
FULCRUMSEC Campaign: Exchange & SmarterMail Exploits Drive Surge in US Tech & Healthcare Sector Attacks

Security Arsenal Team
May 4, 2026

Threat Actor Profile — FULCRUMSEC

FULCRUMSEC is a recently emerged ransomware-as-a-service (RaaS) operation with sophisticated capabilities for exploiting internet-facing infrastructure. Unlike gangs that rely primarily on phishing, FULCRUMSEC shows a strong preference for leveraging specific CVEs in critical edge infrastructure such as email servers and firewalls to gain initial access.

  • Model: RaaS with an affiliate network focusing on high-value targets in developed economies.
  • Ransom Demands: Variable, typically ranging from $500k to $5M depending on victim revenue, often escalating rapidly if negotiations stall.
  • Initial Access: Primarily exploits vulnerabilities in public-facing assets (Microsoft Exchange, SmarterMail, Cisco FMC). They are currently pivoting to newly disclosed CVEs (2025-2026 timeframe) before patches are widely applied.
  • Tactics: Aggressive double extortion. They exfiltrate sensitive data (PII, IP, financial records) before encryption begins.
  • Dwell Time: Short. The group moves from initial exploit to encryption in under 72 hours, reducing the defender's window for detection.

Current Campaign Analysis

Based on live data harvested from FULCRUMSEC's dark web leak site on 2026-05-04:

  • Targeted Sectors: The current campaign shows a massive skew towards Technology and Healthcare. Notable victims include Avnet and LexisNexis, indicating a shift towards enterprise-grade, data-rich environments. The attacks on Lena Health and Woundtech confirm a concurrent sub-campaign focused on the healthcare sector, likely due to the high value of PHI and the sector's low tolerance for downtime.
  • Geographic Concentration: The United States is the primary target, accounting for 12 of the 16 recent victims listed (75%). Secondary targets include Mexico (MX), India (IN), Germany (DE), and Colombia (CO), suggesting a broad but US-centric affiliate base.
  • Victim Profile: Targeting ranges from mid-market business services (Rotary Club, Interzero) to large-cap technology and financial entities (Avnet, MCO). This suggests the affiliates scale their operations to whichever victims prove breachable, regardless of organization size.
  • CVE Correlation: The inclusion of CVE-2025-52691 (SmarterMail File Upload) and CVE-2026-23760 (SmarterMail Auth Bypass) correlates strongly with victims utilizing hosted email solutions. The targeting of LexisNexis and Avnet may also involve exploitation of CVE-2023-21529 (Microsoft Exchange) to bypass perimeter defenses.
  • Frequency: The group posted 16 victims between May 1st and May 4th, indicating a high velocity of operations.

Detection Engineering

The following detection logic is tailored to FULCRUMSEC's observed exploitation of mail servers and lateral movement techniques.

**Sigma Rules - Mail Server Exploitation & Lateral Movement**

```yaml
---
title: Potential SmarterMail Unrestricted File Upload (CVE-2025-52691)
id: 9a5b8c3d-1e4f-4a2b-9c8d-0e1f2a3b4c5d
description: Detects suspicious file uploads to SmarterMail web roots, indicative of CVE-2025-52691 exploitation.
status: experimental
date: 2026/05/04
author: Security Arsenal
logsource:
    category: file_event   # Sigma category for file-creation telemetry (e.g. Sysmon Event ID 11)
    product: windows
detection:
    selection:
        TargetFilename|contains: 'C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\'
        TargetFilename|endswith:
            - '.aspx'
            - '.ashx'
            - '.config'
    condition: selection
falsepositives:
    - Legitimate administrative updates
level: critical
---
title: Exchange Server Deserialization Suspicious Process (CVE-2023-21529)
id: b4c6d8e0-2f5a-4b3c-8d9e-1f2a3b4c5d6e
description: Detects PowerShell execution spawned by Microsoft Exchange backend processes, a sign of deserialization exploits.
status: experimental
date: 2026/05/04
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        # w3wp.exe lives under \System32\inetsrv\, not the Exchange install path,
        # so tie the IIS worker to Exchange via the app pool name on its command line.
        ParentCommandLine|contains: 'MSExchange'
        Image|endswith: '\powershell.exe'
    condition: selection
falsepositives:
    - Exchange Management Shell usage
level: high
---
title: FULCRUMSEC Lateral Movement via PsExec
id: c1d2e3f4-5a6b-7c8d-9e0f-1a2b3c4d5e6f
description: Detects the use of PsExec for lateral movement, a common post-exploitation tool for this gang.
status: experimental
date: 2026/05/04
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
        CommandLine|contains: 'accepteula'
    condition: selection
falsepositives:
    - System administration activity
level: medium
```


**KQL (Microsoft Sentinel) - Pre-Encryption Staging Hunt**

```kql
// Shadow-copy/backup tampering and archiver/transfer tools seen in the last 3 days.
// The SYSTEM filter cuts scheduled-maintenance noise; drop it during an active
// investigation, since encryptors frequently run vssadmin/wbadmin as SYSTEM.
DeviceProcessEvents
| where Timestamp > ago(3d)
| where ProcessCommandLine has_any("vssadmin", "wbadmin", "bcdedit", "wevtutil")
    or FileName has_any("rar.exe", "7z.exe", "winscp.exe")
| where InitiatingProcessAccountName != "SYSTEM"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc
```


**PowerShell - Rapid Response Hardening Check**

```powershell
# FULCRUMSEC Hardening Script: Check for SmarterMail Indicators
# Run on Mail Servers

Write-Host "[*] Checking for SmarterMail Web Shell Indicators..."
$SmarterMailPath = "C:\Program Files (x86)\SmarterTools\SmarterMail\MRS"
if (Test-Path $SmarterMailPath) {
    # Script and config files written under the MRS web root in the last 48 hours
    $suspiciousFiles = Get-ChildItem -Path $SmarterMailPath -Recurse -Include *.aspx, *.ashx, *.config |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-48) }
    if ($suspiciousFiles) {
        Write-Host "[!] ALERT: Recently modified suspicious files found:" -ForegroundColor Red
        $suspiciousFiles | Select-Object FullName, LastWriteTime
    } else {
        Write-Host "[+] No recently modified suspicious files in MRS directory." -ForegroundColor Green
    }
} else {
    Write-Host "[-] SmarterMail path not found."
}

Write-Host "[*] Auditing Scheduled Tasks for persistence..."
# MSFT_ScheduledTask.Date is a string (often empty); cast it before comparing,
# otherwise PowerShell compares the dates as text and misses recent tasks.
Get-ScheduledTask | Where-Object {
    $created = $_.Date -as [datetime]
    $created -and $created -gt (Get-Date).AddDays(-2) -and
    $_.Author -notlike "*Microsoft*" -and $_.Author -notlike "*SYSTEM*"
} | Select-Object TaskName, Author, Date
```

Incident Response Priorities

T-Minus Detection Checklist

  1. IIS/Mail Server Logs: Review SmarterMail and Exchange HTTP logs for anomalous POST requests to /MRS/ or /api/ endpoints containing serialized data.
  2. Shadow Copy Status: Run vssadmin list shadows to confirm shadow copies are still present. FULCRUMSEC aggressively deletes them with vssadmin delete shadows /all /quiet immediately before encryption.
  3. Firewall Logs: Inspect logs for successful VPN or RDP logins originating from unusual geolocations, cross-referencing against the other targeted countries listed above (MX, IN, DE).
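A way to work through checklist item 1 at scale, as an added example that is not part of the Security Arsenal post: it parses IIS W3C-format log lines from a SmarterMail or Exchange front end and returns POSTs to /MRS/ or /api/ that carry a script or config extension or an unusually large body, marking whether the client was external. The internal address ranges, the 100,000-byte threshold and the sample log (paths and addresses invented) are assumptions.

```python
import ipaddress
WATCHED_PREFIXES = ("/mrs/", "/api/")        # endpoints named in checklist item 1
SCRIPT_EXTS = (".aspx", ".ashx", ".config")  # extensions the Sigma file rule watches
LARGE_BODY = 100_000                         # assumed byte threshold for a bulky upload
# Assumed internal ranges; adjust to your own addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip: str) -> bool:
    # True unless the client address falls inside one of the internal ranges.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable c-ip field: do not silently trust it
    return not any(addr in net for net in INTERNAL_NETS)

def triage_iis_log(lines) -> list:
    """Parse W3C-format IIS lines; return (time, client, path, reason) for POSTs worth review."""
    fields, findings = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):        # the log declares its own column layout
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        path = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") != "POST" or not path.startswith(WATCHED_PREFIXES):
            continue
        query = rec.get("cs-uri-query", "-").lower()
        reasons = []
        if any(ext in path or ext in query for ext in SCRIPT_EXTS):
            reasons.append("script/config extension in upload request")
        if rec.get("cs-bytes", "").isdigit() and int(rec["cs-bytes"]) >= LARGE_BODY:
            reasons.append("large request body")
        if not reasons:                        # ordinary webmail POSTs are expected here
            continue
        client = rec.get("c-ip", "-")
        if is_external(client):
            reasons.append("external client")
        findings.append((rec.get("time", "-"), client, path, "; ".join(reasons)))
    return findings

# Constructed sample log; paths and addresses are invented, not real SmarterMail routes.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status cs-bytes
2026-05-03 02:14:11 10.0.0.5 POST /api/v1/mail/message-put - 198.51.100.7 200 2048
2026-05-03 02:15:40 10.0.0.5 POST /mrs/upload - 198.51.100.7 200 184320
2026-05-03 02:15:41 10.0.0.5 POST /mrs/attach filename=x.aspx 198.51.100.7 201 3100
2026-05-03 02:16:02 10.0.0.5 POST /owa/service.svc action=GetItem 10.0.0.44 200 900
""".splitlines()
```

Feed it `open(path)` on a real u_ex*.log and pivot on the returned client addresses against the RDP/VPN login review in item 3.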

Critical Assets for Exfiltration

  • Healthcare: Patient databases (EHR/EMR), insurance claim data.
  • Technology: Source code repositories, intellectual property, customer keys.
  • Business Services: Financial records (tax docs, payroll), client legal contracts (e.g., LexisNexis data).

Containment Actions

  1. Isolate Mail Servers: Immediately disconnect suspected Exchange or SmarterMail servers from the network if web shell activity is detected.
  2. Disable Non-Admin RDP: Force disable RDP on all workstations via GPO; require VPN with MFA for admin access only.
  3. Reset Service Account Credentials: Force password resets for accounts used to run Exchange/SmarterMail services and service accounts with local admin rights.

Hardening Recommendations

Immediate (24 Hours)

  • Patch CVE-2025-52691 & CVE-2026-23760: If running SmarterMail, apply the vendor patch immediately or restrict access to the /MRS directory to internal IP ranges only.
  • Patch CVE-2023-21529: Ensure all Microsoft Exchange servers are patched against the deserialization vulnerability.
  • Block External RDP and SMB: Ensure network firewalls block TCP/3389 and TCP/445 from the internet.

Short-term (2 Weeks)

  • Web Application Firewall (WAF): Implement strict WAF rules for mail server front-ends to block deserialization attack patterns.
  • Network Segmentation: Move mail servers and critical database servers to isolated VLANs, restricting lateral movement from DMZs to the internal LAN.
