Sponsored by Hudson Rock Use Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are leading to ransomware attacks

Atlas Metal Industries Inc

atlasfoodserv.com

Group Aurora
Discovered 2026-04-29 21:35 UTC
Est. attack date 2026-04-29
Country CA

Description:

[food, metal] Atlas Metal Industries Inc. — a privately held commercial-foodservice-equipment manufacturer headquartered in Miami, Florida. The dataset is a complete Microsoft Dynamics GP environment: production databases, payroll records, system credentials, Autodesk Vault product-design backups, CNC fabrication programs, and all supporting infrastructure configuration. The exfiltration occurred on or about April 8, 2026; the attack was identified April 22, 2026. The exposed material includes: 15.8 GB of payroll-records database (PYREC) — full Employee Master with SSNs, DOBs, addresses, direct-deposit bank routing numbers, salary, W-4 tax data, garnishments, and check history dating to at least 2018. 30+ SQL Server login accounts with password hashes in a sp_help_revlogin dump — named employees, system admins (DYNSA, sa), service accounts, and Active Directory domain accounts. 74 GB of Autodesk Vault Professional backup — complete product-design history from 2019 through 2026, covering every product line Atlas Metal manufactures. Hundreds of CNC fabrication programs — laser-cutter and Amada punch-press G-code for the full catalogue of sheet-metal components. A base64-encoded SQL credential for the TimeClock Plus timekeeping system, stored in plaintext XML. 8 SQL Server databases with full backup chains — ATLAS (primary), PYREC (payroll), DYNAMICS (system), TEST (18 GB dev clone), TWO, AMIT, plus system databases (master, msdb, DynamicsGPSecurity).

DNS Records:

The following DNS records were found for the victim's domain.

WHOIS Emails
  • domain.operationsweb.com
MX Records
  • atlasfoodserv-com.mail.protection.outlook.com. Microsoft 365
TXT Records
  • duo_sso_verification=WQZcqRlCWmLqwcLw8rFzbdJjU94PLEWgBELtPpNyjD6mMsl87aSaw7hpgeNU8Y45
  • v=spf1 ip4:69.229.2.2 ip4:172.4.112.37 include:spf.protection.outlook.com -all
Cloud / SaaS Services Detected
Cisco Duo

Leak Screenshot:

Leak Screenshot