Back to Intelligence

FULCRUMSEC Ransomware: Aggressive Exploitation of Mail Gateways & 21 New Victims Detected

SA
Security Arsenal Team
May 4, 2026
6 min read

Threat Actor Profile — FULCRUMSEC

FULCRUMSEC has rapidly escalated operations, posting 21 victims in the last 100 days. Intelligence suggests they operate as a sophisticated RaaS (Ransomware-as-a-Service) affiliate model, leveraging recently disclosed vulnerabilities in enterprise communication infrastructure rather than relying solely on traditional phishing or RDP brute-forcing.

  • Operating Model: RaaS with a focus on double extortion. The gang is known to exfiltrate sensitive data (PII, IP, financial records) prior to encryption.
  • Initial Access Vectors: Heavy reliance on unpatched external-facing services. Recent campaigns prioritize vulnerabilities in email servers (Microsoft Exchange, SmarterTools) and firewall management interfaces (Cisco FMC).
  • Dwell Time: Short. FULCRUMSEC typically moves laterally and detonates payloads within 48–72 hours of initial access to minimize defender response time.
  • Ransom Demands: Variable, generally scaling with revenue, often starting in the mid-six figures for mid-market entities and escalating to millions for large enterprises.

Current Campaign Analysis

Sector Targeting: The current campaign exhibits a distinct bias towards Technology and Healthcare, though Business Services remain a consistent target. Notable recent victims include Avnet (Technology), LexisNexis (Business Services), and Lena Health (Healthcare).

Geographic Concentration: The United States is the primary target, accounting for over 75% of the recent victims (e.g., Avnet, MCO, ParkEngage). Secondary activity has been observed in Mexico, India, Germany, and Colombia, suggesting a global but US-centric affiliate network.

Victim Profile: FULCRUMSEC is targeting mid-to-large enterprises. The inclusion of LexisNexis and Avnet indicates capability to hit high-revenue targets ($5B+), while victims like Saleskido and Hatica suggest a willingness to attack high-growth technology firms with valuable intellectual property.

CVE Correlation & Attack Vector: There is a strong correlation between the victim list (hosting/tech/email-heavy sectors) and the actively exploited CVEs:

  • CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability allowing authenticated attackers to achieve RCE. This is likely the primary vector for Tech and Biz Service victims.
  • CVE-2025-52691 & CVE-2026-23760 (SmarterMail): File upload and auth bypass. These are likely being used to breach smaller tech firms and hosting providers managing their own mail.
  • CVE-2026-20131 (Cisco FMC): Deserialization in firewall management. This allows the gang to pivot through perimeter defenses, disabling security controls before lateral movement.

Detection Engineering

The following detection content is designed to identify the specific TTPs associated with FULCRUMSEC’s exploitation of mail servers and subsequent lateral movement.

YAML
---
title: Potential Microsoft Exchange Deserialization Exploit (CVE-2023-21529)
id: 0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects suspicious process execution patterns associated with deserialization exploits in Microsoft Exchange Server, specifically w3wp.exe spawning cmd or powershell.
status: experimental
date: 2026/05/04
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter:
        CommandLine|contains:
            - 'appcmd'
            - 'build'
    condition: selection and not filter
falsepositives:
    - Legitimate Exchange administration
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve-2023-21529
---
title: SmarterMail Webshell Upload Activity
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects the creation of suspicious files in SmarterMail web directories indicative of successful file upload exploits (CVE-2025-52691).
status: experimental
date: 2026/05/04
author: Security Arsenal Research
logsource:
    product: windows
    category: file_create
detection:
    selection:
        TargetFilename|contains:
            - 'C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\'
            - 'C:\Program Files\SmarterTools\SmarterMail\MRS\'
        TargetFilename|endswith:
            - '.aspx'
            - '.ashx'
            - '.asmx'
    filter:
        User|contains:
            - 'SYSTEM'
            - 'SmarterMail'
    condition: selection and not filter
falsepositives:
    - Legitimate software updates
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve-2025-52691
---
title: Suspicious Lateral Movement via PsExec and WMI
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects typical ransomware lateral movement using PsExec or WMI often seen after FULCRUMSEC initial access.
status: experimental
date: 2026/05/04
author: Security Arsenal Research
logsource:
    product: windows
    category: process_creation
detection:
    selection_psexec:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
    selection_wmi:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'process call create'
    selection_smb:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '\\*\ADMIN$\'
    condition: 1 of selection_
falsepositives:
    - System administration
level: high
tags:
    - attack.lateral_movement
    - attack.t1021.002

