Espionage Campaign Targeted Stock Exchange Executive for Five Months
A five-month espionage campaign targeted the email account of a senior figure at a major global stock exchange. Unknown attackers stole a senior executive’s Outlook mailbox in incremental batches, exfiltrating through Dropbox and OneDrive Personal to keep the traffic indistinguishable from legitimate activity. For an espionage actor, a senior executive’s mailbox is a high-value intelligence target. Months of unfettered access to that mailbox lets an attacker build a near-complete picture of the target’s working life and the organization’s near-term direction without ever having to move laterally elsewhere on the network.
The attackers took multiple steps to conceal their activity. They used legitimate cloud services (Dropbox and OneDrive) both for exfiltration and for command-and-control (C2) infrastructure, relied on publicly available tools, and named their tools and services after legitimate software to blend in with normal traffic. Because public tools and commodity cloud infrastructure leave few clues to identity, this activity cannot be attributed to a known attack group. However, the commands the attackers ran point to espionage as the motivation for this attack.
The initial infection vector used by the attackers in this incident is unknown. The first observed malicious activity on the targeted host was on October 10, 2025, by which point the attackers already had two masquerading binaries installed and running as SYSTEM. The first, armsvc.exe, ran from CSIDL_COMMON_APPDATA\adobe\arm\armsvc.exe; the second, oneservice.exe, ran from CSIDL_PROFILE\appdata\local\microsoft\onedrive\setup\oneservice.exe. Both binaries were spawned by wininit.exe under the service control manager, indicating the attackers had already achieved local privilege escalation. Persistence for the Adobe-masquerading binary was a five-minute scheduled task registered under a Microsoft/Adobe-themed name: schtasks /create /sc minute /mo 5 /rl highest /ru "system" /tn "\Microsoft\Windows\Adobe\ARM Service" /tr "CSIDL_COMMON_APPDATA\adobe\arm\armsvc.exe" /f.
The intrusion moved into a more active phase on November 12, 2025. The attackers completed the OAuth handshake required to obtain a Dropbox API token, using a single registered Dropbox application; the same client_id and client_secret were reused across every Dropbox upload and download observed over the next five months. Shortly afterwards, the attackers built out the scheduled-task layer that would drive the rest of the campaign, using a single recognizable task name throughout that masqueraded as a Lenovo system-health check. The stealer itself is a standalone executable built on Aspose that converts an OST into a PST and writes the result to a chosen output directory. A scheduled-task entry registered the same day hooked it directly into this layer, naming the target user’s Outlook OST as the input and a date-range window as the argument: schtasks /create /sc minute /mo 300 /rl highest /ru "system" /tn "\Microsoft\Windows\Lenovo\CheckServerHealth" /tr "c:\windows\temp\Aspose.exe -p [REMOVED]\ -f C:\Users\[REMOVED]\AppData\Local\Microsoft\Outlook\[REMOVED] -o c:\windows\temp\ -t 20250819-20251112" /f. On the targeted host, the stealer was renamed with innocuous-looking temporary-file extensions, dropped into a series of Windows temp subfolders, and invoked repeatedly, with the -p flag supplying a password to unlock the OST and the -t flag specifying the date-range window. The three filename variants observed (ts_9ea0.tmp, ts_e0d5.tmp, ts_e2d5.tmp) share the same SHA256 hash (db59813e3f27fb8608a4876e758f60b69d9700dc22d15237ac095bb3166fb622), confirming the attackers were redeploying the same binary under different filenames. The first observed run on November 12 collected all mail from August 2025 onwards.
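As an added defender-side example (not code from the article or from the investigating vendor), the Python routine below parses schtasks /create command lines from process-creation telemetry and tags the traits the two task registrations above share: SYSTEM at the highest run level, a third-party vendor folder nested under \Microsoft\Windows\, an action binary in a writable staging path, a minute-based interval, and an Outlook path paired with a -t date window. The decoy-vendor list and staging paths are assumptions drawn from this incident, not a general allowlist.

```python
import re

# Assumption: real Microsoft task folders never carry these vendor names (the article's decoys).
DECOY_VENDORS = ("adobe", "lenovo")
# Writable staging locations used by the task actions in this article.
STAGING_PATHS = ("c:\\windows\\temp", "\\appdata\\local\\",
                 "csidl_common_appdata", "\\programdata\\")
# Samples 1 and 2 are the task registrations quoted above ([REMOVED] kept
# as printed); sample 3 is a constructed benign task for contrast.
SAMPLE_CMDLINES = [
    'schtasks /create /sc minute /mo 5 /rl highest /ru "system" '
    '/tn "\\Microsoft\\Windows\\Adobe\\ARM Service" '
    '/tr "CSIDL_COMMON_APPDATA\\adobe\\arm\\armsvc.exe" /f',
    'schtasks /create /sc minute /mo 300 /rl highest /ru "system" '
    '/tn "\\Microsoft\\Windows\\Lenovo\\CheckServerHealth" '
    '/tr "c:\\windows\\temp\\Aspose.exe -p [REMOVED]\\ -f C:\\Users\\[REMOVED]'
    '\\AppData\\Local\\Microsoft\\Outlook\\[REMOVED] -o c:\\windows\\temp\\ '
    '-t 20250819-20251112" /f',
    'schtasks /create /sc daily /st 03:00 /tn "\\Backup\\NightlyCopy" '
    '/tr "C:\\Program Files\\Backup\\copy.exe" /f',
]

def parse_schtasks(cmdline):
    """Options of a schtasks /create line as {name: value or True}, else None."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not toks or "schtasks" not in toks[0].lower() or "/create" not in map(str.lower, toks):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):                     # option name, e.g. /tn
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            opts[toks[i][1:].lower()] = toks[i + 1] if has_val else True
            i += has_val                                # skip the consumed value
        i += 1
    return opts

def assess_schtasks(cmdline):
    """Finding tags for one command line; an empty list means nothing matched."""
    opts = parse_schtasks(cmdline) or {}
    opt = lambda k: str(opts.get(k, "")).lower()        # valueless flags -> "true"
    tn, tr = opt("tn"), opt("tr")
    rules = {
        "runs_as_system_highest": opt("ru") == "system" and opt("rl") == "highest",
        "decoy_vendor_under_microsoft_tree": tn.startswith("\\microsoft\\windows\\")
            and any(v in tn for v in DECOY_VENDORS),
        "action_in_staging_path": any(p in tr for p in STAGING_PATHS),
        "minute_interval_schedule": opt("sc") == "minute",
        "outlook_ost_date_window": bool(re.search(r"outlook.*\s-t\s+\d{8}-\d{8}", tr)),
    }
    return [tag for tag, hit in rules.items() if hit]
```

Run it over real process-creation events by feeding each command line to assess_schtasks and alerting when two or more tags fire together.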