VYPR · breach · Published Jun 3, 2026 · 1 source

Monthslong Email Espionage Campaign Targets Global Stock Exchange Executive

A sophisticated threat actor maintained prolonged access to a global stock exchange executive's email for at least five months, leveraging legitimate Windows tools for stealthy data exfiltration.

An unknown threat actor successfully infiltrated the email account of a senior executive at an unnamed global stock exchange, maintaining persistent access for at least five months. The campaign, which ran from August 2025 through February 2026, allowed the attacker near-continuous visibility into sensitive communications, potentially compromising valuable market intelligence.

Researchers from Symantec and Carbon Black uncovered the sophisticated operation, noting that by the time defenders became aware of the intrusion, the attacker had already achieved complete administrative access. The initial signs of activity, observed around October 2025, suggested lateral movement from a previously compromised device. At this stage, the attacker had deployed two implants with system privileges, disguised as Adobe software and OneDrive, with one set to run as a scheduled task every five minutes for persistence.
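The persistence described above (SYSTEM-level implants posing as Adobe and OneDrive components, one fired by a scheduled task every five minutes, later a batch-file task branded as a Lenovo health check) is exactly the kind of thing a scheduled-task inventory review can surface. The following triage script is an added example and is not the researchers' detection logic or anything from the report: the task records are constructed to mirror the article's description, and the vendor install directories, user-writable paths and ten-minute repeat threshold are assumptions chosen for illustration.

```python
"""
Triage of a Windows scheduled-task inventory for persistence indicators.
Added example, not from the Symantec/Carbon Black report: the task records,
the vendor directory map and the flagging thresholds are all assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
import re

# Where each vendor's signed components are normally installed (assumption).
# A task carrying a vendor's name but executing from elsewhere deserves review.
VENDOR_DIRS = {
    "adobe": ("c:\\program files\\adobe", "c:\\program files (x86)\\adobe"),
    "onedrive": ("c:\\program files\\microsoft onedrive",
                 "\\appdata\\local\\microsoft\\onedrive"),
    "lenovo": ("c:\\program files\\lenovo", "c:\\program files (x86)\\lenovo"),
}

# Locations an ordinary user can write to (ProgramData at its top level).
# A SYSTEM task launched from one of these is a classic persistence pattern.
USER_WRITABLE = ("\\users\\public", "\\appdata\\", "\\programdata\\",
                 "c:\\windows\\temp", "\\temp\\")

@dataclass
class Task:
    name: str
    run_as: str
    command: str
    repeat_minutes: int  # 0 when the task does not repeat

def triage_task(task: Task) -> list[str]:
    """Return the reasons a task looks like persistence; empty list if none."""
    reasons = []
    cmd = task.command.lower()
    name = task.name.lower()
    if task.run_as.upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM") and \
            any(p in cmd for p in USER_WRITABLE):
        reasons.append("runs as SYSTEM from a user-writable path")
    if 0 < task.repeat_minutes <= 10:  # assumption: sub-10-minute beacons are rare for legit tasks
        reasons.append(f"repeats every {task.repeat_minutes} min")
    for vendor, dirs in VENDOR_DIRS.items():
        if vendor in name and not any(d in cmd for d in dirs):
            reasons.append(f"named after {vendor} but runs outside its install directory")
    if re.search(r"\.(bat|cmd|vbs|ps1)\b", cmd):
        reasons.append("runs a script rather than a signed binary")
    return reasons

# Constructed records in the shape of `schtasks /query /v` output; the paths,
# names and account are illustrative, not indicators from the incident.
SAMPLE_TASKS = [
    Task("\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan", "SYSTEM",
         r"C:\Windows\System32\usoclient.exe StartScan", 0),
    Task("\\Adobe Acrobat Update Task", "SYSTEM",
         r"C:\ProgramData\Adobe\AdobeUpdate.exe", 5),
    Task("\\OneDrive Standalone Update", "SYSTEM",
         r"C:\Users\Public\OneDriveStandalone.exe", 0),
    Task("\\Lenovo System Health Check", "SYSTEM",
         r"C:\Windows\Temp\health\check.bat", 0),
    Task("\\OneDrive Reporting Task-S-1-5-21-1", "CORP\\jdoe",
         r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting", 0),
]

def suspicious_tasks(tasks: list[Task] = SAMPLE_TASKS) -> dict[str, list[str]]:
    """Map each flagged task name to its list of reasons."""
    return {t.name: r for t in tasks if (r := triage_task(t))}

if __name__ == "__main__":
    for task_name, why in suspicious_tasks().items():
        print(task_name, "->", "; ".join(why))
```

On a real host the records would come from `schtasks /query /fo CSV /v` or `Get-ScheduledTask`; the value of the exercise is that the three impostor tasks each trip more than one rule, while the genuine OneDrive per-user task and the built-in update scan trip none, which keeps the review list short enough to act on.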

The campaign escalated in November 2025 when the threat actor established a command-and-control (C2) channel using Dropbox, aiming to blend malicious traffic with legitimate network activity. This phase involved registering a new scheduled task for batch files, branded as a Lenovo system health check, demonstrating an intimate knowledge of the target's system. A custom infostealer, built using a legitimate .NET library from Aspose, was then deployed to convert emails into local files for exfiltration.

The attacker meticulously exfiltrated the target's entire email inbox in batches roughly every two to four weeks between August and mid-November 2025. This pattern continued until February 17, 2026, after which the attacker remained active on the system for another month, deploying new backdoors before their activity ceased around March 19, 2026.

The specific initial access vector remains undisclosed, leaving many questions about how the attacker first breached the network. However, the sustained and stealthy nature of the operation highlights a significant security lapse, particularly concerning the protection of high-value executive accounts.

While the attackers demonstrated considerable sophistication and patience, researchers emphasized that such campaigns are not unstoppable. Organizations can implement measures like Cloud Access Security Brokers (CASB) and Data Loss Prevention (DLP) solutions to detect and prevent data exfiltration to cloud services. Furthermore, actively monitoring and responding to alerts generated by Endpoint Detection and Response (EDR) software could have halted the attack earlier.
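The CASB/DLP recommendation above comes down to one question: which hosts are pushing unusual volumes to consumer cloud storage, and how often? The script below is an added example, not part of the article and not the logic of any CASB or DLP product. It runs over constructed web-proxy records (hostnames, timestamps and byte counts invented for the example), sums daily POST bytes to Dropbox domains per host, flags days that exceed either a fixed 10 MiB floor or twenty times the fleet-wide daily median (both thresholds are assumptions), and then reports the cadence between flagged days, which is what would expose the every-few-weeks batching the article describes.

```python
"""
Flag bulk uploads to consumer cloud storage from web-proxy logs and report
their cadence. Added example: the log lines, domain list and thresholds are
constructed assumptions, not data or rules from the incident.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime
from statistics import median

# Consumer file-sharing services a corporate host rarely needs to push data to.
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "dropboxapi.com")
ABSOLUTE_MB = 10       # assumption: any single day above this is always reviewed
RELATIVE_FACTOR = 20   # assumption: ...as is anything 20x the fleet's daily median

# Constructed proxy records: timestamp, client host, destination, method, bytes sent.
SAMPLE_LOG = """\
2025-11-03T02:14:09 EXEC-LAPTOP-07 api.dropboxapi.com POST 4812
2025-11-03T02:14:40 EXEC-LAPTOP-07 content.dropboxapi.com POST 61234567
2025-11-03T02:15:02 EXEC-LAPTOP-07 content.dropboxapi.com POST 58123400
2025-11-03T09:20:11 WS-FIN-113 content.dropboxapi.com POST 2048
2025-11-03T10:02:55 WS-FIN-113 www.dropbox.com GET 512
2025-11-04T11:40:01 WS-HR-022 content.dropboxapi.com POST 3100
2025-11-18T01:58:33 EXEC-LAPTOP-07 content.dropboxapi.com POST 64001122
2025-11-18T01:59:10 EXEC-LAPTOP-07 content.dropboxapi.com POST 60778899
2025-11-18T14:03:21 WS-FIN-113 content.dropboxapi.com POST 1900
"""

def parse(log: str):
    """Yield (timestamp, host, destination, method, bytes_sent) per record."""
    for line in log.splitlines():
        ts, host, dest, method, sent = line.split()
        yield datetime.fromisoformat(ts), host, dest, method, int(sent)

def is_cloud_storage(dest: str) -> bool:
    return any(dest == d or dest.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)

def daily_upload_totals(log: str) -> dict[tuple[str, str], int]:
    """Bytes POSTed to cloud-storage domains, keyed by (host, ISO day)."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for ts, host, dest, method, sent in parse(log):
        if method == "POST" and is_cloud_storage(dest):
            totals[(host, ts.date().isoformat())] += sent
    return dict(totals)

def flag_bulk_uploads(log: str = SAMPLE_LOG) -> list[dict]:
    """Return (host, day) totals above the absolute or relative threshold."""
    totals = daily_upload_totals(log)
    baseline = median(totals.values()) if totals else 0
    threshold = max(ABSOLUTE_MB * 1024 * 1024, RELATIVE_FACTOR * baseline)
    return [{"host": h, "day": d, "bytes": b, "threshold": int(threshold)}
            for (h, d), b in sorted(totals.items()) if b > threshold]

def recurrence_days(findings: list[dict]) -> dict[str, list[int]]:
    """Days between successive flagged days per host; a steady cadence
    points to an automated collector rather than a one-off share."""
    by_host: dict[str, list] = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(datetime.fromisoformat(f["day"]).date())
    return {h: [(b - a).days for a, b in zip(d, d[1:])]
            for h, d in by_host.items() if len(d) > 1}

if __name__ == "__main__":
    hits = flag_bulk_uploads()
    for f in hits:
        print(f"{f['host']} {f['day']}: {f['bytes']:,} bytes (threshold {f['threshold']:,})")
    print("cadence:", recurrence_days(hits))
```

The relative threshold matters more than the fixed floor in practice: small, routine sharing by finance and HR workstations sets a low median, so a single executive laptop pushing tens of megabytes stands out even in a fleet where Dropbox is permitted. Feeding the flagged (host, day) pairs back to the EDR alert queue ties the network view to the host-side persistence the other paragraphs describe.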

The intelligence gained from such prolonged access to a financial exchange executive's communications could be immensely valuable to competitors, investors, or state-sponsored actors. Information regarding listings, enforcement actions, and market-moving events could provide significant financial or strategic advantages.

This incident underscores the critical need for robust security measures tailored to protect executive-level access and sensitive corporate communications. The use of legitimate tools and techniques for persistence and exfiltration demonstrates the evolving tactics of sophisticated threat actors.

Synthesized by Vypr AI