Medlink Georgia Data Breach

Status: Alleged

Ransomware claim involving Medlink Georgia.

Published: Jun 30, 2026
Threat Actor: CmdOrganization
Threat Level: High
Confidence: High

Quick Summary

Status: Alleged
Company: Medlink Georgia
Industry: Business Services
Threat Actor: CmdOrganization
Date of Incident: Jun 30, 2026

Executive Summary

Medlink Georgia, a healthcare company, has been listed on the CmdOrganization ransomware group’s dark web leak portal, with the entry dated June 30, 2026. The listing was detected by SOCRadar’s Dark Web Monitoring service. CmdOrganization has recently concentrated on the healthcare sector, and Medlink Georgia fits that pattern. In the 60 days before this listing, CmdOrganization claimed 27 other victims, concentrated in the healthcare, business services, and manufacturing sectors. Its primary geographical target is the United States, followed by the United Kingdom and India. Other healthcare organizations previously listed by CmdOrganization include EON Meditech Pvt, Capital Family Physicians, Hospice Savannah, and Stonehenge Therapeutic Community.

Technical Analysis

SOCRadar’s stealer-log telemetry revealed a potential initial access vector for Medlink Georgia: employee credentials for the medlinkga.org domain were exposed. Two of the recovered records target Microsoft 365 identity and mail infrastructure, specifically an Entra ID single sign-on endpoint and a Microsoft 365 SMTP submission service. The same masked password appears in both records, which points to either credential reuse across services or a single harvesting event on one infected host. Exposure of identity and mail credentials together is a recognized pathway for ransomware initial access and subsequent lateral movement. Ransomware groups such as CmdOrganization frequently use credentials harvested by information stealers as an initial access vector: they source logs from dark web markets, validate the corporate credentials, and use the working ones to gain access before deploying ransomware. This listing does not confirm that CmdOrganization used these particular credentials in this incident, but exposed M365 identity and mail credentials are exactly the input that kill chain consumes and therefore represent a critical risk.

Defenders are advised to reset the affected accounts, revoke active sessions and refresh tokens, review Microsoft 365 sign-in and mailbox audit logs for anomalous activity, enforce phishing-resistant MFA, and investigate the endpoints that produced the logs for stealer activity.
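The triage the analysis describes, as an added example rather than SOCRadar code: parse a stealer-log credential dump in the common URL/USER/PASS block layout, keep only accounts on the target domain, classify each record as Entra ID identity, M365 mail submission, or other, detect the same password appearing on more than one host, and emit the response actions per account. The hostname lists, the sample records (placeholder domain example.org, fictitious users and passwords) and the `log_id` label are assumptions made for the example; passwords are fingerprinted with SHA-256 so the plaintext is never retained in the output.

```python
"""Triage of stealer-log credential records for one target domain (added example)."""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed hostname sets for Microsoft 365 identity (Entra ID sign-in) and mail submission.
IDENTITY_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
MAIL_HOSTS = {"smtp.office365.com", "outlook.office365.com", "outlook.office.com"}

# Constructed sample in the URL/USER/PASS block layout common to stealer "Passwords.txt"
# dumps. Placeholder domain and fictitious credentials, not records from the report.
SAMPLE_LOG = """\
URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
USER: j.doe@example.org
PASS: Winter2025!

URL: smtp.office365.com:587
USER: j.doe@example.org
PASS: Winter2025!

URL: https://portal.vendor.test/login
USER: j.doe@example.org
PASS: Different#Pass9

URL: https://login.microsoftonline.com/
USER: a.smith@another.test
PASS: Summer99
"""


@dataclass
class Record:
    host: str
    user: str
    pw_fingerprint: str  # truncated SHA-256 of the password; plaintext is never kept
    category: str        # "identity", "mail" or "other"


def host_of(url: str) -> str:
    """Lowercase hostname from a full URL or a bare host[:port] string."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower()


def classify(host: str) -> str:
    if host in IDENTITY_HOSTS:
        return "identity"
    if host in MAIL_HOSTS:
        return "mail"
    return "other"


def parse_log(text: str, target_domain: str) -> list:
    """Parse URL/USER/PASS blocks, keeping only accounts on target_domain."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(URL|USER|PASS):\s*(.*)$", block, re.M))
        if not {"URL", "USER", "PASS"} <= fields.keys():
            continue  # malformed block: skip rather than guess at its contents
        user = fields["USER"].strip().lower()
        if not user.endswith("@" + target_domain.lower()):
            continue
        fp = hashlib.sha256(fields["PASS"].encode()).hexdigest()[:16]
        host = host_of(fields["URL"].strip())
        records.append(Record(host, user, fp, classify(host)))
    return records


def triage(text: str, target_domain: str, log_id: str) -> dict:
    """Per-account findings: exposed M365 surfaces, password reuse across hosts,
    a priority, and the response actions the analysis recommends."""
    per_user: dict = {}
    for r in parse_log(text, target_domain):
        per_user.setdefault(r.user, []).append(r)

    findings = {}
    for user, recs in per_user.items():
        categories = sorted({r.category for r in recs})
        hosts_by_fp: dict = {}
        for r in recs:
            hosts_by_fp.setdefault(r.pw_fingerprint, set()).add(r.host)
        # Reuse: one password fingerprint observed on two or more distinct hosts.
        reused = any(len(hosts) > 1 for hosts in hosts_by_fp.values())
        m365 = {"identity", "mail"} & set(categories)
        # Identity plus mail from one log is the combination flagged as a ransomware
        # initial-access pathway, so it gets the top priority.
        priority = "critical" if m365 == {"identity", "mail"} else ("high" if m365 else "medium")
        actions = [
            "reset password",
            "revoke all sessions and refresh tokens",
            f"investigate the endpoint that produced log {log_id} for stealer activity",
        ]
        if "identity" in m365:
            actions.append("review Entra ID sign-in logs for the account")
            actions.append("require phishing-resistant MFA before re-enabling")
        if "mail" in m365:
            actions.append("review mailbox audit log and message trace for the account")
        if reused:
            actions.append("password reused across hosts: reset on every service, not only M365")
        findings[user] = {"categories": categories, "reused": reused,
                          "priority": priority, "actions": actions}
    return findings


if __name__ == "__main__":
    for account, finding in triage(SAMPLE_LOG, "example.org", "log-0001").items():
        print(account, finding["priority"], finding["categories"], finding["reused"])
        for action in finding["actions"]:
            print("  -", action)
```

On real logs the `log_id` would be the archive or machine identifier the stealer stamped on the dump, which is what ties the credential back to the infected endpoint that needs investigating; the fingerprint comparison is what lets an analyst assert reuse without ever storing the recovered password.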