Attack Chain

1. Lateral Movement: Initial observed activity on October 10, 2025, stemmed from lateral movement originating from a previously compromised device, indicating the attacker already had a foothold within the network.
2. Implant Deployment: Two implants were deployed to the compromised host, disguised as legitimate Adobe and OneDrive software, both executing with system privileges.
3. Persistence (Scheduled Task): The Adobe-like implant was registered as a scheduled task, configured to execute every five minutes to ensure continuous persistence on the compromised host.
4. Command and Control Setup: On November 12, 2025, the attackers established a command-and-control (C2) channel utilizing Dropbox, aiming for exfiltrated data to appear as legitimate cloud service traffic.
5. Enhanced Persistence & Execution: A new scheduled task was registered to execute batch files, meticulously disguised as an ordinary Lenovo system health check, demonstrating intimate knowledge of the target's machine.
6. Infostealer Deployment: A custom infostealer, built using a legitimate Aspose .NET library, was deployed to specifically target and collect the executive's emails.
7. Data Collection & Staging: The infostealer converted the target's emails into local files. The attacker initially siphoned all emails from August to mid-November 2025.
8. Exfiltration & Recurrent Collection: The collected email files were exfiltrated via the Dropbox C2 channel. The attacker repeatedly stole the entire email inbox every two to four weeks until February 17, 2026.

Impact

The prolonged access to a senior finance executive's email inbox at a global stock exchange resulted in the continuous exfiltration of highly sensitive, non-public information for at least five months. This included intimate details about the organization, contacts, calendar events, and specific business deals. Given the nature of a major financial exchange, this intelligence could hold significant value for competitive businesses, investors, or even foreign governments, potentially leading to market manipulation, corporate espionage, or severe financial losses for affected entities. The specific number of affected individuals is one executive, but the strategic value of the compromised information is substantial.

Recommendation

• Deploy the provided Sigma rules to your SIEM and tune them for your environment to detect suspicious scheduled task creation and process masquerading.
• Implement a Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP) solution to monitor and prevent unauthorized data exfiltration to cloud services like Dropbox.
• Ensure Endpoint Detection and Response (EDR) software is actively monitoring for and generating alerts on suspicious process activity, and establish processes for prompt review and response to these alerts.
• Enable Sysmon logging for process creation (Event ID 1), scheduled task creation (Event ID 12, 13, 14, 21), and network connections (Event ID 3) to capture telemetry required by the detection rules.