Aspose
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Collection
3 techniques
"The attacker... deployed the main tool: a mailbox stealer built on Aspose, a legitimate .NET library that reads Outlook OST and PST files."
"The threat actor used the legitimate tool to convert the target's emails into local files, for exfiltration via Dropbox."
Wrapped in an executable, it converted the mailbox to PST and wrote it to disk, run each time with a password and a date-range flag.
Exfiltration
1 technique
"The threat actor used the legitimate tool to convert the target's emails into local files, for exfiltration via Dropbox."
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Used as the core of an OST mailbox theft tool to read and convert Outlook offline storage files for staged exfiltration of the victim’s mailbox.
A custom mailbox-stealing tool built around the legitimate Aspose .NET library to parse Outlook OST/PST files, convert OST mailboxes into PST archives, and exfiltrate mailbox contents incrementally over time.
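The behaviour described under Collection and Exfiltration above (an unfamiliar executable loading the Aspose mail library, then writing a PST archive to disk for staged exfiltration) can be hunted in endpoint telemetry without any indicator specific to the tool. The following is an added example written for this page, not code from the page, from Mallory, or from the tool described. It assumes Sysmon-style records already parsed into dicts (Event ID 7 image loads with `ImageLoaded`, Event ID 11 file creates with `TargetFilename`), uses `Aspose.Email.dll` as the public assembly name of Aspose.Email for .NET, and treats the loader allow-list and the mail-client list as placeholders to be replaced with your own inventory. The sample events are constructed, not real logs.

```python
"""Hunt for Aspose-backed mailbox theft in Sysmon-style telemetry.

Added example, not from the page or the tool's authors. Assumptions:
- Records are Sysmon-like dicts carrying the fields Event ID 7
  (ImageLoaded) and Event ID 11 (FileCreate) normally carry.
- Aspose.Email.dll is the public Aspose.Email for .NET assembly name.
- ALLOWED_ASPOSE_LOADERS and MAIL_CLIENTS are placeholder allow-lists.
"""

ASPOSE_DLL = "aspose.email.dll"
ALLOWED_ASPOSE_LOADERS = set()   # hypothetical: add any sanctioned in-house converter
MAIL_CLIENTS = {"outlook.exe"}   # processes expected to write PST files

# Constructed sample telemetry (not real logs): one suspicious process
# (conv.exe) and one legitimate Outlook session for contrast.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\conv.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Aspose.Email.dll",
     "Signed": "true", "Signature": "Aspose Pty Ltd"},
    {"EventID": 11,
     "Image": r"C:\Users\alice\AppData\Local\Temp\conv.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\alice_2024-01.pst"},
    {"EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\Outlook Files\alice@corp.local.pst"},
    {"EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\MSO.DLL",
     "Signed": "true", "Signature": "Microsoft Corporation"},
]


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a list of (process image, reason) findings.

    Two independent signals are raised on their own; a process that
    shows both also gets a 'chained' finding, because load-the-library
    then write-a-PST is exactly the OST-to-PST staging pattern.
    Note the Aspose DLL is legitimately signed, so the signature alone
    is not a useful discriminator; the loading process is.
    """
    findings = []
    loaders, writers = set(), set()
    for ev in events:
        image = ev.get("Image", "")
        proc = basename(image)
        if ev.get("EventID") == 7 and basename(ev.get("ImageLoaded", "")) == ASPOSE_DLL:
            if proc not in ALLOWED_ASPOSE_LOADERS:
                findings.append((image, "loads Aspose.Email.dll outside the allow-list"))
                loaders.add(image)
        elif ev.get("EventID") == 11 and ev.get("TargetFilename", "").lower().endswith(".pst"):
            if proc not in MAIL_CLIENTS:
                findings.append((image, "non-mail-client process wrote a .pst file"))
                writers.add(image)
    for image in loaders & writers:
        findings.append((image, "chained: Aspose loader also staged a .pst file"))
    return findings


if __name__ == "__main__":
    for image, reason in hunt(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

Because the tool is run repeatedly with a date-range flag, the same process writing several PST files over days is the incremental-staging signal to look for once the chained finding fires; pivot from the process image to its parent, creation time and outbound connections (Dropbox in the documented case).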