Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations
FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations
NEWS

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

SOCRadar uncovered FortiBleed — a large-scale credential-harvesting campaign targeting 11,250 FortiGate portals across 150+ countries, resulting in 110...

Dylan H.

News Desk

July 2, 2026
3 min read

SOCRadar has uncovered a large-scale credential-harvesting campaign called FortiBleed targeting internet-exposed Fortinet FortiGate firewall portals at global scale. Attackers systematically scanned over 11,250 FortiGate portals across more than 150 countries, attempting unauthorized access using common credential combinations and deploying custom Golang-based packet sniffers on compromised devices to passively harvest authentication data from live network traffic.

The operation is assessed to involve approximately 20 personnel with a clear division of labor, likely operating as an organized initial access broker with Russian-speaking threat actors.

Scale of the Operation

The numbers underscore the campaign's industrial scope:

MetricValue
Portals scanned11,250 across 150+ countries
Admin-level access confirmed409 targets
Full attack chain completed354 devices
Golang sniffer installations12,000 confirmed
Credentials harvested~110 million
Ransomware deployments12 confirmed

This marks the first confirmed direct tie between mass FortiGate credential theft and downstream ransomware deployment. SOCRadar linked the FortiBleed infrastructure to active use of both INC Ransom and Lynx ransomware negotiation panels, with an operator found working both panels simultaneously.

The Exposed Coordination Server

A key breakthrough came when researchers discovered an exposed staging and coordination server containing internal files, logs, automation scripts, and configuration data. This, along with over 200 newly discovered associated servers, revealed the full operational structure, target inventories, and harvested credential stores.

As SOCRadar's CISO described it, the server "contained target inventories, harvested data, automation scripts, configuration files, and operational artifacts that indicate it was used to coordinate large-scale credential harvesting against internet-facing network appliances."

Targeting Patterns

Primary targeting focuses on:

  • Sectors: Manufacturing, Technology, Logistics
  • Regions: Latin America and Asia-Pacific carry the heaviest victim concentration

Beyond FortiGate: Nextcloud Zero-Day and Citrix

The campaign doesn't stop at Fortinet. Researchers found:

  • Nextcloud zero-day: Threat actors possess at least one unpatched zero-day vulnerability in Nextcloud, which SOCRadar is actively coordinating with the vendor to disclose.
  • Citrix reconnaissance: 29,000 IP addresses and 37 domains associated with Citrix environments were identified in the actors' target lists, suggesting planned expansion into additional remote access technologies — though no large-scale Citrix exploitation has been confirmed yet.

Concurrent FortiClient Campaign

Separately, eSentire reported a related but distinct campaign exploiting CVE-2026-35616 (FortiClient EMS, CVSS 9.1) to deploy EKZ Stealer against energy, utilities, and waste sector targets. While using different entry points, both campaigns highlight Fortinet products as a high-priority target category for organized threat actors in mid-2026.

Recommendations for Defenders

Organizations running Fortinet infrastructure should take immediate action:

  1. Audit all internet-exposed FortiGate portals — restrict access to management interfaces via IP allowlists or VPN-only access.
  2. Rotate all FortiGate admin credentials and review for unauthorized admin accounts.
  3. Review for Golang sniffer implants on FortiGate devices: unexpected processes, modified firmware images, or unusual outbound traffic patterns.
  4. Apply all available Fortinet patches and review the Fortinet PSIRT advisory feed for related advisories.
  5. Patch FortiClient EMS for CVE-2026-35616 if deployed in energy or utilities environments.
  6. Review Nextcloud exposure and follow vendor advisories as coordinated disclosure concludes.
  7. Monitor for INC Ransom and Lynx ransomware TTPs in your threat intelligence feeds — both groups are actively deploying based on FortiBleed access.
#Ransomware#Fortinet#Credential Theft#Initial Access Broker#Cybercrime

Related Articles

FortiBleed Credential-Theft Campaign Linked to Lynx Ransomware Group

Researchers have connected the massive FortiBleed credential-theft operation — which harvested credentials from over 86,000 FortiGate firewalls — directly...

3 min read

FortiBleed: 5-Stage Attack Chain Behind 110 Million Credential Heist on FortiGate Firewalls

Deep analysis of the FortiBleed operation reveals a sophisticated five-stage credential harvesting pipeline — custom Golang sniffers, Telegram-based...

5 min read

Stealthy Mistic Backdoor Linked to Ransomware Access Broker KongTuke

Security researchers have identified a new backdoor malware named Mistic being deployed by KongTuke, a ransomware initial access broker, in financially...

7 min read
Back to all News