Global Stock Exchange Hit by Monthslong Email Campaign
Dark ReadingArchived Jun 03, 2026✓ Full text saved
A threat actor got a near-continuous view into an influential finance executive's email inbox, thanks to clever use of legitimate, native Windows tools.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBERATTACKS & DATA BREACHES
СLOUD SECURITY
THREAT INTELLIGENCE
CYBER RISK
NEWS
Global Stock Exchange Hit by Monthslong Email Campaign
A threat actor got a near-continuous view into an influential finance executive's email inbox, thanks to clever use of legitimate, native Windows tools.
Nate Nelson,Contributing Writer
June 3, 2026
3 Min Read
SOURCE: NAGELESTOCK.NET VIA ALAMY STOCK PHOTO
An unknown hacker or hackers managed to spy on a senior member of an unnamed global stock exchange for at least five months.
Lots of questions still surround an email spying campaign reported by Symantec and Carbon Black this week, like who was behind it and how they obtained initial access. What's clear is that some threat actor subtly, meticulously crept into a high-ranking finance executive's Microsoft Outlook mailbox and siphoned off months' worth of emails.
Those emails likely contained intimate information about the target's organization, from contacts and calendar events to the details of specific business deals. Considering the nature of the target's organization — a major financial exchange — that intelligence could have been of significant value to businesses, investors, or a foreign government.
"Organizations such as exchanges and regulators may hold non-public information about listings, enforcement actions, and market-moving events," the researchers wrote in a blog post. "Months of unfettered access to that mailbox lets an attacker build a near-complete picture of the target's working life and the organization's near-term direction."
Related:DriveSurge Hijacks Thousands of Sites for ClickFix, FakeUpdate Attacks
Exchange Executive's Email Espionage
Cybersecurity researchers often uncover malware or malicious behaviors designed to be stealthy. Though these cases usually are novel and interesting, they're typically failures to some degree, since, if they were really stealthy, they'd have never ended up in a research report.
It may be a testament to the threat actor in this story that by the time cyber defenders realized something was afoot, the actor had already broken into their target's system and gained complete administrative access.
We still don't know how they managed to do all that. The recorded part of the story began later, Oct. 10, 2025. Marc Elias, threat intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, recalls, "The first signs of activity we observed on the machine likely stemmed from lateral movement originating from a previously compromised device." By that point the attacker was already running two implants on the host machine, both with system privileges. One was designed to look like Adobe software, and the other OneDrive. For the sake of persistence, the former was registered as a scheduled task set to run every five minutes.
The initial bricklaying phase of the campaign concluded a month later. On Nov. 12, 2025, the attacker or attackers set up a command-and-control (C2) channel via Dropbox, so that their malicious exfiltrations might appear like legitimate network traffic. They registered a new scheduled task for running batch files, branded as an ordinary Lenovo system health check — the Lenovo bit demonstrating an intimate knowledge of their target's machine — and then deployed a custom infostealer.
Related:BTMOB RAT Spreads Across Brazil, LatAm via MaaS Model
The infostealer was built on a legitimate .NET library from Aspose. Aspose is a company that specializes in application programming interfaces (APIs) that help developers create, edit, and convert file formats. The threat actor used the legitimate tool to convert the target's emails into local files, for exfiltration via Dropbox.
Lessons From a Highly Targeted Attack
The threat actor exfiltrated all the victim's emails between August and mid-November 2025. Then they repeatedly stole the target's entire email inbox roughly every two to four weeks, at least until Feb. 17, 2026. The exfiltration ended at that point, for whatever reason, though the attacker seems to have tinkered around for another month.
"Following that last exfiltration event, the attackers dropped new backdoors, which constitutes the final activity we observed on the machine on March 19. We assume the operators lost access to the device after that date, as no further malicious activity was detected," Elias says.
Related:Ransomware Actors Show Up In Person to Steal Law Firm Data
Though the attackers were meticulous, sophisticated in their tactics, and patient, they were far from unstoppable. Elias points out that there are a number of steps high-value targets can take to protect themselves from similar attacks.
"The organization could have detected and prevented the data exfiltration to cloud services by utilizing a cloud access security broker (CASB) and data loss prevention (DLP) solution," he argues. "They could have halted the attack earlier by actively reviewing and responding to the alerts generated by their endpoint detection and response (EDR) software."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.
He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify.
He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Credential Security: Intelligence Without Exposure
More Webinars
You May Also Like
CYBERATTACKS & DATA BREACHES
Critical Fortinet Flaws Under Active Attack
by Jai Vijayan, Contributing Writer
DEC 17, 2025
CYBERATTACKS & DATA BREACHES
CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks
by Rob Wright
DEC 04, 2025
CYBERATTACKS & DATA BREACHES
F5 BIG-IP Environment Breached by Nation-State Actor
by Alexander Culafi
OCT 15, 2025
CYBERATTACKS & DATA BREACHES
Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business
by Robert Lemos, Contributing Writer
OCT 03, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS