Executive Summary
DOOMMAGEDDON has ramped up operations in July 2026, specifically targeting the Healthcare sector. Intelligence confirms the group is actively exploiting high-severity vulnerabilities in perimeter security appliances (Check Point, Cisco) and remote management tools (ConnectWise ScreenConnect) to gain initial access. The recent victim, Hospital Di Camp, indicates a shift toward high-value, time-sensitive targets where patient care continuity pressures negotiation.
Threat Actor Profile — DOOMMAGEDDON
- Known Aliases: None confirmed (appears to be a closed group or a rebrand of a sophisticated operator).
- Operational Model: Closed-group operation with high technical capability. They exhibit advanced knowledge of enterprise perimeter defenses, leveraging CVEs that bypass MFA or require no authentication.
- Typical Ransom Demands: Estimated $2M - $5M USD based on healthcare targeting patterns; demands escalate if data is published.
- Initial Access Methods: Primarily external remote services (VPN vulnerabilities, Firewall Management Console exploits) and exploitation of remote access software (ScreenConnect).
- Extortion Strategy: Double extortion. They exfiltrate patient data (PHI/PII) and operational documents before encryption, threatening leaks to the dark web.
- Average Dwell Time: Estimated 3–7 days. The group moves quickly from initial exploitation (CVE) to lateral movement, suggesting automated tooling or pre-staged access.
Current Campaign Analysis
Targeted Sectors
The campaign is heavily skewed towards Healthcare. This sector is often targeted due to legacy infrastructure, the criticality of uptime, and the high value of Protected Health Information (PHI).
Geographic Concentration
While the group claims "multiple countries," the recent posting of Hospital Di Camp suggests a broad net cast across regions with healthcare infrastructure utilizing Check Point or Cisco perimeter defenses.
Victim Profile
The victim profile includes medium-to-large healthcare providers (hospitals, clinics) likely running enterprise-grade firewalls and remote access solutions for third-party vendors or IT administration.
Observed Posting Frequency
Low volume, high impact. Posting only 1 victim in the last 100 listings suggests a "big game hunting" strategy rather than indiscriminate automated spraying.
CVE Exploitation & Attack Vector
DOOMMAGEDDON is chaining recent CISA KEV vulnerabilities:
- Initial Access:
- CVE-2026-50751 (Check Point Security Gateway): Exploiting IKEv1 to bypass authentication on VPN/Perimeter gateways.
- CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization flaws allowing remote code execution on management consoles.
- Lateral Access:
- CVE-2024-1708 (ConnectWise ScreenConnect): Path traversal to execute arbitrary code on remote support tools often left exposed.
- Internal Spread:
- CVE-2023-21529 (Microsoft Exchange): Used for internal persistence or credential harvesting.
Detection Engineering
The following detection rules and hunt queries are designed to identify the specific TTPs associated with DOOMMAGEDDON's exploitation of perimeter and remote access vulnerabilities.
SIGMA Rules
title: Potential Check Point Security Gateway IKEv1 Exploitation (CVE-2026-50751)
id: 8a9c2d1e-5f6b-4a7c-8e9d-1f2b3c4d5e6f
status: experimental
description: Detects potential exploitation of Check Point Security Gateway IKEv1 improper authentication vulnerability observed in DOOMMAGEDDON campaigns.
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Intelligence
date: 2026/07/12
tags:
- cve.2026.50751
- attack.initial_access
- attack.t1190
logsource:
category: network
detection:
selection:
destination.port: 500
protocol: udp
source.ip:
- '0.0.0.0/0'
filter:
destination.ip:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
condition: selection and not filter
falsepositives:
- Legitimate VPN connections from unknown IPs
level: high
---
title: ConnectWise ScreenConnect Path Traversal Exploitation Attempt (CVE-2024-1708)
id: b7f3e9a2-6c4d-8e1b-0a2f-3c4d5e6f7a8b
status: experimental
description: Detects suspicious URI patterns associated with CVE-2024-1708 exploitation on ConnectWise ScreenConnect servers.
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Intelligence
date: 2026/07/12
tags:
- cve.2024.1708
- attack.initial_access
- attack.t1190
logsource:
category: web
detection:
selection_uri:
uri|contains:
- '/Bin?'
- '..%2f'
- '..\\'
selection_host:
host|contains:
- 'screenconnect'
- 'connectwise'
condition: all of selection_*
falsepositives:
- Potential scanning noise
level: critical
---
title: Microsoft Exchange Deserialization Anomaly (CVE-2023-21529)
id: c1d2e3f4-5a6b-7c8d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects suspicious serialization formats often used in Microsoft Exchange deserialization attacks.
