VYPR
breachPublished Jun 3, 2026· Updated Jun 4, 2026· 4 sources

Monthslong Email Espionage Campaign Targets Global Stock Exchange Executive

A sophisticated threat actor maintained prolonged access to a global stock exchange executive's email for at least five months, leveraging legitimate Windows tools for stealthy data exfiltration.

An unknown threat actor successfully infiltrated the email account of a senior executive at an unnamed global stock exchange, maintaining persistent access for at least five months. The campaign, which ran from August 2025 through February 2026, allowed the attacker near-continuous visibility into sensitive communications, potentially compromising valuable market intelligence.

Researchers from Symantec and Carbon Black uncovered the sophisticated operation, noting that by the time defenders became aware of the intrusion, the attacker had already achieved complete administrative access. The initial signs of activity, observed around October 2025, suggested lateral movement from a previously compromised device. At this stage, the attacker had deployed two implants with system privileges, disguised as Adobe software and OneDrive, with one set to run as a scheduled task every five minutes for persistence.

The campaign escalated in November 2025 when the threat actor established a command-and-control (C2) channel using Dropbox, aiming to blend malicious traffic with legitimate network activity. This phase involved registering a new scheduled task for batch files, branded as a Lenovo system health check, demonstrating an intimate knowledge of the target's system. A custom infostealer, built using a legitimate .NET library from Aspose, was then deployed to convert emails into local files for exfiltration.

The attacker meticulously exfiltrated the target's entire email inbox in batches roughly every two to four weeks between August and mid-November 2025. This pattern continued until February 17, 2026, after which the attacker remained active on the system for another month, deploying new backdoors before their activity ceased around March 19, 2026.

The specific initial access vector remains undisclosed, leaving many questions about how the attacker first breached the network. However, the sustained and stealthy nature of the operation highlights a significant security lapse, particularly concerning the protection of high-value executive accounts.

While the attackers demonstrated considerable sophistication and patience, researchers emphasized that such campaigns are not unstoppable. Organizations can implement measures like Cloud Access Security Brokers (CASB) and Data Loss Prevention (DLP) solutions to detect and prevent data exfiltration to cloud services. Furthermore, actively monitoring and responding to alerts generated by Endpoint Detection and Response (EDR) software could have halted the attack earlier.

The intelligence gained from such prolonged access to a financial exchange executive's communications could be immensely valuable to competitors, investors, or state-sponsored actors. Information regarding listings, enforcement actions, and market-moving events could provide significant financial or strategic advantages.

This incident underscores the critical need for robust security measures tailored to protect executive-level access and sensitive corporate communications. The use of legitimate tools and techniques for persistence and exfiltration demonstrates the evolving tactics of sophisticated threat actors.

This new report from SecurityWeek provides additional details on the espionage operation targeting a global stock exchange executive. While the previous report mentioned the prolonged access and data exfiltration, this article highlights that the attackers maintained access for approximately 150 days, from October 2025 to March 2026. It also notes that the initial access vector remains unknown, but malware was observed disguised as legitimate Adobe and OneDrive applications.

This new report details the technical execution of the espionage campaign, revealing that the attackers utilized a legitimate .NET library, Aspose, to read Outlook OST and PST files. The stolen data was exfiltrated in small, repeated batches over five months, disguised by routing traffic through Dropbox and OneDrive and employing scheduled tasks that mimicked legitimate system services to evade detection.

This new report details the specific technical methods employed during the five-month espionage campaign against the stock exchange executive. Attackers utilized the legitimate Aspose .NET library to convert Outlook data files and exfiltrated emails via Dropbox and OneDrive, employing hard-coded IP addresses for OneDrive to bypass DNS filtering. Initial access involved masquerading binaries as Adobe and OneDrive components, establishing persistence through scheduled tasks, and the campaign continued to evolve with new DLLs and binaries deployed as late as March 2026.

Synthesized by Vypr AI