
Espionage group infiltrates email account of stock exchange executive for five months

In a nutshell: An unknown espionage actor exfiltrated the complete email mailbox of a stock exchange executive over five months using disguised malware and cloud services without detection.

An unknown actor gained access to the Outlook mailbox of a senior executive at a global stock exchange for five months and sought information on stock listings and market-moving events. The attackers used consumer cloud services and fake system services to hide their activities from security software.

Cybercriminals infiltrated the email account of a top manager at an international stock exchange from October 2025 to March 2026. The joint threat analysis team of Symantec and Carbon Black (both Broadcom subsidiaries) investigated the case and documented an attacker dwell time of approximately 150 days. According to the investigation, malicious activities began on October 10, 2025, with malware installed on the host computer that disguised itself as legitimate Adobe and OneDrive applications. Command and control channels were not established until November 12, 2025, after which systematic data exfiltration began.

For CISOs and security officers, this incident is highly relevant as it demonstrates how targeted espionage groups exploit executive accounts as strategic intelligence sources. The mailbox of an executive at a stock exchange potentially contains non-public information about stock listings, enforcement actions, and market-moving events – data valuable for financial espionage. An attacker with months of access to such a mailbox does not merely obtain individual pieces of information, but gains a “nearly complete picture of the target individual’s work life” and the organization’s strategic direction.

The attackers employed sophisticated obfuscation techniques: datasets were deliberately exfiltrated in small packets via Dropbox and OneDrive to fall below the detection thresholds of security software. The cumulative effect over five months was an almost complete theft of the entire Outlook mailbox in gradually archived portions. Persistence was achieved through automated system tasks disguised as harmless services from Adobe, Lenovo, and OneDrive that withstood routine administrative checks.
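As an added defensive illustration (not code from the Symantec/Carbon Black report), the following Python script runs over constructed proxy log lines and shows why a per-transfer size rule misses the low-and-slow pattern described above, while a rolling per-host sum of uploads to consumer cloud-storage domains catches it. The domains, host names, window and thresholds are assumptions chosen for the example.

```python
# Added example: aggregate per-host upload volume to cloud-storage domains over
# a rolling window so that many small transfers, each below a per-event
# threshold, still trip an alert. Log format, hosts, domains and thresholds
# are constructed for this example, not taken from the report.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "<timestamp> <host> <destination_domain> <bytes_sent>"
SAMPLE_LOG = """\
2025-11-12T09:01:00 WS-EXEC01 content.dropboxapi.com 180000
2025-11-12T09:45:00 WS-EXEC01 content.dropboxapi.com 210000
2025-11-12T11:10:00 WS-EXEC01 onedrive.live.com 190000
2025-11-12T14:30:00 WS-EXEC01 content.dropboxapi.com 220000
2025-11-13T08:15:00 WS-EXEC01 onedrive.live.com 205000
2025-11-13T10:00:00 WS-EXEC01 content.dropboxapi.com 195000
2025-11-12T10:00:00 WS-HR02 onedrive.live.com 150000
2025-11-13T16:00:00 WS-HR02 onedrive.live.com 160000
"""

CLOUD_STORAGE = {"content.dropboxapi.com", "onedrive.live.com"}  # assumed watch list
PER_EVENT_THRESHOLD = 1_000_000    # bytes; a naive per-transfer rule (assumption)
WINDOW = timedelta(hours=48)       # rolling window per host (assumption)
CUMULATIVE_THRESHOLD = 1_000_000   # bytes per host within the window (assumption)

def parse(log_text):
    """Parse the constructed log into (timestamp, host, domain, bytes) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, host, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, dest, int(nbytes)))
    return sorted(events)

def per_event_alerts(events):
    """Transfers a per-event size rule would flag; none here, since every upload is small."""
    return [e for e in events if e[2] in CLOUD_STORAGE and e[3] > PER_EVENT_THRESHOLD]

def rolling_alerts(events):
    """Map host -> (time, total bytes) at the first moment the rolling sum exceeds the threshold."""
    flagged = {}
    per_host = defaultdict(list)
    for ts, host, dest, nbytes in events:
        if dest not in CLOUD_STORAGE:
            continue
        window = per_host[host]
        window.append((ts, nbytes))
        while window and ts - window[0][0] > WINDOW:   # evict events older than the window
            window.pop(0)
        total = sum(n for _, n in window)
        if total > CUMULATIVE_THRESHOLD and host not in flagged:
            flagged[host] = (ts, total)
    return flagged
```

On the sample log the per-event rule flags nothing, while the rolling sum flags WS-EXEC01 on the fifth small upload; in practice the sum would be computed per user as well as per host and compared against a baseline rather than a fixed number.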

The last documented activity was on March 19, 2026, when new backdoors were installed, after which the data stream ceased. The exact initial access vector remains under investigation, and the report names neither the group responsible nor the affected stock exchange. However, Symantec and Carbon Black published technical indicators of compromise (IoCs) to warn other financial institutions and stock exchanges of similar attack patterns.


Source: www.it-daily.net · Published June 9, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.