Threat Actor Profile — FULCRUMSEC
Aliases & Operations: FULCRUMSEC (also known as Project Fulcrum) operates as a aggressive Ransomware-as-a-Service (RaaS) entity. Unlike strict "big game hunting" groups, they display a high-volume, mixed-target approach, hitting mid-market enterprises alongside large conglomerates.
TTPs & Behavior:
- Ransom Demands: Typically range from $500,000 to $5 million, with negotiations often starting around 20% of the initial ask.
- Initial Access: Heavily reliant on exploiting internet-facing infrastructure (CVEs) rather than pure phishing. Recent intelligence confirms a pivot towards email gateway exploitation (Exchange, SmarterMail) and perimeter firewall misconfigurations.
- Double Extortion: Strict adherents to double extortion. Data is stolen 1–4 days prior to encryption. Leak site "timer" features are used to pressure victims.
- Dwell Time: Short. Average dwell time observed is approximately 3–5 days from initial exploit to encryption.
Current Campaign Analysis
Campaign Overview: As of 2026-05-02, FULCRUMSEC has posted 21 new victims in the last 100 postings, with a significant concentration (15 listed) published on a single day (2026-05-01). This indicates a coordinated mass-breach event, likely linked to the exploitation of a specific vulnerability or a recently acquired access botnet.
Targeted Sectors:
- Primary: Technology (Avnet, ReFocus AI, Hatica) and Healthcare (Lena Health, Woundtech).
- Secondary: Business Services (LexisNexis, Rotary Club, Saleskido) and Financial Services (MCO).
Geographic Concentration: Heavily US-centric. Of the 15 recent victims listed for May 1st, 11 are based in the United States. International targets include India (Saleskido), Germany (Interzero), Mexico (Nordstern Technologies), and others.
CVE Exploitation Correlation: The recent surge correlates with the weaponization of CVE-2023-21529 (Microsoft Exchange) and CVE-2026-20131 (Cisco Secure Firewall). Given the high number of Tech and Healthcare victims (sectors reliant on Exchange), it is highly probable that the Exchange deserialization vulnerability is the primary initial access vector for this specific wave.
Detection Engineering
SIGMA Rules
YAML
---
title: Potential Microsoft Exchange Deserialization Exploit CVE-2023-21529
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects potential exploitation of Microsoft Exchange Server Deserialization of Untrusted Data vulnerability (CVE-2023-21529) based on suspicious Exchange Backend process patterns.
status: experimental
date: 2026/05/02
author: Security Arsenal Research
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: windows
service: security
detection:
selection:
EventID: 5140 or 5145
ShareName|contains: 'Exchange'
SubjectUserName|contains: 'IIS APPPOOL'
filter_legit:
IpAddress:
- '127.0.0.1'
- '::1'
condition: selection and not filter_legit
falsepositives:
- Legitimate Exchange administrative activity from internal IPs
level: high
---
title: SmarterMail Unrestricted File Upload Activity CVE-2025-52691
id: b2c3d4e5-6789-01bc-def2-2345678901bc
description: Detects suspicious file creation patterns in SmarterMail web roots indicative of exploitation of CVE-2025-52691.
status: experimental
date: 2026/05/02
author: Security Arsenal Research
logsource:
product: windows
file_creation: true
detection:
selection:
TargetFilename|contains:
- 'MRS\'
- 'SmarterMail\'
TargetFilename|contains:
- '.aspx'
- '.ashx'
- '.config'
timeframe: 1m
condition: selection
falsepositives:
- Software updates or legitimate administrative uploads
level: critical
---
title: FULCRUMSEC Lateral Movement via WMI Event Subscription
id: c3d4e5f6-7890-12cd-ef23-3456789012cd
description: Detects lateral movement techniques consistent with FULCRUMSEC operations using WMI for remote code execution.
