Quick Summary
Executive Summary
Port Angeles Composite, a manufacturing company located in the United States, has been named as a victim by the CmdOrganization ransomware group. The group published a listing for the company on its dark web portal on June 30, 2026. This incident was detected by SOCRadar’s Dark Web Monitoring service. The CmdOrganization group has a known pattern of targeting the healthcare, business services, and manufacturing sectors, with a significant number of its victims located in the United States, followed by the United Kingdom and India.
Technical Analysis
SOCRadar’s threat intelligence analysis indicates that CmdOrganization has claimed 27 other victims in the 60 days prior to this listing, showing a clear preference for the healthcare, business services, and manufacturing sectors. Geographically, victims in the United States are most prevalent, followed by the United Kingdom and India. Previous ransomware listings by CmdOrganization targeting manufacturers include Kohinoor Mills, New FACOM Co., Ltd., Union Tractor, and Pinnacle Re-Tec. Port Angeles Composite aligns with this trend as a US-based manufacturer.
A search of SOCRadar’s stealer-log telemetry for the domain pacomposite.com did not yield any records for exposed credentials. However, this negative result does not confirm the absence of exposed credentials. The query is limited by its data source and scope and may not capture credentials indexed under alternate domains, personal email aliases, or feeds outside the specific dataset queried. Therefore, the absence of a hit should be interpreted as “no information surfaced in this specific query” rather than definitive proof of no exposed credentials.
The typical initial access vector for ransomware groups like CmdOrganization involves the use of credentials harvested by infostealers. Threat actors or initial access brokers obtain logs from underground marketplaces, validate corporate credentials, and use them to gain unauthorized access to systems such as Microsoft 365, VPNs, or remote-access portals before deploying ransomware. Despite the lack of evidence in the current query, this scenario remains plausible due to potential credential exposure through other sources or methods not indexed in the queried dataset. CTI teams are advised to continue monitoring and implement proactive credential hygiene measures.