Back to Intelligence

FULCRUMSEC Campaign Alert: Mass Exploitation of Mail & Firewall Flaws; 15 New US Victims

SA
Security Arsenal Team
May 2, 2026
6 min read

Intelligence Briefing Date: 2026-05-03
Source: Ransomware.live Leak Site Monitoring
Threat Level: CRITICAL (Active Exploitation)

Threat Actor Profile — FULCRUMSEC

  • Model: Operationally consistent with a RaaS (Ransomware-as-a-Service) affiliate model, though FULCRUMSEC maintains tight control over the leak site operation. High volume of postings (21 in last 100) suggests multiple affiliates or a highly automated attack pipeline.
  • Ransom Demands: Historically variable, ranging from $500k for mid-sized entities to multi-million dollar demands for large technology and financial firms (e.g., LexisNexis, Avnet).
  • Initial Access Vectors: Heavy reliance on internet-facing application vulnerabilities rather than phishing. Current activity indicates a shift towards exploiting unpatched email servers (SmarterMail, Exchange) and perimeter security appliances (Cisco FMC).
  • TTPs: Double extortion is standard. FULCRUMSEC operators typically dwell for 3–7 days, exfiltrating sensitive data via cloud storage tools before detonating encryption. They are known to use Cobalt Strike beacons for lateral movement and custom PowerShell scripts for Volume Shadow Copy deletion.

Current Campaign Analysis

Targeting Sectors

Based on the 15 victims posted on 2026-05-01, FULCRUMSEC is aggressively targeting:

  1. Technology: (Avnet, Hatica, ReFocus AI, Nordstern Technologies)
  2. Healthcare: (Lena Health, Woundtech)
  3. Business Services: (LexisNexis, Saleskido, Rotary Club, Interzero)

Geographic Focus

The campaign is heavily US-centric (11/15 recent victims), with significant secondary activity in India, Germany, and Mexico. This aligns with the high density of SmarterMail and Microsoft Exchange servers in North American markets.

Victim Profile

The victims range from large-cap public companies (Avnet) to mid-market niche tech firms. The inclusion of Rotary Club and IMEVI suggests that affiliates are conducting broad internet scanning for the specific CVEs listed below, compromising vulnerable assets regardless of strict revenue thresholds.

CVEs & Initial Access

The campaign coincides directly with the addition of specific vulnerabilities to the CISA Known Exploited Vulnerabilities (KEV) catalog in Q1 2026:

  • CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail): Unrestricted file upload and authentication bypass. This is the likely vector for the Healthcare and Business Services victims relying on this mail platform.
  • CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability. Despite being older, its active exploitation surged in late April 2026 per FULCRUMSEC activity.
  • CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization vulnerability. Provides access to network perimeter configs, potentially explaining how they bypassed defenses at firms like Avnet.
  • CVE-2025-55182 (Meta React Server Components): RCE vulnerability. Likely used against the Technology sector victims (Hatica, ReFocus AI) utilizing modern React stacks.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential SmarterMail Exploitation CVE-2025-52691
description: Detects exploitation of SmarterMail unrestricted file upload vulnerability via web logs indicators.
id: 4f8c2a3b-9e1d-4a5f-b2c6-8d7e9f0a1b2c
status: experimental
date: 2026/05/03
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
logsource:
    product: webserver
detection:
    selection:
        c-uri|contains:
            - '/MailService.asmx'
            - '/Services/MailService.asmx'
        sc-status: 200
    filter:
        cs-method: 'POST'
    condition: selection and filter
falsepositives:
    - Legitimate administrative access
level: high
---
title: Microsoft Exchange Deserialization Exploit Attempt CVE-2023-21529
description: Detects suspicious process execution patterns associated with Exchange deserialization RCE.
id: 5d9e3b4c-0f2a-5e6d-1c8d-9e1f2a3b4c5d
status: experimental
date: 2026/05/03
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|contains: 'w3wp.exe'
        ParentProcessName|contains: 'Microsoft.Exchange.Management'
        CommandLine|contains:
            - 'System.Management.Automation'
            - 'Deserialize'
    condition: selection
falsepositives:
    - Legitimate Exchange management tasks
level: critical
---
title: FULCRUMSEC Lateral Movement via WMI
description: Detects potential lateral movement patterns used by FULCRUMSEC affiliates using WMI for execution.
id: 6e0f4c5d-1e3b-6f7e-2d9e-0f2a4b5c6d7e
status: experimental
date: 2026/05/03
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\wmiprvse.exe'
        ParentProcessName|endswith: '\svchost.exe'
    condition: selection
falsepositives:
    - Low (Administrative activity)
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for SmarterMail and Exchange Web Shell Creation Patterns
// Focuses on file creation in web directories by worker processes
let TimeFrame = 1d;
DeviceFileEvents
| where Timestamp >= ago(TimeFrame)
| where InitiatingProcessFileName in ("w3wp.exe", "MailService.exe")
| where FolderPath has @"C:\inetpub\wwwroot" or FolderPath has @"C:\Program Files\SmarterTools"
| where FileName endswith ".aspx" or FileName endswith ".ashx"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath
| extend IOCS = FileName

