ctipilot.ch

Symantec: 5-month mailbox espionage vs global stock exchange; Aspose OST stealer, Dropbox/OneDrive exfil

campaign · campaign:stock-exchange-mailbox-espionage-2026

Coverage timeline: 1 (first 2026-06-04 → last 2026-06-04)
Briefs: 1 (1 distinct)
Sources cited: 8 (5 hosts)
Sections touched: 1 (research)
Co-occurring entities: 4 (see Related entities below)

Story timeline

  1. 2026-06-04 · CTI Daily Brief — 2026-06-04 · research · First coverage — finance critical infra, unattributed

Where this entity is cited

  • research (1)

Source distribution

  • security.com: 3 (38%)
  • thehackernews.com: 2 (25%)
  • industrialcyber.co: 1 (12%)
  • securityweek.com: 1 (12%)
  • zetter-zeroday.com: 1 (12%)

Related entities

Items in briefs about Symantec: 5-month mailbox espionage vs global stock exchange; Aspose OST stealer, Dropbox/OneDrive exfil (3)

Symantec: five-month, low-and-slow mailbox-espionage campaign against a global stock exchange

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

Broadcom's Symantec and Carbon Black documented a targeted espionage operation (Oct 2025–Mar 2026) against a senior executive at an unnamed global stock exchange (Broadcom/Symantec, 2026-06-03 · SecurityWeek, 2026-06-03). The actor persisted with masqueraded binaries (armsvc.exe, oneservice.exe; T1036.005) and scheduled tasks, then ran a custom Aspose-based OST stealer to incrementally exfiltrate the target's entire Outlook mailbox in small batches via the Dropbox API and OneDrive Personal (T1114.001, T1567.002), deliberately using hard-coded Microsoft IP addresses instead of hostnames to defeat DNS-based detection. Tooling also included FRPC, SharpDecryptPwd and Secretsdump (T1003.001). No attribution is offered; the assessed motive is intelligence collection. Detection concepts: scheduled-task creation by non-SYSTEM processes (EID 4698 / Sysmon 12), .ost reads by processes other than Outlook.exe (Sysmon 11), and outbound HTTPS to Dropbox API endpoints from non-browser processes.

MuddyWater / Seedworm — Symantec and Carbon Black document new DLL-side-loading pair via signed Fortemedia and SentinelOne binaries, ChromElevator for Chromium App-Bound Encryption bypass, Node.js orchestration

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

Symantec's Threat Hunter Team and Broadcom's Carbon Black published findings on 2026-05-12 documenting a Q1 2026 MuddyWater (a.k.a. Seedworm, Static Kitten, MERCURY, TEMP.Zagros — attributed to Iran's Ministry of Intelligence and Security) espionage campaign across at least nine organisations on four continents. The story re-surfaced this run via fresh aggregator coverage on 2026-05-26 (The Hacker News) — included in window on that basis. Named victim categories include industrial and electronics manufacturing, education and public-sector bodies, financial services, and an international airport in the Middle East (Symantec / Broadcom Threat Intelligence, 2026-05-12; The Hacker News, 2026-05-26; Industrial Cyber, 2026-05-13).

The differentiating TTPs from prior MuddyWater coverage are twofold. First, DLL side-loading via two pairs of legitimately signed third-party binaries: Fortemedia audio-driver binary fmapp.exe side-loading a malicious fmapp.dll; SentinelOne's sentinelmemoryscanner.exe side-loading a rogue sentinelagentcore.dll — abuse of a signed security-product binary specifically chosen to bypass signature-based detection. Both malicious DLLs embed ChromElevator, an open-source post-exploitation tool that bypasses Chromium App-Bound Encryption to extract passwords, cookies and payment-card data without triggering AV. Second, orchestration moved to Node.js: node.exe appears as a parent-process ancestor of cmd.exe before any operator commands — i.e. a Node.js script (not a human operator) drives the kill chain. PowerShell scripts pulled from a staging server perform discovery (T1087, T1482), screenshot capture, SAM-hive theft via VSS (T1003.002), and SOCKS5 reverse-proxy tunnelling (T1090.003). A credential harvester calls CredUIPromptForWindowsCredentialsW to display a Windows security dialogue and trick targets into entering credentials. A Kerberos TGT extractor via GSS-API was also observed.

Why it matters to us: signed-binary side-loading abusing a security-product binary is the highest-value evasion class — signature-based controls are bypassed by design. Detection: Sysmon EID 7 image-loads from fmapp.exe or sentinelmemoryscanner.exe outside their expected installation directories; alert on node.exe as a parent of cmd.exe or powershell.exe -enc in non-developer environments; flag CredUIPromptForWindowsCredentialsW calls from non-standard parents. Hardening: AppLocker / WDAC enforcing signed-and-known-path DLL loads; restrict node.exe execution to development OUs.
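Detection logic for the concepts named in the stock-exchange item above and in this MuddyWater item, as an added example (not code from the briefs, Symantec or Carbon Black): four rules run over constructed Windows Security / Sysmon events represented as dicts, covering scheduled-task registration by a non-SYSTEM principal (EID 4698), .ost access by a process other than Outlook.exe (Sysmon 11), node.exe spawning a shell (Sysmon 1), and the two side-load hosts running outside their install directories (Sysmon 7). The expected install directories for fmapp.exe and sentinelmemoryscanner.exe are assumed placeholders, and the sample events are constructed.

```python
from typing import Callable
# Assumed install directories for the side-load hosts (placeholders, not from the brief).
EXPECTED_DIRS = {
    "fmapp.exe": "c:\\program files\\fortemedia\\",
    "sentinelmemoryscanner.exe": "c:\\program files\\sentinelone\\",
}

def _base(path: str) -> str:  # lower-cased file name of a Windows path
    return path.rsplit("\\", 1)[-1].lower()

def r_sched_task(e: dict) -> bool:
    """Security EID 4698: task registered by a principal other than SYSTEM."""
    return e.get("EventID") == 4698 and e.get("SubjectUserName", "").upper() != "SYSTEM"

def r_ost_access(e: dict) -> bool:
    """Sysmon EID 11: an .ost file touched by a process other than outlook.exe."""
    return (e.get("EventID") == 11 and e.get("TargetFilename", "").lower().endswith(".ost")
            and _base(e.get("Image", "")) != "outlook.exe")

def r_node_parent(e: dict) -> bool:
    """Sysmon EID 1: node.exe spawning a shell, i.e. a script drives the kill chain."""
    return (e.get("EventID") == 1 and _base(e.get("ParentImage", "")) == "node.exe"
            and _base(e.get("Image", "")) in {"cmd.exe", "powershell.exe"})

def r_sideload_host(e: dict) -> bool:
    """Sysmon EID 7: a known side-load host loading images while running outside its install dir."""
    img = e.get("Image", "").lower()
    expected = EXPECTED_DIRS.get(_base(img))
    return e.get("EventID") == 7 and expected is not None and not img.startswith(expected)

RULES: dict[str, Callable[[dict], bool]] = {
    "sched_task_non_system": r_sched_task, "ost_non_outlook": r_ost_access,
    "node_spawns_shell": r_node_parent, "sideload_host_unexpected_dir": r_sideload_host,
}

def evaluate(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event id, rule name) for every event that trips a rule."""
    return [(e["id"], name) for e in events for name, rule in RULES.items() if rule(e)]

SAMPLE_EVENTS = [  # constructed sample events, modelled on Windows/Sysmon field names
    {"id": 1, "EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\oneservice"},
    {"id": 2, "EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"id": 3, "EventID": 11, "Image": r"C:\ProgramData\armsvc.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Microsoft\Outlook\jdoe.ost"},
    {"id": 4, "EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Microsoft\Outlook\jdoe.ost"},
    {"id": 5, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\Public\node.exe"},
    {"id": 6, "EventID": 7, "Image": r"C:\Users\Public\fmapp.exe", "ImageLoaded": r"C:\Users\Public\fmapp.dll"},
]
```

Events 2 and 4 are the benign controls (SYSTEM registering a task, Outlook itself touching the .ost); `evaluate(SAMPLE_EVENTS)` flags only events 1, 3, 5 and 6.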

Symantec / Carbon Black document Fast16 hook engine targeting LS-DYNA/AUTODYN nuclear-simulation codes; Kim Zetter corrects "pre-Stuxnet" framing to contemporaneous-and-simulation-sabotage

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

Background. Fast16 — a Lua-based sabotage framework — was first disclosed by SentinelOne at LABScon 2026 in April 2026 and originally framed as a Stuxnet predecessor by approximately two years. Earlier reporting also speculated that the malware operated against physical centrifuge equipment. Both framings now appear incorrect on closer expert review.

Broadcom's Symantec and Carbon Black teams published a technical analysis on 2026-05-18 documenting the framework's operating envelope and target selection (Broadcom Security, 2026-05-18; The Hacker News, 2026-05-18). The architecture: a service binary embedding an early Lua 5.0 VM; a boot-start filesystem driver intercepting executable code as it is read from disk; and a rule-driven hook engine rewriting specific instruction sequences inside narrowly targeted simulation applications. The hook engine selectively intercepts execution inside LS-DYNA and AUTODYN — the canonical high-explosive simulation codes used for weapons design — and activates only when the simulated material density exceeds 30 g/cm³, the threshold reachable only under implosion shock-compression conditions relevant to weapons-grade uranium. Kim Zetter's investigative analysis on 2026-05-16 separately corrected the historical framing of the campaign (Kim Zetter / ZERO DAY, 2026-05-16): Fast16 was contemporaneous with Stuxnet, not a predecessor, and was engineered to feed false output to weapons engineers rather than to physically alter nuclear infrastructure. Defender relevance is narrow but specific: Broadcom appears to describe the first publicly-documented use of a filesystem-driver-level instruction-rewriting hook engine to corrupt scientific-simulation output — a sabotage technique class distinct from data exfiltration, ransomware, or DoS. Operators of national-laboratory research-computing environments, defence-related HPC clusters, and reactor-physics-modelling labs should add filesystem-driver-load monitoring (Sysmon EID 6, Windows boot-start driver enumeration) and integrity checking of long-running simulation binaries to their threat models.