Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Hackers Target Global Stock Exchange in Espionage Operation

The attackers had access to a senior executive’s email account for 150 days and exfiltrated data for months.

Stock Exchange hack

Hackers gained access to the email account of a senior executive at a major global stock exchange and exfiltrated data for months.

The attack, investigated by Broadcom’s Symantec and Carbon Black threat-hunting team, began in October 2025, and the threat actor retained access to the compromised Outlook mailbox until March 2026. The security experts estimate that the dwell time was roughly 150 days.

The goal of the operation was most likely espionage, but Symantec and Carbon Black did not share any information about who may have been behind the attack or which stock exchange was targeted.

“For an espionage actor, a senior executive’s mailbox is a high-value intelligence target. An Outlook profile may yield details of external negotiations, internal deliberations, the executive’s calendar, travel pattern, and their contacts,” the researchers said. 

“Organizations such as exchanges and regulators may hold non-public information about listings, enforcement actions and market-moving events. Months of unfettered access to that mailbox lets an attacker build a near-complete picture of the target’s working life and the organization’s near-term direction without ever having to move laterally elsewhere on the network,” they added.

The initial access vector remains unknown, but the first signs of malicious activity were seen on October 10, 2025, when malware had already been running on the compromised host, disguised as Adobe and OneDrive applications. 

Advertisement. Scroll to continue reading.

Command-and-control (C&C) channels were established on November 12, when the attacker also began collecting and exfiltrating data. 

To avoid raising suspicion, they used Dropbox and OneDrive to exfiltrate files, transferring only small batches at a time.

“The cumulative effect over the five months observed is a complete, near-continuous theft of the user’s Outlook mailbox, broken into incremental archives small enough not to draw attention from security software,” the researchers explained. 

The attacker continuously worked on persistence, regularly re-registering tasks disguised as Adobe, Lenovo, and OneDrive system services to maintain access. 

Symantec and Carbon Black made indicators of compromise (IoCs) available to help other organizations detect potential attacks. 

Related: US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking

Related: Sophisticated Deep#Door Backdoor Enables Espionage, Disruption

Related: US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.