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    FULCRUMSEC Response Script - Checks for Web Shells and VSS anomalies.
.DESCRIPTION
    This script scans IIS/SmarterMail directories for recently modified suspicious files
    and checks the status of Volume Shadow Copies (VSS).
#>

$WebRoots = @("C:\inetpub\wwwroot", "C:\Program Files\SmarterTools\SmarterMail")
$SuspiciousExtensions = @(".aspx", ".ashx", ".asp")
$CutoffDate = (Get-Date).AddDays(-1)

Write-Host "[+] Checking for recently modified web shells..." -ForegroundColor Cyan

foreach ($root in $WebRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include $SuspiciousExtensions -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $CutoffDate } |
        Select-Object FullName, LastWriteTime, Length
    }
}

Write-Host "[+] Checking Volume Shadow Copy Status..." -ForegroundColor Cyan
try {
    $vss = Get-WmiObject -Class Win32_ShadowCopy -ErrorAction Stop
    if ($vss) {
        $vss | Select-Object VolumeName, InstallDate, @{N='Size(GB)';E={[math]::Round($_.UsedSpace/1GB, 2)}} | Format-Table
    } else {
        Write-Host "[!] No Shadow Copies found. Possible deletion event." -ForegroundColor Red
    }
} catch {
    Write-Host "[!] Error accessing VSS: $_" -ForegroundColor Red
}

Write-Host "[+] Checking for suspicious Scheduled Tasks..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.State -eq 'Ready' -and $_.Author -eq '' } | Select-Object TaskName, TaskPath, Date


---

Incident Response Priorities

T-Minus Detection Checklist

  1. Web Server Logs: Immediate grep for POST requests to /MailService.asmx and Exchange OWA endpoints returning 200/500 status codes from IPs not in your allow-list.
  2. Process Anomalies: Hunt for w3wp.exe spawning cmd.exe or powershell.exe.
  3. Firewall Configs: Review Cisco FMC logs for unauthorized administrative changes or database exports (CVE-2026-20131).

Critical Assets at Risk

  • Patient Records (PHI): High exfiltration target for Healthcare victims (Lena Health, Woundtech).
  • IP & Legal Databases: Critical for Business Services victims (LexisNexis).
  • Source Code: Targeted for Technology victims (Hatica, ReFocus AI).

Containment Actions

  1. Isolate: Disconnect vulnerable Exchange and SmarterMail servers from the network immediately; do not power off (memory forensics needed).
  2. Revoke Credentials: Reset credentials for accounts with access to Cisco FMC and web server admin panels, assuming they are compromised.
  3. Block IPs: Block outbound traffic to known file-sharing infrastructure (Mega.nz, Dropbox) at the firewall level to stem exfiltration.

Hardening Recommendations

Immediate (24 Hours)

  • Patch: Apply patches for CVE-2025-52691 and CVE-2026-23760 (SmarterMail) and CVE-2026-20131 (Cisco FMC) immediately.
  • URL Blocking: Implement strict URL filtering on web gateways to block access to .onion sites and known TOR exit nodes.
  • MFA Enforcement: Enforce FIDO2-compliant MFA on all email server administrative interfaces and firewall management consoles.

Short-Term (2 Weeks)

  • Network Segmentation: Move email servers and management interfaces to a dedicated VLAN with strict egress rules.
  • Vulnerability Management: Initiate a scan specifically for deserialization vulnerabilities in .NET and Java applications (Meta React CVE-2025-55182).
  • EDR Expansion: Deploy EDR agents to edge appliances and web servers where coverage is often light.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangfulcrumsechealthcare-technologysmartermail-exploitcisa-kevransomware-intelligenceexchange-vulnerability

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action