.CoGbhackersScworld+4 85% similarity 70.5

Article Content

Browse articles
ThreatCluster

A five-month-long espionage campaign targeted the email account of a senior executive at a major global stock exchange. The attackers gained access to sensitive information, including emails, calendar events, and contacts, which could influence market movements. The attack began on October 10, 2025, with the installation of two masquerading binaries, armsvc.exe and oneservice.exe, which mimicked legitimate software. The attackers used legitimate cloud services like Dropbox and OneDrive for command and control, making detection difficult. The campaign's active phase commenced on November 12, 2025, when the attackers established a C2 channel via Dropbox. The identity of the attackers remains unknown, and the initial infection vector has not been disclosed. The operation demonstrates a high level of operational discipline and stealth, typical of state-sponsored espionage activities. Current investigations are ongoing, with cybersecurity firms like Symantec and Carbon Black involved.

Key Points: • Attackers accessed a senior executive's email for five months, gathering sensitive information. • Malicious binaries disguised as legitimate software were used to maintain access and exfiltrate data. • The campaign utilized cloud services for command and control, complicating detection efforts.

ThreatCluster AI

Timeline

2025-10-10
Initial malicious activity observed
Attackers installed two masquerading binaries on the target's system, indicating local privilege escalation.
Security
2025-11-12
C2 channel established via Dropbox
Attackers completed an OAuth handshake to obtain a Dropbox API token, facilitating data exfiltration.
Darkreading
2026-03-01
Campaign concluded
The espionage operation is believed to have ended around March 2026, after five months of activity.
Securityaffairs.Co

Community

Browse all →