
Five-Month Espionage Campaign Targets Stock Exchange Executive's Email

Severity: High (Score: 70.5)

Sources: www.security.com, Darkreading, Security, Securityaffairs.Co

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: stock, exchange, espionage, email, global, campaign, senior

Severity indicators: global campaign, global

Summary

A five-month espionage campaign targeted the email account of a senior executive at a major global stock exchange. The attackers gained access to sensitive information, including emails, calendar events, and contacts, some of which could influence market movements. The attack began on October 10, 2025, with the installation of two masquerading binaries, armsvc.exe and oneservice.exe, which mimicked legitimate software. The attackers used legitimate cloud services (Dropbox and OneDrive) for command and control, making detection difficult. The campaign's active phase commenced on November 12, 2025, when the attackers established a C2 channel via Dropbox. The identity of the attackers remains unknown, and the initial infection vector has not been disclosed. The operation demonstrates a level of operational discipline and stealth typical of state-sponsored espionage. Investigations are ongoing, with cybersecurity firms including Symantec and Carbon Black involved.

Key Points:

  • Attackers accessed a senior executive's email for five months, gathering sensitive information.
  • Malicious binaries disguised as legitimate software were used to maintain access and exfiltrate data.
  • The campaign used cloud services for command and control, complicating detection efforts.

Detailed Analysis

**Impact** A senior executive at a major global stock exchange was targeted, with the attackers maintaining access to the executive's Outlook email account for approximately five months (October 2025 to March 2026). The compromised data included emails, calendar events, travel patterns, contacts, and potentially non-public market-moving information and enforcement actions. This exposure risks significant operational and strategic intelligence leakage affecting the financial sector globally. The breach was limited to a single high-value individual but gave the attackers a near-complete view of the target's professional activities.

**Technical Details** The initial infection vector remains unknown. By October 10, 2025, the attackers had deployed two masquerading binaries (armsvc.exe and oneservice.exe) running as SYSTEM and named after Adobe and OneDrive services, which indicates they had already escalated privileges locally. Persistence was maintained via scheduled tasks running every five minutes and every 300 minutes, disguised as legitimate system services. Data exfiltration used OAuth-authenticated Dropbox API calls via a persistent Dropbox app, with exfiltrated emails converted locally using a legitimate Aspose .NET library. Command and control leveraged legitimate cloud services (Dropbox and OneDrive) and public tools to blend with normal traffic. No CVE exploitation was reported. The file hashes and IP addresses listed under Related entities below are the indicators published with the source reporting; note that IP addresses tied to legitimate cloud services (such as those serving onedrive.live.com) are shared infrastructure and are not safe to block outright.

**Recommended Response** Monitor for unusual scheduled tasks, especially those named after Adobe, OneDrive, or Lenovo system services, and review OAuth token usage related to cloud storage services like Dropbox. Harden endpoints by restricting the paths from which system services may execute and by validating scheduled task registrations. Deploy detections for abnormal use of legitimate cloud APIs and monitor for unusual data transfers to cloud storage. Investigate any persistence mechanisms using SYSTEM-level scheduled tasks and review privilege escalation vectors on affected hosts.

No specific patches were identified in the reports.
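The scheduled-task hunt recommended above, worked through as an added example that is not code from the source articles or from any vendor named in them. It triages a constructed CSV in the shape of a `schtasks /query /fo CSV /v` export (the column names are real schtasks headers; the SHA256 column is assumed to be appended by the collection script, and every value is made up for the example). The trusted install roots, the expected Adobe ARM path and the SYSTEM account spellings are assumptions that an analyst would replace with their own gold-image inventory; the hash set is the list of SHA-256 indicators published on this page.

```python
"""Triage a Windows scheduled-task inventory for the masquerading and
persistence pattern described on this page (example code, not from the
source reporting). Input shape: `schtasks /query /fo CSV /v` plus an assumed
SHA256 column added by the collector. Paths and account names are assumptions.
"""
import csv
import io
import re

# SHA-256 indicators listed on this page for the campaign.
CAMPAIGN_SHA256 = {
    "02048121fd0b3a51751ce7677155aa8818eba9d8ce67ea26fd1d7f43cfcdabd2",
    "22f335a65c479c26019f6187dae290624117c82a702a96acbb04fa325f730d3e",
    "3aae5a24e63f3cb1ca4759b9e4ee8e503ff139189423f5fd8cc923c6819697ca",
    "3b6cb20891bce8602ce669187754871e402a1782031ef8b032cd007e3894bc5d",
    "611db3195d55e871dce67ce5c41e894bbaab88dd0d019af68f5a259f0108aef7",
    "6a69ea2ce3fea0ebfd7a32a1dfc4251bd4d7d8a4fbd44aaa47b82290d0414a9f",
    "6c700ca4e6d917c7aa9d964e98604a0349d9b8b4673df96a3f73a3d2d042635a",
    "8b283c954d19a839a724961ccaf025c56988c4e745acb2d31a15a006cda072bf",
    "8c0871cd0f60bc603424e948a689945a1828d0bef926a6470ae18cf17d93f7cb",
    "acf5ed6e5bb90c44683938f35efeca551428064cdedbbaab8be69e3474fb806f",
    "cf731b82c471211938b210ae8a6dcc7ece4f44371e716f056fa05151a9910727",
    "d5e42104292513232d26ad7d9d317b5c779577da43e28fe27f8c2fb9318b0e8e",
    "d78f64551d1b31a31e5998e442f0debd458e011e05019b3951d9ddde997f8384",
    "db59813e3f27fb8608a4876e758f60b69d9700dc22d15237ac095bb3166fb622",
    "eaff006ac0eb7f7fe4db5fc6a4b5b1dc272d83ced66d510dcea185b1278bb453",
    "f72a8b71f12eaab6518873f72ea4be4572d9f3fb8e8706ade3b9a7314f236f22",
}

# Vendor branding the attackers borrowed for task and binary names (from the page).
VENDOR_WORDS = ("adobe", "armsvc", "armdriver", "onedrive", "lenovo")
# Assumed install roots where vendor services legitimately live (lower-cased).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed legitimate location of the Adobe Acrobat Update Service binary.
EXPECTED_PATHS = {"armsvc.exe": "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\armsvc.exe"}
SYSTEM_ACCOUNTS = ("SYSTEM", "NT AUTHORITY\\SYSTEM")


def repeat_minutes(text):
    """Convert schtasks' 'Repeat: Every' text ('0 Hour(s), 5 Minute(s)') to minutes; None for N/A."""
    hours = re.search(r"(\d+)\s*Hour", text)
    mins = re.search(r"(\d+)\s*Minute", text)
    if not hours and not mins:
        return None
    return (int(hours.group(1)) if hours else 0) * 60 + (int(mins.group(1)) if mins else 0)


def binary_path(task_to_run):
    """Extract the lower-cased executable path from 'Task To Run', quoted or not, dropping arguments."""
    text = task_to_run.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return (text[1:end] if end > 0 else text[1:]).lower()
    match = re.match(r"(.+?\.(?:exe|dll|cmd|bat|ps1))(?:\s|$)", text, re.IGNORECASE)
    return (match.group(1) if match else (text.split()[0] if text else "")).lower()


def triage_task(row):
    """Return the reasons a task record is suspicious (empty list means nothing flagged)."""
    reasons = []
    path = binary_path(row.get("Task To Run", ""))
    exe = path.rsplit("\\", 1)[-1]
    task_name = row.get("TaskName", "").lower()
    trusted = path.startswith(TRUSTED_ROOTS)
    is_system = row.get("Run As User", "").upper() in SYSTEM_ACCOUNTS
    # Masquerading: a vendor-branded binary that is not where the vendor installs it.
    if exe in EXPECTED_PATHS:
        if path != EXPECTED_PATHS[exe]:
            reasons.append(f"{exe} not at its expected install path")
    elif any(w in exe or w in task_name for w in VENDOR_WORDS) and not trusted:
        reasons.append("vendor-branded task or binary outside vendor install roots")
    # Persistence pattern from the campaign: a SYSTEM task firing every few minutes.
    interval = repeat_minutes(row.get("Repeat: Every", ""))
    if is_system and interval is not None and interval <= 5:
        reasons.append(f"SYSTEM task repeating every {interval} min")
    if is_system and not trusted:
        reasons.append("SYSTEM task launching from a non-vendor location")
    # Direct IOC hit on the action binary.
    if row.get("SHA256", "").lower() in CAMPAIGN_SHA256:
        reasons.append("binary hash matches a published campaign IOC")
    return reasons


def triage(csv_text):
    """Map TaskName -> reasons for every flagged task in a schtasks CSV export."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        reasons = triage_task(row)
        if reasons:
            flagged[row["TaskName"]] = reasons
    return flagged


# Constructed sample export: one legitimate Adobe task, two lookalikes, one ordinary user task.
SAMPLE_SCHTASKS_CSV = r'''
"HostName","TaskName","Task To Run","Run As User","Repeat: Every","SHA256"
"WS01","\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe /scan","SYSTEM","1 Hour(s), 0 Minute(s)","0000000000000000000000000000000000000000000000000000000000000000"
"WS01","\Microsoft\Windows\ArmSvc Update","C:\ProgramData\Adobe\armsvc.exe","NT AUTHORITY\SYSTEM","0 Hour(s), 5 Minute(s)","02048121fd0b3a51751ce7677155aa8818eba9d8ce67ea26fd1d7f43cfcdabd2"
"WS01","\OneDrive Service","""C:\Users\Public\Libraries\oneservice.exe"" -svc","SYSTEM","5 Hour(s), 0 Minute(s)","1111111111111111111111111111111111111111111111111111111111111111"
"WS01","\Backup","C:\Users\alice\tools\sync.exe","CORP\alice","0 Hour(s), 10 Minute(s)","2222222222222222222222222222222222222222222222222222222222222222"
'''

if __name__ == "__main__":
    for name, why in triage(SAMPLE_SCHTASKS_CSV).items():
        print(name)
        for reason in why:
            print("   -", reason)
```

Run against the sample, the two lookalike tasks are flagged and the legitimate Adobe task and the user's own task are not. The ordering of the rules matters: a binary whose name has a known legitimate home is judged against that exact path, while other vendor-branded names are only judged against the install roots, so a renamed dropper in ProgramData or a user-writable directory is caught without flagging every vendor service on the box. The hash rule is deliberately last and independent, since the campaign binaries can be renamed but the published hashes cannot.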

Source articles (4)

  • Global Stock Exchange Hit by Monthslong Email Campaign — Darkreading · 2026-06-03
    A threat actor got a near-continuous view into an influential finance executive's email inbox, thanks to clever use of legitimate, native Windows tools. An unknown hacker or hackers managed to spy on…
  • Stock Exchange Espionage — www.security.com · 2026-06-03
    A five-month espionage campaign targeted the email account of a senior figure at a major global stock exchange. For an espionage actor, a senior executive's mailbox is a high-value intelligence target…
  • Espionage Campaign Targeted Stock Exchange Executive for Five Months — Security · 2026-06-03
    A five-month espionage campaign targeted the email account of a senior figure at a major global stock exchange. For an espionage actor, a senior executive's mailbox is a high-value intelligence target…
  • Cyber espionage campaign targeted stock exchange executive’s Outlook account — Securityaffairs.Co · 2026-06-03
    Attackers spent five months silently stealing emails from a stock exchange executive’s Outlook account in a suspected espionage operation. A threat actor quietly sat inside a senior executive’s Outloo…

Timeline

  • 2025-10-10 — Initial malicious activity observed: Attackers installed two masquerading binaries on the target's system, indicating local privilege escalation.
  • 2025-11-12 — C2 channel established via Dropbox: Attackers completed an OAuth handshake to obtain a Dropbox API token, facilitating data exfiltration.
  • 2026-03-01 — Campaign concluded: The espionage operation is believed to have ended around March 2026, after five months of activity.

Related entities

  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-269 - Improper Privilege Management (Cwe)
  • onedrive.live.com (Domain)
  • Financial (Industry)
  • 13.107.137.11 (Ipv4)
  • 150.171.41.11 (Ipv4)
  • 51.91.79.17 (Ipv4)
  • FRPC (Tool)
  • Dropbox (Tool)
  • OneDrive (Tool)
  • Armdriver.exe (Tool)
  • Aspose (Tool)
  • Aspose.exe (Tool)
  • Curl (Tool)
  • Onedrivesync.exe (Tool)
  • Schtasks (Tool)
  • Secretsdump (Tool)
  • Te.exe (Tool)
  • Te.host.dll (Tool)
  • Mailbox Infostealer (Malware)
  • SharpDecryptPwd (Malware)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1036 - Masquerading (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1059.003 - Windows Command Shell (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1068 - Exploitation for Privilege Escalation (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1543.003 - Windows Service (Mitre Attack)
  • T1548.002 - Bypass User Account Control (Mitre Attack)
  • T1567.002 - Exfiltration to Cloud Storage (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • T1574 - Hijack Execution Flow (Mitre Attack)
  • Adobe (Company)
  • Outlook (Company)
  • Lenovo (Company)
  • Windows (Platform)
  • 02048121fd0b3a51751ce7677155aa8818eba9d8ce67ea26fd1d7f43cfcdabd2 (Sha256)
  • 22f335a65c479c26019f6187dae290624117c82a702a96acbb04fa325f730d3e (Sha256)
  • 3aae5a24e63f3cb1ca4759b9e4ee8e503ff139189423f5fd8cc923c6819697ca (Sha256)
  • 3b6cb20891bce8602ce669187754871e402a1782031ef8b032cd007e3894bc5d (Sha256)
  • 611db3195d55e871dce67ce5c41e894bbaab88dd0d019af68f5a259f0108aef7 (Sha256)
  • 6a69ea2ce3fea0ebfd7a32a1dfc4251bd4d7d8a4fbd44aaa47b82290d0414a9f (Sha256)
  • 6c700ca4e6d917c7aa9d964e98604a0349d9b8b4673df96a3f73a3d2d042635a (Sha256)
  • 8b283c954d19a839a724961ccaf025c56988c4e745acb2d31a15a006cda072bf (Sha256)
  • 8c0871cd0f60bc603424e948a689945a1828d0bef926a6470ae18cf17d93f7cb (Sha256)
  • acf5ed6e5bb90c44683938f35efeca551428064cdedbbaab8be69e3474fb806f (Sha256)
  • cf731b82c471211938b210ae8a6dcc7ece4f44371e716f056fa05151a9910727 (Sha256)
  • d5e42104292513232d26ad7d9d317b5c779577da43e28fe27f8c2fb9318b0e8e (Sha256)
  • d78f64551d1b31a31e5998e442f0debd458e011e05019b3951d9ddde997f8384 (Sha256)
  • db59813e3f27fb8608a4876e758f60b69d9700dc22d15237ac095bb3166fb622 (Sha256)
  • eaff006ac0eb7f7fe4db5fc6a4b5b1dc272d83ced66d510dcea185b1278bb453 (Sha256)
  • f72a8b71f12eaab6518873f72ea4be4572d9f3fb8e8706ade3b9a7314f236f22 (Sha256)