Ransomware victim disclosure
Avanti Windows & Doors
Claimed by aurora · listed 9 days ago
Status timeline
- Listed: May 12, 2026
- Data leaked
At a glance
- Group: aurora
- Status: Data leaked
- Country: US
- Sector: Manufacturing
- Listed on leak site: May 12, 2026
About the victim
AI dossier — public-source company profile
Avanti Windows & Doors is a vinyl window and door manufacturer headquartered in El Mirage, Arizona, with regional offices across Nevada, Texas, California, and Florida. The company serves the residential and commercial construction market, operating with builder contracts and Master Service Agreements. It uses the FeneVision ERP platform to manage customer orders, pricing, and financial records.
- Industry: Vinyl Windows & Doors Manufacturing
- Address: El Mirage, Arizona, USA (with regional offices in Nevada, Texas, California, and Florida)
Attack summary
Severity: critical — The published data includes regulated PII at scale (employee SSNs, I-9s, E-Verify, W-4s, direct deposit banking details), contractor tax identifiers (SSNs/EINs on 1099s), employee medical/injury records (OSHA 300, workers' comp, health insurance), full corporate banking credentials and statements, attorney-client privileged documents, and cached network credentials — constituting a multi-category regulated data breach affecting employees, contractors, and the company's financial and legal postur
The Aurora ransomware group claims to have exfiltrated a broad range of sensitive data from Avanti Windows & Doors, including employee PII (SSNs, W-4s, I-9s, direct deposit banking details), contractor tax records, corporate bank and credit card statements, proprietary pricing source code, attorney-client privileged correspondence, and approximately 80 employee roaming profiles containing cached credentials and email archives. No ransom amount was stated and data has been published.
Data the group says was taken
AI dossier — extracted from the leak post
- Plaintext SQL Server SA credentials
- FeneVision ERP database access
- Employee SSNs
- W-4 and I-9 forms
- E-Verify data
- Payroll records (2014–2016+)
- 1099-MISC/INT forms with SSNs/EINs
- Direct deposit bank account and routing numbers
- 24+ months of Chase bank statements
- 28 months of AMEX corporate card statements
- Proprietary window pricing algorithm (FastAPI source code)
- 41+ builder Master Service Agreements
- CPA-reviewed financial statements
- Partnership returns and K-1s
- Budget forecasts
- OSHA 300 logs
- Workers' compensation audit files
- UHC health insurance invoices
- Employee medical and injury records
- Attorney-client privileged ADOSH settlement correspondence
- ~80 Windows roaming profiles
- Outlook .ost/.pst files
- Browser caches and cached credentials
What the group claims
Avanti Windows & Doors — a vinyl window manufacturer headquartered in El Mirage, Arizona, with regional offices across Nevada, Texas, California, and Florida. The exposed material includes:
- Plaintext SQL Server SA (system administrator) credentials — the master key to the FeneVision ERP database containing every customer order, every price, every financial record the company has ever processed.
- Employee SSNs, W-4s, I-9s, and E-Verify data — the complete identity package for the entire workforce, from new-hire packets through payroll records spanning 2014–2016+.
- 1099-MISC/INT forms — SSNs/EINs and payment amounts for 50–200+ contractors and vendors across two tax years.
- Direct deposit authorizations — bank account and routing numbers for employees who enrolled in ACH payroll.
- 24+ months of Chase bank statements and 28 months of AMEX corporate card statements — full account numbers, transaction details, and spending patterns.
- The complete proprietary pricing algorithm — source code for the FastAPI backend that determines window pricing for every builder contract, plus 41+ builder Master Service Agreements with exact pricing terms.
- CPA-reviewed financial statements, partnership returns, K-1s, and budget forecasts — the company’s full financial anatomy, from cost structure to profit allocation.
- OSHA 300 logs, workers’ compensation audit files, and UHC health insurance invoices — employee medical and injury data, names of injured workers, treatment details.
- Attorney-client privileged ADOSH settlement correspondence — OSHA settlement negotiations between outside counsel and the CEO.
- ~80 Windows roaming profiles — employee desktops, documents, AppData, Outlook .ost/.pst files, browser caches, and cached credentials.
Sources
Indexed 9 days ago
This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
