
FulcrumSec

Also known as: FulcrumSec

FulcrumSec is a financially motivated data-theft and extortion actor, described in the content as a ransomware group focused on data extortion and active since at least September 2025. The group publicly claims intrusions, publishes detailed breach reports, and operates a Tor/dark web leak presence and underground forum postings to pressure victims. Known alias in the content: FulCrumSec.

Across the cited incidents, FulcrumSec primarily targets organizations by stealing data from cloud and application environments and then leaking or threatening to leak it. Reported victims and claimed targets in the content include Arup Group, LexisNexis Legal & Professional, Wound Technology Network (Woundtech), Unique Computing LLC, ReFocus AI, Gennet AI, Lena Health, a California-based mortgage broker, and a healthcare breach referenced by Bitdefender.

The group’s claimed tradecraft in the content centers on exploitation of exposed or unpatched internet-facing applications and abuse of cloud credentials and secrets. Specifically mentioned techniques include exploiting the React2Shell vulnerability (CVE-2025-55182) in unpatched React frontend applications; obtaining access via a GitHub personal access token hardcoded in a JavaScript file on a forgotten subdomain; harvesting additional hardcoded tokens, API keys, passwords, and cloud credentials from repositories; abusing ECS/container credentials and overly permissive AWS roles; accessing AWS infrastructure including S3 buckets, Redshift, VPC databases, AWS Secrets Manager, and Qualtrics; and exfiltrating large datasets from cloud storage and databases.

The content also describes FulcrumSec publishing detailed victim narratives, contacting victims during extortion, and in some cases releasing data publicly for free when negotiations failed. The content does not attribute FulcrumSec to any nation state. It consistently portrays the actor as criminally motivated and focused on data theft/extortion rather than espionage.

No sub-groups are directly identified in the provided content.
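The initial-access path described above (a GitHub personal access token hardcoded in a JavaScript file on a forgotten subdomain, plus further tokens and cloud keys harvested from repositories) is the kind of exposure a defender can find first by scanning their own front-end bundles and repositories. The following is an added example of such a scanner, written for this page and not code from Mallory or from any cited report; the token formats are public prefix conventions, the exact lengths, the entropy threshold and the sample bundle are this example's own constructed assumptions.

```python
"""Offline scanner for hardcoded credentials in source text (e.g. a JS bundle).

Added example, not from the page or any vendor. It combines two detectors:
known token formats (high confidence) and a generic "secret-ish identifier
assigned a long, high-entropy quoted string" heuristic (medium confidence).
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Known token formats. The prefixes are public conventions; the exact body
# lengths are this example's assumption and should be tuned to your tooling.
KNOWN_PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}

# Generic fallback: an identifier that smells like a secret, assigned a
# quoted string of at least 16 characters (JS object keys or assignments).
ASSIGNMENT = re.compile(
    r"""(?i)\b(\w*(?:secret|token|password|passwd|api[_-]?key|access[_-]?key)\w*)"""
    r"""\s*[:=]\s*["']([^"']{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; tuning assumption


@dataclass
class Finding:
    kind: str
    line: int
    redacted: str   # never log the full secret
    confidence: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so a report cannot leak the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def scan_for_hardcoded_secrets(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reported_spans = []
        # 1. Known formats: report regardless of context.
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, lineno, redact(m.group(0)), "high"))
                reported_spans.append(m.span())
        # 2. Generic heuristic: secret-like key + long high-entropy value,
        #    skipping values already covered by a known-format hit.
        for m in ASSIGNMENT.finditer(line):
            value, (start, end) = m.group(2), m.span(2)
            if any(a <= start and end <= b for a, b in reported_spans):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(
                    Finding("generic_high_entropy", lineno, redact(value), "medium")
                )
    return findings


# Constructed sample: a forgotten front-end bundle with embedded config.
# Values are fabricated; the AWS key id is the placeholder from AWS docs.
SAMPLE_BUNDLE = """\
// constructed sample bundle
const config = {
  apiBase: "https://api.example.invalid",
  apiKey: "internal-test-value",
  ghToken: "ghp_ExampleExampleExampleExampleExample1",
  awsKey: "AKIAIOSFODNN7EXAMPLE",
  secret: "kF9sA2qL7xPwZ3mNbV8cR4tY1uG6hJ0e",
  debug: true,
};
"""

if __name__ == "__main__":
    for f in scan_for_hardcoded_secrets(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.kind} ({f.confidence}) {f.redacted}")
```

Run over the constructed bundle, the scanner reports the GitHub token and the AWS key id with high confidence and the 32-character `secret` value on the entropy heuristic, while the low-entropy `apiKey` placeholder is correctly left alone; the same function can be pointed at every `.js` file served from a subdomain inventory or at a repository checkout, with findings feeding a rotation ticket rather than a log that stores the secret.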

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Capital Goods
  • Software & Services

Where they target

Geographies tied to known operations.

  • 🇬🇧 United Kingdom
  • 🇭🇰 Hong Kong SAR China

MITRE ATT&CK

Tradecraft

24 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics, 33 technique entries. ×N = number of intelligence reports citing this technique.

TA0043 Reconnaissance (1 technique)
  • T1589 Gather Victim Identity Information
      • T1589.001 Credentials

TA0042 Resource Development (1 technique)
  • T1588 Obtain Capabilities
      • T1588.003 Code Signing Certificates

TA0001 Initial Access (3 techniques)
  • T1078 Valid Accounts (×2)
      • T1078.004 Cloud Accounts
  • T1133 External Remote Services (×2)
  • T1190 Exploit Public-Facing Application (×7)

TA0002 Execution (1 technique)
  • T1203 Exploitation for Client Execution

TA0003 Persistence (2 techniques)
  • T1078 Valid Accounts (×2)
      • T1078.004 Cloud Accounts
  • T1133 External Remote Services (×2)

TA0004 Privilege Escalation (1 technique)
  • T1078 Valid Accounts (×2)
      • T1078.004 Cloud Accounts

TA0005 Stealth (1 technique)
  • T1078 Valid Accounts (×2)
      • T1078.004 Cloud Accounts

TA0006 Credential Access (4 techniques)
  • T1528 Steal Application Access Token
  • T1552 Unsecured Credentials (×5)
      • T1552.001 Credentials In Files (×3)
      • T1552.005 Cloud Instance Metadata API
  • T1555 Credentials from Password Stores (×3)
  • T1649 Steal or Forge Authentication Certificates (×2)

TA0007 Discovery (4 techniques)
  • T1016 System Network Configuration Discovery
  • T1526 Cloud Service Discovery (×2)
  • T1580 Cloud Infrastructure Discovery (×3)
  • T1619 Cloud Storage Object Discovery

TA0009 Collection (3 techniques)
  • T1074 Data Staged
  • T1213 Data from Information Repositories (×6)
  • T1530 Data from Cloud Storage (×4)

TA0010 Exfiltration (3 techniques)
  • T1041 Exfiltration Over C2 Channel
  • T1537 Transfer Data to Cloud Account
  • T1567 Exfiltration Over Web Service
      • T1567.002 Exfiltration to Cloud Storage (×4)

IOCS

Observables

2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

malware news (News), Jun 10, 2026
UK Cybercrime Journal: Arup Group Breached by FulcrumSec - Malware News - Malware Analysis, News and Indicators

Financially motivated data-theft-extortion group active since September 2025 that specializes in rapid exfiltration of cloud-hosted data by exploiting unrotated API keys, hardcoded credentials, and misconfigured cloud permissions. In this case, it claimed a long-running, targeted intrusion against Arup Group, stealing GitHub repositories, cloud storage data, and database backups before attempting extortion.

darkwebinformer (News), Apr 1, 2026
FulcrumSec Breaches Unique Computing, ReFocus AI, and Gennet AI Exposing 23,000 Insurance Policyholders, $797M in Premiums, Driver Licenses, SSNs, and Proprietary ML Models From a Single Unpatched AWS Account

Conducted a data breach and public leak operation against Unique Computing, ReFocus AI, and Gennet AI by exploiting a public-facing application flaw to obtain ECS credentials, access shared AWS resources, and exfiltrate 140GB of data for public release.

data breaches net (News), Mar 23, 2026
If threat actors gave you a chance to redact the patient data they hacked before they leak it, would you take them up on the offer? Read about the Woundtech incident. - DataBreaches.Net

Conducted a data theft and extortion operation against Woundtech, exfiltrating medical data from Snowflake exports and an S3 bucket, publishing leak previews, negotiating payment, and offering to redact or delete some patient data before public release.

ahnlab asec blog (News), Mar 10, 2026
February 2026 Security Issues Related to the Korean & Global Financial Sector - ASEC

A threat actor advertising an alleged large-scale breach of a California-based mortgage broker, claiming theft of mortgage application documents, source code, credentials, and financial infrastructure data.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (24)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (1)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (2)

Domains, IPs, and hashes tied to this actor, refreshed continuously.