Dark Web News Analysis
The dark web news reports a critical data privacy and infrastructure incident involving Mammut Sports Group, the renowned Swiss producer of mountaineering and trekking equipment. A threat actor on a hacker forum is distributing data attributed to a Ransomware Attack by the DataCarry group.
While the attack reportedly occurred in May 2025, the data is now circulating freely. The leak comprises various file types, including CSV, SQL, and XLSX. Most alarmingly, analysts have identified one specific XLSX file that allegedly contains Administrative Passwords and detailed Firewall Settings. The timeline suggests the attackers had access to the network for several months before deploying the ransomware, indicating a prolonged period of silent exfiltration.
Key Cybersecurity Insights
Breaches involving network configuration files are “Tier 1” infrastructure threats because they provide a blueprint of the company’s defenses to future attackers:
- The “Blueprint” Leak: The exposure of Firewall Settings is catastrophic. It tells future attackers exactly which ports are open, which IP addresses are whitelisted, and the logic of the internal network segmentation. Combined with leaked Passwords, this allows any competent hacker to walk through the digital front door without triggering alarms.
- Ransomware Double Extortion: DataCarry, like many modern ransomware groups, utilizes “double extortion.” They not only encrypted Mammut’s files (causing operational downtime) but also exfiltrated sensitive data to use as leverage. The release of this data confirms that the extortion threat was real and executed.
- Persistent Access (Dwell Time): The indication that the compromise began “months before” the May 2025 attack points to a high dwell time. During this window, attackers likely installed Backdoors or Web Shells deep within the infrastructure. Even if the ransomware is cleaned up, these hidden access points might still exist, allowing the attackers (or others who buy the data) to return.
- Operational Exposure: The mix of SQL (database dumps) and CSV (likely customer or inventory lists) suggests the breach spanned multiple departments, compromising both retail operations and backend IT management.
Mitigation Strategies
To protect corporate infrastructure and prevent re-infection, the following strategies are recommended:
- Firewall Reconstruction: Mammut’s IT team must treat their current network perimeter as compromised. They should essentially “burn down” the old firewall rules and rebuild them from scratch, ensuring that no old, leaked configurations remain active.
- Threat Hunting: Conduct a deep forensic sweep for Persistence Mechanisms. Look for unauthorized scheduled tasks, unknown admin accounts created months ago, or suspicious VPN connections that match the leaked credentials.
- Credential Rotation: Immediate, forced rotation of all administrative passwords, particularly for network appliances (routers, switches, firewalls) and privileged service accounts.
- Network Segmentation: Ensure that the “Management Plane” (where firewalls are configured) is strictly isolated from the general corporate network so that a phishing email cannot lead to administrative dominance.
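The threat-hunting and credential-rotation steps above can be expressed as a small triage pass over identity and access logs. The following is an added illustration written for this post, not Brinztech's or Mammut's tooling: it walks a list of constructed, simplified events (placeholder account names, a placeholder deployment date inside May 2025, and a fictional event schema rather than any real SIEM export format) and flags privileged accounts created during the suspected dwell window, scheduled tasks registered by those accounts, and VPN logins that use accounts appearing in the leaked spreadsheet, then derives the rotation list a defender would act on.

```python
"""Persistence-hunting triage over constructed log events.

Added example for the mitigation steps above; not the tooling of any party
named in the post. The event schema, account names, IPs and dates below are
constructed placeholders.
"""
from datetime import datetime, timedelta

# Constructed placeholder: accounts assumed to appear in the leaked XLSX.
LEAKED_ADMIN_ACCOUNTS = {"fw-admin", "svc-backup"}

# Constructed placeholder: the report gives only "May 2025" for deployment,
# so the exact day is assumed. The hunt window covers the months before it.
DEPLOYMENT = datetime(2025, 5, 15)
HUNT_WINDOW_START = DEPLOYMENT - timedelta(days=180)

# Constructed sample events (simplified dictionaries, not a real log format).
EVENTS = [
    {"ts": "2025-01-12T02:14:00", "type": "account_created",
     "actor": "it-ops", "target": "svc-sync", "privileged": True},
    {"ts": "2025-02-03T11:20:00", "type": "account_created",
     "actor": "hr-admin", "target": "j.mueller", "privileged": False},
    {"ts": "2025-03-09T03:41:00", "type": "scheduled_task_created",
     "actor": "svc-sync", "task": "UpdateHealthCheck", "host": "fs01"},
    {"ts": "2025-04-22T22:05:00", "type": "vpn_login",
     "user": "fw-admin", "src_ip": "203.0.113.7"},
    {"ts": "2025-06-30T08:10:00", "type": "vpn_login",
     "user": "svc-backup", "src_ip": "198.51.100.21"},
    {"ts": "2024-06-01T09:00:00", "type": "account_created",
     "actor": "it-ops", "target": "svc-old", "privileged": True},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def hunt_persistence(events, leaked_accounts, window_start, deployment):
    """Return (indicator, subject, detail) tuples for persistence candidates.

    Pass 1 collects privileged accounts created inside the dwell window.
    Pass 2 flags scheduled tasks registered by those accounts and any VPN
    login using a leaked account, split into dwell-period vs post-leak use.
    """
    findings = []
    new_privileged = set()

    for e in events:
        ts = parse_ts(e["ts"])
        if (e["type"] == "account_created" and e["privileged"]
                and window_start <= ts <= deployment):
            new_privileged.add(e["target"])
            findings.append(("privileged_account_in_window", e["target"], e["ts"]))

    for e in events:
        ts = parse_ts(e["ts"])
        if e["type"] == "scheduled_task_created" and e["actor"] in new_privileged:
            findings.append(("task_by_new_privileged_account", e["task"], e["ts"]))
        elif e["type"] == "vpn_login" and e["user"] in leaked_accounts:
            phase = "post-leak" if ts > deployment else "dwell-period"
            findings.append(("vpn_login_leaked_credential", e["user"], phase))

    return findings


def accounts_to_rotate(findings, leaked_accounts):
    """Union of leaked accounts and accounts created during the dwell window.

    Both sets must be force-rotated (or disabled) regardless of whether a
    login was observed: absence of a hit in partial logs is not evidence.
    """
    created = {subject for kind, subject, _ in findings
               if kind == "privileged_account_in_window"}
    return sorted(set(leaked_accounts) | created)


if __name__ == "__main__":
    results = hunt_persistence(EVENTS, LEAKED_ADMIN_ACCOUNTS,
                               HUNT_WINDOW_START, DEPLOYMENT)
    for kind, subject, detail in results:
        print(f"{kind:32} {subject:20} {detail}")
    print("rotate:", accounts_to_rotate(results, LEAKED_ADMIN_ACCOUNTS))
```

The two-pass structure matters: a scheduled task is only interesting here because its creator is itself a suspicious account, so the account pass has to finish before task events are judged. In a real environment the same logic would run over directory audit events, task-scheduler creation events and VPN concentrator logs, with the window start set from forensic evidence rather than a fixed 180 days.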
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com