KQL (Microsoft Sentinel)

This query hunts for indicators of webshell activity or credential dumping associated with the mail server exploits.

kqlnlet timeframe = 1d; DeviceProcessEvents | where Timestamp > ago(timeframe) | where (ProcessVersionInfoOriginalFileName in ("w3wp.exe", "svchost.exe", "cmd.exe") or InitiatingProcessVersionInfoOriginalFileName in ("w3wp.exe", "svchost.exe")) | where ProcessCommandLine has any( "whoami", "net user", "ipconfig", "systeminfo", "tasklist", "nltest" ) | extend HostName = DeviceName, Account = InitiatingProcessAccountName | project Timestamp, HostName, Account, FileName, ProcessCommandLine, InitiatingProcessFileName | where FileName != "cmd.exe" or ProcessCommandLine contains "-enc"

PowerShell: Post-Compromise Audit Script

Run this on Exchange and Mail servers to check for recent file modifications indicative of webshell uploads or persistence mechanisms.

PowerShell
<#
    .SYNOPSIS
    FULCRUMSEC Response Script - Checks for webshells and persistence.
#>

$DaysToCheck = 3
$WebRoots = @(
    "C:\inetpub\wwwroot",
    "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
    "C:\Program Files (x86)\SmarterTools\SmarterMail\MRS"
)

Write-Host "[+] Checking for recently modified files in web roots..." -ForegroundColor Cyan

foreach ($root in $WebRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include *.aspx, *.ashx, *.asmx, *.config -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$DaysToCheck) } |
        Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
    }
}

Write-Host "[+] Checking for suspicious scheduled tasks..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {
    $_.State -eq "Ready" -and 
    $_.LastRunTime -gt (Get-Date).AddDays(-$DaysToCheck) -and
    ($_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*cmd*")
} | Select-Object TaskName, LastRunTime, TaskPath | Format-Table -AutoSize

Incident Response Priorities

T-minus Detection Checklist (Pre-Encryption):

  1. Log Audit: Immediately review IIS logs (Exchange/SmarterMail) for large POST requests or anomalous 200/500 status codes from external IPs.
  2. Service Accounts: Audit logs for usage of privileged service accounts (e.g., Exchange Trusted Subsystem) from non-standard workstations.
  3. Firewall Rules: Check Cisco FMC logs for unauthorized configuration changes (CVE-2026-20131 indicators).

Critical Assets Prioritized for Exfiltration:

  • Healthcare: PHI databases, patient scheduling systems.
  • Technology: Source code repositories, customer credential databases, IP documentation.
  • Legal/Biz Services: M&A data, client case files.

Containment Actions (Urgency Order):

  1. Isolate Mail Servers: Disconnect mail gateways from the network if compromise is suspected, but preserve volatile memory.
  2. Reset Credentials: Force reset for all accounts with access to the mail server admin console and domain admin accounts.
  3. Block C2: Identify and block outbound connections to known C2 infrastructure (check firewall logs for unusual long-lived connections).

Hardening Recommendations

Immediate (24h):

  • Patch Management: Apply patches for CVE-2023-21529 (Exchange) and CVE-2025-52691 / CVE-2026-23760 (SmarterMail) immediately.
  • External Access: Restrict access to Cisco FMC and Exchange Management interfaces (ECP/OWA) to specific source IP ranges via VPN or Jump Hosts. Disable basic authentication.

Short-term (2 weeks):

  • Network Segmentation: Ensure mail servers are in a separate VLAN with strict egress filtering (no direct internet access for system accounts).
  • Anti-Webshell Deployment: Deploy runtime application self-protection (RASP) or IIS modules designed to detect and block deserialization attacks and webshell upload attempts.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangfulcrumsecransomwarecve-2023-21529exchange-serverhealthcarethreat-intel

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action