CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 03, 2026

Global Stock Exchange Hit by Monthslong Email Campaign

Dark Reading Archived Jun 03, 2026 ✓ Full text saved

A threat actor got a near-continuous view into an influential finance executive's email inbox, thanks to clever use of legitimate, native Windows tools.

Full text archived locally
✦ AI Summary · Claude Sonnet


    CYBERATTACKS & DATA BREACHES СLOUD SECURITY THREAT INTELLIGENCE CYBER RISK NEWS Global Stock Exchange Hit by Monthslong Email Campaign A threat actor got a near-continuous view into an influential finance executive's email inbox, thanks to clever use of legitimate, native Windows tools. Nate Nelson,Contributing Writer June 3, 2026 3 Min Read SOURCE: NAGELESTOCK.NET VIA ALAMY STOCK PHOTO An unknown hacker or hackers managed to spy on a senior member of an unnamed global stock exchange for at least five months. Lots of questions still surround an email spying campaign reported by Symantec and Carbon Black this week, like who was behind it and how they obtained initial access. What's clear is that some threat actor subtly, meticulously crept into a high-ranking finance executive's Microsoft Outlook mailbox and siphoned off months' worth of emails. Those emails likely contained intimate information about the target's organization, from contacts and calendar events to the details of specific business deals. Considering the nature of the target's organization — a major financial exchange — that intelligence could have been of significant value to businesses, investors, or a foreign government. "Organizations such as exchanges and regulators may hold non-public information about listings, enforcement actions, and market-moving events," the researchers wrote in a blog post. "Months of unfettered access to that mailbox lets an attacker build a near-complete picture of the target's working life and the organization's near-term direction." Related:DriveSurge Hijacks Thousands of Sites for ClickFix, FakeUpdate Attacks Exchange Executive's Email Espionage Cybersecurity researchers often uncover malware or malicious behaviors designed to be stealthy. Though these cases usually are novel and interesting, they're typically failures to some degree, since, if they were really stealthy, they'd have never ended up in a research report. It may be a testament to the threat actor in this story that by the time cyber defenders realized something was afoot, the actor had already broken into their target's system and gained complete administrative access. We still don't know how they managed to do all that. The recorded part of the story began later, Oct. 10, 2025. Marc Elias, threat intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, recalls, "The first signs of activity we observed on the machine likely stemmed from lateral movement originating from a previously compromised device." By that point the attacker was already running two implants on the host machine, both with system privileges. One was designed to look like Adobe software, and the other OneDrive. For the sake of persistence, the former was registered as a scheduled task set to run every five minutes. The initial bricklaying phase of the campaign concluded a month later. On Nov. 12, 2025, the attacker or attackers set up a command-and-control (C2) channel via Dropbox, so that their malicious exfiltrations might appear like legitimate network traffic. They registered a new scheduled task for running batch files, branded as an ordinary Lenovo system health check — the Lenovo bit demonstrating an intimate knowledge of their target's machine — and then deployed a custom infostealer. Related:BTMOB RAT Spreads Across Brazil, LatAm via MaaS Model The infostealer was built on a legitimate .NET library from Aspose. Aspose is a company that specializes in application programming interfaces (APIs) that help developers create, edit, and convert file formats. The threat actor used the legitimate tool to convert the target's emails into local files, for exfiltration via Dropbox. Lessons From a Highly Targeted Attack The threat actor exfiltrated all the victim's emails between August and mid-November 2025. Then they repeatedly stole the target's entire email inbox roughly every two to four weeks, at least until Feb. 17, 2026. The exfiltration ended at that point, for whatever reason, though the attacker seems to have tinkered around for another month. "Following that last exfiltration event, the attackers dropped new backdoors, which constitutes the final activity we observed on the machine on March 19. We assume the operators lost access to the device after that date, as no further malicious activity was detected," Elias says. Related:Ransomware Actors Show Up In Person to Steal Law Firm Data Though the attackers were meticulous, sophisticated in their tactics, and patient, they were far from unstoppable. Elias points out that there are a number of steps high-value targets can take to protect themselves from similar attacks. "The organization could have detected and prevented the data exfiltration to cloud services by utilizing a cloud access security broker (CASB) and data loss prevention (DLP) solution," he argues. "They could have halted the attack earlier by actively reviewing and responding to the alerts generated by their endpoint detection and response (EDR) software." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media. He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure More Webinars You May Also Like CYBERATTACKS & DATA BREACHES Critical Fortinet Flaws Under Active Attack by Jai Vijayan, Contributing Writer DEC 17, 2025 CYBERATTACKS & DATA BREACHES CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks by Rob Wright DEC 04, 2025 CYBERATTACKS & DATA BREACHES F5 BIG-IP Environment Breached by Nation-State Actor by Alexander Culafi OCT 15, 2025 CYBERATTACKS & DATA BREACHES Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business by Robert Lemos, Contributing Writer OCT 03, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    Jun 03, 2026
    Archived
    Jun 03, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