Back to Intelligence

COINBASECARTEL Gang: Critical Infrastructure Attack Wave — CVE-Driven Access & Defensive Countermeasures

SA
Security Arsenal Team
April 18, 2026
6 min read

Threat Actor Profile — COINBASECARTEL

Aliases & Structure: COINBASECARTEL operates as a Ransomware-as-a-Service (RaaS) affiliate model, leveraging a name that implies a focus on financial disruption, though their targeting remains broad across sectors. The group is distinct for its high-frequency posting cadence and aggressive negotiation tactics.

Tactics & Procedures:

  • Ransom Demands: Typically range from $500,000 to $5 million USD, escalating rapidly if victims engage in public communication or delay negotiation.
  • Initial Access: Heavily reliant on exploiting internet-facing edge devices and vulnerabilities in remote access solutions. Recent intelligence confirms the active weaponization of zero-day and N-day vulnerabilities in Cisco, Citrix, and Fortinet products.
  • Double Extortion: Strict adherence to double extortion. The group exfiltrates sensitive data (PII, IP, financial records) to their leak site before encryption begins.
  • Dwell Time: Analysis of recent victims suggests a dwell time of 3–7 days, during which they perform extensive network reconnaissance and credential harvesting using tools like Cobalt Strike and custom PowerShell loaders.

Current Campaign Analysis

Sectors Under Fire: The campaign targeting the period of 2026-04-15 to 2026-04-18 shows a pivot toward Business Services (ASTM Group, McCuaig, Questivity) and Public Sector entities (Superintendency of territorial planning, Kemenpppa). However, critical infrastructure adjacent sectors like Construction (Wayne Brothers) and Manufacturing (GL Steel) remain consistent targets.

Geographic Spread: While the United States remains the primary target (Epoch Times, Wayne Brothers), the group has successfully expanded into France (Securitevolfeu), Malta (UOM University), Indonesia (Kemenpppa), and Japan. This suggests a global affiliate network with language capabilities to localize phishing and negotiation.

Victim Profile:

  • Size: Mid-market to large enterprises. Victims like ASTM Group (a large standards organization) and The Epoch Times indicate an ability to breach complex network perimeters.
  • Revenue Range: Estimated $50M - $1B+ annually based on the scale of operations for entities like ASTM and McCuaig Engineering.

Escalation Patterns: Posting frequency spiked on April 15 (10 victims) and April 18 (5 victims). This batched approach suggests coordinated encryption events or a “marketing” strategy to overwhelm victim security teams simultaneously.

CVE Correlation: There is a high-confidence correlation between the recent victim surge and the exploitation of CVE-2026-20131 (Cisco FMC) and CVE-2026-23760 (SmarterTools SmarterMail). Victims in the Technology and Business Services sectors often utilize these specific perimeter management and mail solutions, providing the initial foothold for COINBASECARTEL affiliates.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Cisco FMC Deserialization Exploit (CVE-2026-20131)
id: 4b3c8a9e-1f4a-4b9e-8c1d-2e4f6a8b0c1d
description: Detects potential exploitation attempts against Cisco Secure Firewall Management Center (FMC) involving deserialization anomalies or specific URI patterns associated with CVE-2026-20131.
status: experimental
date: 2026/04/19
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains: '/api/fmc_config/v1/domain/'
    selection_exploit:
        sc-content|contains|re: '(\x00|\xff|aced0005)'
    condition: selection and selection_exploit
falsepositives:
    - Unknown
level: critical
---
title: SmarterMail Authentication Bypass Attempt (CVE-2026-23760)
id: 5d4e9b0f-2g5b-5c0f-9d2e-3f5g7b9c1d2e
description: Identifies suspicious authentication bypass attempts on SmarterMail servers utilizing alternate path or channel vulnerabilities.
status: experimental
date: 2026/04/19
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
logsource:
    category: webserver
detection:
    selection_uri:
        c-uri|contains: '/Services/MailService.asmx'
    selection_method:
        c-method|contains: 'POST'
    selection_anomaly:
        cs-header|contains: 'X-Rewrite-Url'
    condition: selection_uri and selection_method and selection_anomaly
falsepositives:
    - Legitimate API integration testing
level: high
---
title: Ransomware Pre-Encryption Volume Shadow Copy Deletion
id: 6e5f0c1g-3h6c-6d1g-0e3f-4g6h0c2e3f4g
description: Detects commands used by ransomware operators, including COINBASECARTEL affiliates, to delete Volume Shadow Copies via vssadmin or wmic to prevent recovery.
status: experimental
date: 2026/04/19
author: Security Arsenal Research
logsource:
    category: process_creation
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'shadowcopy delete'
    condition: 1 of selection_
falsepositives:
    - System administration scripts (rare)
level: critical

