Stock Exchange Executive’s Outlook Targeted in Credential Theft Attack
ID: 1431764c-b492-5dd6-83b1-d3933e5809cd
STIX ID: report--1431764c-b492-5dd6-83b1-d3933e5809cd
Feed Name: GBHackers
A prolonged (Oct 2025–Mar 2026) targeted espionage campaign compromised a senior stock-exchange executive's Outlook mailbox, gaining SYSTEM-level execution and persistent access through masquerading binaries and scheduled tasks. The attackers used a custom Aspose.NET-based mailbox extraction tool (deployed under multiple randomized filenames that share the SHA256 db59813e3f27...) to convert the OST to PST and harvest emails incrementally, exfiltrating the data primarily through Dropbox and OneDrive, in some cases by connecting directly to Microsoft IP addresses so that no DNS lookup would be seen by DNS-based monitoring. The report lists numerous file and DLL hashes, describes how the persistence evolved (e.g., onedrivesync.exe, armdriver.exe, te.host.dll), and recommends treating the included hashes and behaviors as IOCs for detection and hunting.
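As an added illustration of the direct-IP hunting point, not code from the GBHackers report or the underlying investigation: the script below correlates DNS and outbound-connection logs and flags connections to public addresses that the same host did not resolve via DNS in the preceding hour, then tags hits made by the process names the report lists and hits into cloud-storage address ranges. The log line format, the sample entries, the CIDR list (TEST-NET placeholders standing in for the provider's published ranges) and the one-hour window are all assumptions.

```python
"""Hunt for outbound connections with no preceding DNS resolution.

Direct-to-IP exfiltration leaves no query in DNS logs, so the signal is a
connection whose destination the host never resolved. Constructed example,
not code or data from the report.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Persistence binary names taken from the report's IOC list.
SUSPECT_PROCS = {"onedrivesync.exe", "armdriver.exe"}

# Assumption: placeholder TEST-NET ranges. Replace with the cloud provider's
# published storage ranges before running against real telemetry.
CLOUD_STORAGE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# RFC 1918 space is listed explicitly; ipaddress.is_private would also
# classify the TEST-NET placeholders above as private and hide them.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed log formats (one event per line).
DNS_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<q>\S+) answer=(?P<ip>\S+)$")
NET_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<ip>[^:]+):(?P<port>\d+)$")

# Constructed sample logs (not from the report).
DNS_LOG = [
    "2026-03-02T09:00:01Z host=WKS01 query=api.dropboxapi.com answer=192.0.2.10",
    "2026-03-02T09:05:00Z host=WKS01 query=www.example.com answer=203.0.113.5",
]
NET_LOG = [
    "2026-03-02T09:00:02Z host=WKS01 proc=C:\\Windows\\System32\\svchost.exe dst=192.0.2.10:443",
    "2026-03-02T10:30:00Z host=WKS01 proc=C:\\Users\\exec\\AppData\\Roaming\\onedrivesync.exe dst=192.0.2.20:443",
    "2026-03-02T11:00:00Z host=WKS01 proc=C:\\Users\\exec\\AppData\\Roaming\\armdriver.exe dst=198.51.100.7:443",
    "2026-03-02T11:00:05Z host=WKS01 proc=C:\\Windows\\System32\\svchost.exe dst=10.0.0.5:445",
    "2026-03-02T12:00:00Z host=WKS02 proc=C:\\Windows\\explorer.exe dst=203.0.113.5:80",
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def in_any(ip, networks):
    return any(ip in net for net in networks)


def find_direct_ip_connections(dns_lines, net_lines, window=timedelta(hours=1)):
    """Return connections to public IPs that the host did not resolve within `window`."""
    resolved = defaultdict(list)  # (host, ip) -> timestamps of DNS answers
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m:
            resolved[(m["host"], m["ip"])].append(parse_ts(m["ts"]))

    findings = []
    for line in net_lines:
        m = NET_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        ip = ipaddress.ip_address(m["ip"])
        if in_any(ip, INTERNAL_RANGES):
            continue  # internal traffic is out of scope for this hunt
        # A resolution shortly before the connection explains the destination.
        if any(ts - window <= t <= ts for t in resolved[(m["host"], m["ip"])]):
            continue
        proc_name = m["proc"].rsplit("\\", 1)[-1].lower()
        findings.append({
            "host": m["host"],
            "ts": m["ts"],
            "proc": m["proc"],
            "dst": f"{m['ip']}:{m['port']}",
            "cloud_storage": in_any(ip, CLOUD_STORAGE_RANGES),
            "suspect_proc": proc_name in SUSPECT_PROCS,
        })
    return findings


if __name__ == "__main__":
    for hit in find_direct_ip_connections(DNS_LOG, NET_LOG):
        flags = [k for k in ("cloud_storage", "suspect_proc") if hit[k]]
        print(f"{hit['ts']} {hit['host']} {hit['proc']} -> {hit['dst']} {flags}")
```

The window is deliberately generous: a cached DNS answer can legitimately precede a connection by minutes, so a short window would produce noise. Hits that are both into a cloud-storage range and from a name on the report's list are the ones to triage first; a hit with neither flag (WKS02 above) is a lead, not a verdict, since hard-coded IPs also occur in legitimate software.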