status: experimental
date: 2026/05/02
author: Security Arsenal Research
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
LogonProcessName|contains: 'Advapi'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Network logons by service accounts
level: medium
KQL Hunt Query (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for evidence of SmarterMail exploitation and subsequent lateral movement
// Look for web shell access patterns or unexpected processes launched by IIS
SecurityEvent
| where EventID in (5140, 5145, 4688)
| extend FilePath = iff(EventID == 4688, NewProcessName, TargetFileName)
| extend Account = iff(EventID == 4688, SubjectUserName, SubjectUserName)
| where FilePath has "SmarterMail" or FilePath has "Exchange"
| where Account !contains "$" and Account != "SYSTEM"
| project TimeGenerated, Computer, Account, EventID, FilePath, ProcessCommandLine
| sort by TimeGenerated desc
PowerShell Hardening Script
PowerShell
<#
.SYNOPSIS
FULCRUMSEC Response: Audit Exchange and SmarterMail Security Posture.
.DESCRIPTION
Checks for recent suspicious scheduled tasks and exposed file extensions in web roots.
#>
Write-Host "[+] Checking for recently created Scheduled Tasks (Last 7 Days)..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, Author, Date, State
Write-Host "[+] Checking for suspicious ASP/ASPX files in inetpub..." -ForegroundColor Cyan
$Paths = @("C:\inetpub", "C:\Program Files\SmarterTools")
foreach ($Path in $Paths) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -Include *.aspx, *.ashx, *.config -ErrorAction SilentlyContinue |
Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-24)} |
Select-Object FullName, LastWriteTime
}
}
Write-Host "[+] Verifying Exchange Patch Status (Checking DLL Version) ..." -ForegroundColor Cyan
# This is a simplified check; verify against MSRC bulletin for CVE-2023-21529
$ExchangePath = "C:\Program Files\Microsoft\Exchange Server\V15\Bin"
if (Test-Path $ExchangePath) {
Get-Item "$ExchangePath\Microsoft.Exchange.Diagnostics.dll" | Select-Object Name, VersionInfo
}
Incident Response Priorities
T-Minus Detection Checklist:
- Exchange Audit: Immediately review IIS logs on Exchange servers for patterns indicating deserialization attacks (
/ecp/,/owa/anomalies). - Web Shell Hunt: Scan SmarterMail and Exchange directories for recently created
.aspx,.asmx, or.configfiles. - Firewall Logs: Check Cisco FMC logs for unauthorized API calls or unexpected policy changes (CVE-2026-20131 indicators).
Critical Assets at Risk:
- Patient Records (Targeted Healthcare victims: Lena Health, Woundtech).
- Legal/IP Data (Targeted Business Services victims: LexisNexis).
- Source Code/Proprietary Tech (Targeted Tech victims: Avnet, ReFocus AI).
Containment Actions:
- Isolate: Disconnect Exchange and SmarterMail servers from the network immediately if exploitation is suspected.
- Revoke: Reset credentials for all service accounts associated with email gateways and firewall management interfaces.
- Block: Implement WAF rules to block inbound traffic to
/ecp/and/owa/from untrusted IPs.
Hardening Recommendations
Immediate (24 Hours):
- Patch Exchange: Apply the security update for CVE-2023-21529 immediately.
- Patch Cisco FMC: Update Cisco Secure Firewall Management Center to address CVE-2026-20131.
- Restrict Access: Place SmarterMail and Exchange administration interfaces behind a Zero Trust Network Access (ZTNA) solution; disallow direct internet access.
Short-term (2 Weeks):
- Network Segmentation: Enforce strict segmentation between web-facing DMZs and internal database servers.
- MFA Enforcement: Require phishing-resistant MFA for all remote access (VPN) and cloud admin consoles.
- Audit Exposed Services: Conduct an external penetration test specifically focused on edge services and mail gateways.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebransomware-gangfulcrumsecransomwarehealthcaretechnologycve-2023-21529exchange-server
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.