Ransomware victim disclosure
Avanti Windows & Doors
Claimed by AUR0RA · listed 18 hours ago
Status timeline
- Listed: Jun 6, 2026
- Data leaked
At a glance
- Group: AUR0RA
- Status: Data leaked
- Country: US
- Sector: Manufacturing
- Listed on leak site: Jun 6, 2026
- Data size: 33 GB
- Records: 80+ Windows roaming profiles, 50-200+ contractors on 1099 forms
- Ransom demanded: $140
About the victim
AI dossier — public-source company profile
Avanti Windows & Doors is a vinyl window manufacturer headquartered in El Mirage, Arizona, with regional operations across Nevada, Texas, California, and Florida. The company serves builders and contractors through a FastAPI-based pricing platform and maintains a substantial customer base across the western and southern United States.
- Industry: Vinyl Window Manufacturing
- Address: El Mirage, Arizona, US (with regional offices in Nevada, Texas, California, and Florida)
Attack summary
Severity: critical — Confirmed exfiltration of highly sensitive data at scale: full employee identity packages (SSNs, W-4s, I-9s), plaintext SQL database credentials enabling complete access to customer orders and financial records, corporate bank credentials and statements, proprietary pricing algorithms, health/injury records subject to privacy regulations, and attorney-client privileged communications. The breadth and sensitivity of exposed data, combined with direct access to operational systems and financial in
AUR0RA claims to have exfiltrated the entire corporate file server, including customer orders, financial records, employee identity data, proprietary pricing algorithms, bank statements, and health/injury records spanning multiple years. The group advertises 33 GB of exposed material as proof of the breach.
Data the group says was taken
AI dossier — extracted from the leak post
- SQL Server SA credentials (FeneVision ERP database access)
- Employee SSNs, W-4s, I-9s, E-Verify data (2014–2016+)
- 1099-MISC/INT forms with SSNs/EINs (50–200+ contractors, 2 tax years)
- Direct deposit authorizations (employee bank account and routing numbers)
- 24+ months Chase bank statements
- 28 months AMEX corporate card statements
- Proprietary pricing algorithm source code (FastAPI backend)
- 41+ builder Master Service Agreements with pricing terms
- CPA-reviewed financial statements, partnership returns, K-1s, budget forecasts
- OSHA 300 logs and workers' compensation audit files
- UHC health insurance invoices with employee medical/injury data
- Attorney-client privileged ADOSH settlement correspondence
- ~80 Windows roaming profiles (desktops, documents, AppData, Outlook files, cached credentials)
What the group claims
A vinyl window manufacturer headquartered in El Mirage, Arizona, with regional offices across Nevada, Texas, California, and Florida.
The leak post
captured from the group's site
NorthWest Handling Systems — a 55-year-old forklift and warehouse equipment company headquartered in Renton, Washington, with branches across WA, OR, and AK. The dump is the entire corporate file share going back to 1988. 337,000+ files spanning every branch, every department, every era of the company. It includes:
- Plaintext credit card numbers in an Excel spreadsheet literally titled “C.O.D. info (CREDIT CARD INFO).xlsx” — stored at the root of the file server, unencrypted, for years.
- Social Security numbers and Taxpayer IDs on W-9 forms and certified payroll documents for government-contract work (USPS, Oregon DHS, public schools).
- 3+ years of plaintext passwords for Target Corporation’s vendor portal (TARS), stored in Word documents titled “TARGET PASSWORD & SECURITY QUESTIONS.” Each password rotation was saved as a new file.
- Home Depot Maximo DC billing credentials — plaintext, in a Word document, enabling fraudulent invoicing against a Fortune 50 company.
- Albertsons/Safeway Corrigo facility-management portal credentials — again, plaintext in a .docx file.
- 33 GB of customer warehouse CAD files — facility layouts, equipment placement, security-zone dimensions, and fire-protect…
Data the group says was taken
- SQL Server SA credentials
- employee SSNs
- W-4s
- I-9s
- E-Verify data
- 1099-MISC/INT forms
- direct deposit authorizations
- bank account and routing numbers
- bank statements
- AMEX corporate card statements
- proprietary pricing algorithm source code
- Master Service Agreements
- financial statements
- partnership returns
- K-1s
- budget forecasts
- OSHA 300 logs
- workers compensation audit files
- health insurance invoices
- attorney-client privileged correspondence
- Windows roaming profiles
- Outlook PST/OST files
- browser caches
- cached credentials
Sources
Indexed 18 hours ago
This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable.