Date: December 19, 2025
Since our initial profile of FulcrumSec in late October, the group has transitioned from an emerging anomaly to a confirmed, tracked entity in the broader threat landscape. While they have not yet reached the volume of “Big Game Hunters” like Akira or Qilin, intelligence surfaced in November and December 2025 confirms they are maintaining operations and establishing more resilient infrastructure.
Here is the latest intelligence update to keep your hunting guides current.
1. Confirmed Activity in November
In the Arete Ransomware Trends & Data Insights report (November 2025), FulcrumSec was explicitly listed as a newly observed threat group.
- Significance: This confirms that the Avnet incident was likely not a one-off event. The group is actively engaging in campaigns and is now being formally tracked by major Incident Response (IR) firms.
- Peer Group: They were categorized alongside other emerging Q4 2025 actors such as the Warlock Group, Payouts King, and RDAT Group.
2. New Infrastructure (IOCs)
Our original analysis identified their clearnet presence. New indicators have surfaced regarding their dark web infrastructure, which provides a more resilient fallback should their clearnet domain be seized.
- TOR / Onion Leak Site: gsgot6tua7ffammwdv6vpxkog32b4z7qivtqkxz55afq2hkt2o24w5yd.onion (Caution: Do not access via enterprise networks)
- Clearnet Domain (Still Active): fulcrumsec.net
3. Classification Update: Ransomware vs. Extortion
WatchGuard has recently added FulcrumSec to their Ransomware Tracker.
- Analysis: While our initial assessment profiled them as a “Data Extortion Only” group (similar to Karakurt), their inclusion in ransomware tracking databases suggests two possibilities:
  - Tooling Overlap: They may be using lockers/encryptors in specific cases (even if rarely).
  - Affiliate Crossover: They may be sharing infrastructure or affiliates with established ransomware-as-a-service (RaaS) gangs.
Updated Hunting Guidance
The “Data Extortion” profile remains the primary threat vector. The TTPs regarding Rclone and credential abuse remain your best detection opportunities.
New Recommendation: Update your threat intelligence feeds to include the specific TOR Onion Address listed above. Monitoring for traffic destined for TOR relays from internal servers (often via tor.exe or bundled browser processes) can indicate an infected host attempting to communicate with this new infrastructure.
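As an added illustration of the hunting guidance above (this is example code written for this update, not tooling from the group or from any vendor named here), the script below runs the FulcrumSec indicators and the Rclone / tor.exe TTPs over constructed Sysmon-style process events and DNS resolver lines. Field names, host names and the `stage-remote:` Rclone remote are assumptions made for the sample data.

```python
import re
# Indicators quoted in this update: the clearnet domain and the onion leak site.
# Note that .onion names are never resolved through public DNS, so the onion
# indicator only surfaces in host or proxy telemetry, not in resolver logs.
FULCRUMSEC_DOMAINS = {
    "fulcrumsec.net",
    "gsgot6tua7ffammwdv6vpxkog32b4z7qivtqkxz55afq2hkt2o24w5yd.onion",
}
# Process names tied to the TTPs above: Rclone for exfiltration, tor.exe for Tor reach.
SUSPECT_PROCESSES = {"rclone.exe", "tor.exe"}
# Rclone transfer syntax: <verb> <source> <remote>:<path>
RCLONE_XFER = re.compile(r"\b(copy|sync|move)\b\s+\S+\s+[\w-]+:")

def hunt_process_event(event):
    """Return hunting hits for one process-creation event (Sysmon EID 1 style fields)."""
    hits = []
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image in SUSPECT_PROCESSES:
        hits.append(f"{image} launched on {event['Computer']}")
    if image == "rclone.exe" and RCLONE_XFER.search(event.get("CommandLine", "").lower()):
        hits.append(f"rclone transfer to remote on {event['Computer']}")
    return hits

def hunt_dns_line(line):
    """Return a hit if a DNS query log line names a FulcrumSec domain or a subdomain of one."""
    m = re.search(r"query:\s+(\S+)", line)
    if not m:
        return None
    name = m.group(1).lower().rstrip(".")
    for ioc in FULCRUMSEC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return f"dns lookup of {name}"
    return None

# Constructed sample telemetry for the demo (not real logs; hosts and paths are invented).
SAMPLE_EVENTS = [
    {"Computer": "FS01", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Computer": "FS01", "Image": "C:\\Users\\Public\\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Shares\\Finance stage-remote:/drop -q --transfers 8"},
    {"Computer": "SQL02", "Image": "C:\\ProgramData\\tb\\Tor\\tor.exe", "CommandLine": "tor.exe"},
]
SAMPLE_DNS = [
    "10.0.1.5 query: www.microsoft.com IN A",
    "10.0.1.44 query: fulcrumsec.net. IN A",
    "10.0.1.44 query: cdn.fulcrumsec.net IN A",
]

def run_hunt(events=SAMPLE_EVENTS, dns_lines=SAMPLE_DNS):
    """Collect every hit across process events and DNS lines."""
    hits = [h for ev in events for h in hunt_process_event(ev)]
    hits += [h for h in map(hunt_dns_line, dns_lines) if h]
    return hits
```

Feed your own EDR process events and resolver logs into `run_hunt` in place of the constructed samples; a tor.exe or Rclone hit on a server, or any lookup of the clearnet domain, is worth a ticket.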