
FULCRUMSEC Gang: Aggressive US Healthcare & Tech Campaign — SmarterMail & Exchange Exploitation Analysis

Security Arsenal Team
May 3, 2026

Date: 2026-05-04
Source: Security Arsenal Dark Web Intelligence Unit
Threat Level: CRITICAL


Threat Actor Profile — FULCRUMSEC

  • Aliases: None confirmed (suspected evolution of the former "Twisted Spider" affiliate group).
  • Operational Model: Aggressive Ransomware-as-a-Service (RaaS) with high-volume affiliate operations.
  • Ransom Demands: Variable, typically ranging from $500k to $5M USD depending on victim revenue.
  • Initial Access Vectors: Heavy reliance on external-facing service exploits (Email gateways, Firewalls) rather than traditional phishing. Recent intelligence confirms weaponization of zero-days in Meta React and SmarterMail.
  • Extortion Strategy: Strict double-extortion model. Data is exfiltrated to dedicated cloud storage prior to encryption. Leak site ("Fulcrum Leaks") is updated daily if negotiations stall.
  • Dwell Time: Short (3–7 days). FULCRUMSEC affiliates move from initial exploit to encryption rapidly to minimize defender response windows.

Current Campaign Analysis

Sector & Geographic Targeting

Based on the 15+ victims posted on 2026-05-01, FULCRUMSEC has shifted focus to high-value data-rich verticals in the United States.

  • Top Sectors:
    • Healthcare (20%): Lena Health, Woundtech. (Targeting patient PHI/PII).
    • Technology (27%): Avnet, ReFocus AI, Hatica, Nordstern Technologies. (Targeting IP and source code).
    • Business Services (27%): LexisNexis, Interzero, Rotary Club. (Targeting corporate data).
  • Geographic Spread: 80% US-based, with secondary targets in Mexico (Nordstern), India (Saleskido), Germany (Interzero), and Colombia (IMEVI).

Vulnerability Correlation

The surge in postings correlates directly with the weaponization of recent CISA KEV-listed vulnerabilities:

  1. CVE-2025-52691 / CVE-2026-23760 (SmarterMail): Likely the primary vector for the Healthcare and Business Services victims. These organizations often rely on legacy mail gateways.
  2. CVE-2023-21529 (Microsoft Exchange): A perennial favorite for accessing Technology sector credentials.
  3. CVE-2026-20131 (Cisco Secure Firewall): Suggests perimeter breach capabilities for bypassing network defenses in larger enterprises like LexisNexis or Avnet.

Victim Profile

  • Size: Mid-Market to Enterprise. Victims like Avnet (Fortune 500) and LexisNexis indicate FULCRUMSEC affiliates can breach mature security postures.
  • Escalation: Posts are batched (15 victims in one day), suggesting an automated "site publishing" script is used by the gang to pressure multiple victims simultaneously.

Detection Engineering

Sigma Rules

---
title: Suspicious SmarterMail File Upload Activity
id: b4a3c9d1-8e5f-4a2b-9c1d-8e5f4a2b9c1d
description: Detects potential exploitation of CVE-2025-52691 (SmarterMail Unrestricted Upload) via web logs.
status: experimental
date: 2026-05-04
author: Security Arsenal
logsource:
  product: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'Mainservice.asmx'
      - 'SaveDraft'
      - 'Attachments'
    cs-method: 'POST'
  filter:
    cs-uri-query|contains: 'normal'
  condition: selection and not filter
falsepositives:
  - Legitimate high-volume email attachments
level: high
tags:
  - attack.initial_access
  - cve.2025.52691
  - fulcrumsec
---
title: Microsoft Exchange Deserialization Exploit Attempt
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects patterns associated with CVE-2023-21529 exploitation on Exchange Servers.
status: experimental
date: 2026-05-04
author: Security Arsenal
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5156 # The Windows Filtering Platform has allowed a connection.
    DestPort: 443
    DestAddress|startswith: # Event 5156 names the remote endpoint DestAddress (there is no DestIp field)
      - '192.168.' # Internal IP range of the Exchange server, adjust as needed
    Application|contains: 'w3wp.exe' # Event 5156 carries the process path in Application, not ProcessName
  condition: selection
falsepositives:
  - Normal Outlook on the web (OWA) traffic
level: medium
tags:
  - attack.initial_access
  - cve.2023.21529
  - fulcrumsec
---
title: Ransomware Data Staging Pattern (Mass 7z/Rar)
id: f9e8d7c6-b5a4-3e2d-1c0b-a9f8e7d6c5b4
description: Detects potential data staging prior to exfiltration common in FULCRUMSEC operations.
status: experimental
date: 2026-05-04
author: Security Arsenal
logsource:
  product: windows
  category: process_creation # process creation is a Sigma category, not a service
detection:
  selection:
    Image|endswith:
      - '\7z.exe'
      - '\winrar.exe'
      - '\rar.exe'
    CommandLine|contains:
      - ' -m0' # store-only (no compression), fast staging
      - ' -mt' # multithreaded
      - ' -hp' # password-protected archives
  condition: selection
falsepositives:
  - Admin backups
level: high
tags:
  - attack.collection
  - attack.exfiltration
  - fulcrumsec
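To make the matching logic of the SmarterMail upload rule and the mass-archive rule concrete, here is an added Python evaluator (not part of the report, and not the Sigma project's own code) that applies their detection sections to constructed IIS-style and process-creation events. It supports only the modifiers and condition shapes these two rules use; the sample events and their IPs are constructed.

```python
# Detection sections transcribed from the SmarterMail upload rule and the mass-archive rule above.
SMARTERMAIL_UPLOAD = {
    "selection": {
        "cs-uri-query|contains": ["Mainservice.asmx", "SaveDraft", "Attachments"],
        "cs-method": "POST",
    },
    "filter": {"cs-uri-query|contains": "normal"},
    "condition": "selection and not filter",
}
MASS_ARCHIVE = {
    "selection": {
        "Image|endswith": ["\\7z.exe", "\\winrar.exe", "\\rar.exe"],
        "CommandLine|contains": [" -m0", " -mt", " -hp"],
    },
    "condition": "selection",
}

# Only the modifiers the report's rules use; Sigma string matching is case-insensitive.
_OPS = {"": str.__eq__, "contains": str.__contains__,
        "endswith": str.endswith, "startswith": str.startswith}

def _field_matches(event, key, expected):
    """One map entry: a list of values is an OR; a missing field never matches."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    return any(_OPS[modifier](value, str(w).lower()) for w in wanted)

def _block_matches(event, block):
    """Every entry of a selection/filter map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())

def rule_matches(rule, event):
    """Evaluate 'X' or 'X and not Y' conditions, the two shapes used in the report."""
    parts = rule["condition"].split()
    hit = _block_matches(event, rule[parts[0]])
    if parts[1:3] == ["and", "not"]:  # apply the exclusion filter
        hit = hit and not _block_matches(event, rule[parts[3]])
    return hit

# Constructed sample events: IIS W3C-style fields for the web rule, Sysmon-style for the process rule.
WEB_EVENTS = [
    {"c-ip": "203.0.113.7", "cs-method": "POST", "cs-uri-query": "/Services/Mainservice.asmx?op=SaveDraft"},
    {"c-ip": "198.51.100.9", "cs-method": "GET", "cs-uri-query": "/interface/root"},
    {"c-ip": "10.0.0.5", "cs-method": "POST", "cs-uri-query": "/Attachments?mode=normal"},  # dropped by filter
]
PROCESS_EVENTS = [
    {"Image": "C:\\Program Files\\7-Zip\\7z.exe", "CommandLine": "7z.exe a -m0 -hpS3cret stage.7z D:\\PHI"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe -hp notes.txt"},
]
```

Running `[e for e in WEB_EVENTS if rule_matches(SMARTERMAIL_UPLOAD, e)]` fires only on the first web event; the third is suppressed by the filter, which is why the rule's `'normal'` exclusion deserves review before deployment.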

KQL (Microsoft Sentinel)

Hunts for PowerShell/cmd download-cradle activity (System.Net.WebClient, or Invoke-WebRequest/Invoke-RestMethod passing credentials), a tooling-retrieval step often seen before detonation, and enriches each hit with the code-signing status of the launching binary.

let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ('powershell.exe', 'cmd.exe', 'powershell_ise.exe')
| where (ProcessCommandLine has 'New-Object' and ProcessCommandLine has 'System.Net.WebClient')
    or ProcessCommandLine matches regex @'Invoke-(WebRequest|RestMethod).*-Credential'
// keep SHA1: DeviceFileCertificateInfo is keyed on SHA1 and has no SHA256 column
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA1
| join kind=leftouter (
    DeviceFileCertificateInfo
    | summarize arg_max(Timestamp, Signer, IsSigned, IsTrusted) by SHA1   // one row per hash
    | project SHA1, Signer, IsSigned, IsTrusted
  ) on SHA1
// unsigned, untrusted or non-Microsoft binaries posing as PowerShell/cmd are the interesting ones
| where isempty(Signer) or Signer !contains 'Microsoft Corporation' or IsTrusted == false

PowerShell: Rapid Response Hardening

Check for scheduled tasks registered in the last 7 days, a common persistence mechanism for ransomware.

$DateCutoff = (Get-Date).AddDays(-7)
Write-Host "Checking for Scheduled Tasks registered in the last 7 days..." -ForegroundColor Yellow

Get-ScheduledTask | ForEach-Object {
    $TaskInfo = $_
    # Get-ScheduledTaskInfo exposes LastRunTime (there is no LastTaskTime property)
    $Task = Get-ScheduledTaskInfo -TaskName $TaskInfo.TaskName -TaskPath $TaskInfo.TaskPath -ErrorAction SilentlyContinue
    # The registration date is a string on the task object; -as yields $null when it is absent or unparsable
    $Registered = $TaskInfo.Date -as [datetime]

    if ($Registered -and $Registered -gt $DateCutoff) {
        Write-Host "[SUSPICIOUS] Task: $($TaskInfo.TaskName) | Path: $($TaskInfo.TaskPath) | Registered: $Registered | Last Run: $($Task.LastRunTime)" -ForegroundColor Red
        Write-Host "   Action: $($TaskInfo.Actions.Execute) $($TaskInfo.Actions.Arguments)" -ForegroundColor Gray
    }
}


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

  1. Web Shell Scan: Immediately scan IIS/Apache logs on Exchange and mail gateway servers for POST requests containing %3C (URL-encoded <) or anomalous .aspx paths matching SmarterMail endpoints.
  2. Shadow Copy Deletion: Monitor for vssadmin.exe Delete Shadows or diskshadow.exe execution.
  3. Mass Archive Creation: Alert on any process compressing >500MB of data to C:\Windows\Temp or \ProgramData.

Critical Assets for Exfiltration

Based on the victim list (LexisNexis, Avnet), prioritize investigating access to:

  • Legal Databases and Case Management systems.
  • Source Code Repositories (GitLab, GitHub Enterprise).
  • Electronic Health Records (EHR) databases.

Containment Actions

  1. Isolate Mail Gateways: If SmarterMail is in use, disconnect the server from the network immediately but preserve memory for forensics.
  2. Revoke VPN Credentials: Assume VPN credentials are compromised if using Cisco FMC CVE-2026-20131. Force MFA re-enrollment.
  3. Block C2: Update firewalls to block known FULCRUMSEC C2 IP ranges (check Threat Intelligence feeds).

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Apply patches for CVE-2025-52691 and CVE-2026-23760 (SmarterMail) and CVE-2023-21529 (Exchange) immediately.
  • Disable External Mail Access: Temporarily disable OWA/ActiveSync for non-admin users until patches are verified.
  • MFA Enforcement: Ensure phishing-resistant MFA (FIDO2) is enforced on all VPN and Remote Desktop gateways.

Short-term (2 Weeks)

  • Network Segmentation: Segment critical mail servers from the main internal LAN. Ensure jump hosts are required for admin access.
  • WAF Rules: Deploy specific WAF rules to block anomalous POST requests to Mainservice.asmx and Exchange EWS endpoints originating from unusual geolocations.
  • EDR Coverage: Verify full EDR coverage on all Exchange and Mail Gateway servers; these are often the "unmonitored" weak point.