KQL (Microsoft Sentinel)

Hunt for lateral movement and data staging associated with this group’s reliance on Cobalt Strike and PsExec.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents 
| where Timestamp > ago(7d) 
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "pwsh.exe") 
| where ProcessCommandLine has "psexec" or ProcessCommandLine has "wmic" or ProcessCommandLine has "net use" 
| where ProcessCommandLine has "\\" 
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath 
| sort by Timestamp desc

PowerShell — Rapid Response Hardening

This script checks for common indicators of compromise (IOCs) associated with COINBASECARTEL’s TTPs, specifically looking for recent Shadow Copy manipulation and suspicious scheduled tasks used for persistence.

PowerShell
<#
.SYNOPSIS
    CoinbaseCartel IOC Hunter
.DESCRIPTION
    Checks for VSS deletion events and suspicious scheduled tasks added in the last 7 days.
#>

Write-Host "[*] Hunting for CoinbaseCartel Indicators..." -ForegroundColor Cyan

# Check for VSS Deletion Events (Event ID 1 from VSS or Process Creation)
Write-Host "[+] Checking for Volume Shadow Copy Deletion attempts..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue | 
              Where-Object { $_.Message -match 'vssadmin.exe' -or $_.Message -match 'delete shadows' }
if ($vssEvents) { Write-Host "[ALERT] Found VSS deletion events!" -ForegroundColor Red; $vssEvents | Select-Object TimeCreated, Message } 
else { Write-Host "[OK] No immediate VSS deletion events found." -ForegroundColor Green }

# Check for recent Scheduled Tasks (often used for persistence)
Write-Host "[+] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($suspiciousTasks) { 
    Write-Host "[WARNING] Recent Scheduled Tasks found. Verify authorization." -ForegroundColor Red 
    $suspiciousTasks | Select-Object TaskName, Date, Author 
} 
else { Write-Host "[OK] No recent suspicious tasks." -ForegroundColor Green }

Incident Response Priorities

Based on the observed playbook of COINBASECARTEL, IR teams should prioritize the following:

  • T-Minus Detection Checklist:
    • Immediately: Inspect logs for successful authentications against Cisco Secure Firewall FMC and SmarterMail interfaces, specifically looking for successful logins from unfamiliar geographic regions (e.g., MT, ID, JP) if not expected by business.
    • Pre-Encryption: Hunt for large-scale file staging (e.g., >10GB transfers) to internal storage hosts prior to egress.
    • Credential Dumping: Look for procdump.exe or `rclone.exe**:
    • Human Resources databases (PII)
    • Financial systems (Accounting/ERP)
    • Intellectual Property / CAD files (Engineering/Construction)
  • Containment Actions:
    1. Disconnect: Isolate VPN and remote access gateways (Cisco/Fortinet) from the internal network if exploitation is suspected.
    2. Block: Block outbound traffic to known Tor nodes and file-sharing endpoints used by the gang (e.g., Mega.nz, specific IP ranges associated with leak site infrastructure).
    3. Reset: Force reset of service account credentials for email and firewall management interfaces immediately.

Hardening Recommendations

Immediate (24h) — Critical Actions:

  • Patch CVE-2026-20131 & CVE-2026-23760: Apply the vendor-supplied patches for Cisco FMC and SmarterMail immediately. If patching is not possible, disable external access to these management interfaces via VPN or allow-listing specific source IPs.
  • Audit VPN/Firewall Access: Revoke access for all non-essential administrative accounts on edge devices. Enforce MFA for all administrative logins.

Short-term (2 weeks) — Architecture Changes:

  • Network Segmentation: Ensure that management interfaces (FMC, Citrix ADC) reside in a dedicated management VLAN, strictly separated from user data and production servers.
  • Implement Zero Trust: Replace implicit trust in VPN connections with device posture checks and least-privilege access controls.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangcoinbasecartelransomwarecve-2026-20131business-servicesinitial-accesscisco-fmc

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action