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Intelligence
date: 2026/07/12
tags:
- cve.2023.21529
- attack.initial_access
- attack.t1190
logsource:
product: windows
service: exchange
detection:
selection:
EventID: 4103 # PowerShell Script Block Logging often captures these
ScriptBlock|contains:
- 'System.Runtime.Serialization.Formatters.Binary'
- 'ObjectStateFormatter'
- 'LosFormatter'
condition: selection
falsepositives:
- Administrative Exchange management scripts
level: high
KQL (Microsoft Sentinel)
Hunt for lateral movement and data staging typically following the initial exploitation of remote access tools.
// Hunt for lateral movement using PsExec/WMI and potential data exfil to unusual IPs
let TimeFrame = ago(7d);
let ProcessCreation = imProcessCreation
| where Timestamp > TimeFrame
| where InitiatingProcessFileName in ('psexec.exe', 'psexec64.exe', 'wmic.exe', 'powershell.exe')
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine;
let NetworkConnections = DeviceNetworkEvents
| where Timestamp > TimeFrame
| where RemotePort in (443, 445, 80)
| summarize arg_max(Timestamp, *) by DeviceId, RemoteIP
| project Timestamp, DeviceName, RemoteIP, RemoteUrl;
ProcessCreation
| join kind=inner NetworkConnections on DeviceName
| where Timestamp between ((NetworkConnections_Timestamp - 5m) .. (NetworkConnections_Timestamp + 5m))
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, RemoteIP
Rapid Response Script (PowerShell)
Execute on critical servers and workstations to check for ransomware precursors like Shadow Copy deletion and unusual scheduled tasks.
<#
.SYNOPSIS
DOOMMAGEDDON Ransomware Hardening & Triage Script
.DESCRIPTION
Checks for Volume Shadow Copy manipulation and recent scheduled tasks used for persistence.
#>
Write-Host "[+] Checking Volume Shadow Copy Status..." -ForegroundColor Cyan
$vss = vssadmin list shadows 2>&1
if ($vss -match "No shadows found") {
Write-Host "[!] ALERT: No Volume Shadow Copies found. Potential deletion event." -ForegroundColor Red
} else {
Write-Host "[OK] Shadow Copies exist." -ForegroundColor Green
}
Write-Host "\n[+] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
$dateCutoff = (Get-Date).AddDays(-7)
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt $dateCutoff }
if ($suspiciousTasks) {
Write-Host "[!] ALERT: Recently created tasks detected:" -ForegroundColor Red
$suspiciousTasks | Format-Table TaskName, Date, Author -AutoSize
} else {
Write-Host "[OK] No recent suspicious scheduled tasks found." -ForegroundColor Green
}
Write-Host "\n[+] Checking for Open RDP Sessions..." -ForegroundColor Cyan
$query = "qprocess" *>&1
if ($query -match "rdp-tcp") {
Write-Host "[!] ALERT: Active RDP sessions found." -ForegroundColor Yellow
} else {
Write-Host "[OK] No active RDP sessions." -ForegroundColor Green
}
---
Incident Response Priorities
T-minus Detection Checklist
- Perimeter Logs: Immediately review Check Point and Cisco FMC logs for spikes in IKEv1 traffic or authentication bypass attempts on management ports (443, 8443).
- Remote Access Logs: Audit ScreenConnect logs for path traversal attempts (
/Bin?,..%2f). - Exchange EWS: Monitor for high-volume EWS usage or PowerShell deserialization events.
Critical Assets for Exfiltration
- EMR / EHR Databases: Targeted for maximum leverage.
- Finance & Billing: For immediate financial extortion.
- HR Records: PII for secondary fraud or double-extortion leverage.
Containment Actions
- Isolate: Disconnect Check Point and Cisco FMC management interfaces from the internet immediately.
- Disable: Turn off ScreenConnect/ConnectWise services globally until patched.
- Credential Reset: Force reset of all admin credentials for perimeter devices and domain admins.
Hardening Recommendations
Immediate (24h)
- Patch CVE-2026-50751: Apply Check Point hotfix immediately. If patching is delayed, disable IKEv1 on the VPN gateway.
- Patch CVE-2026-20131: Update Cisco Secure Firewall FMC to the latest patched version.
- Patch CVE-2024-1708: Update ConnectWise ScreenConnect to the fixed version immediately or block external access.
Short-term (2 weeks)
- Network Segmentation: Ensure that VPN access and remote management tools are on a separate VLAN from the core clinical and EMR networks.
- MFA Enforcement: Enforce FIDO2 or phishing-resistant MFA for all management consoles (Firewall, ScreenConnect, Exchange OWA).
- Audit External Attack Surface: Conduct a scan to ensure no management interfaces are exposed to the public internet.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.