SOCRadar has uncovered a large-scale credential-harvesting campaign called FortiBleed targeting internet-exposed Fortinet FortiGate firewall portals at global scale. Attackers systematically scanned over 11,250 FortiGate portals across more than 150 countries, attempting unauthorized access using common credential combinations and deploying custom Golang-based packet sniffers on compromised devices to passively harvest authentication data from live network traffic.
The operation is assessed to involve approximately 20 personnel with a clear division of labor, likely operating as an organized initial access broker with Russian-speaking threat actors.
Scale of the Operation
The numbers underscore the campaign's industrial scope:
| Metric | Value |
|---|---|
| Portals scanned | 11,250 across 150+ countries |
| Admin-level access confirmed | 409 targets |
| Full attack chain completed | 354 devices |
| Golang sniffer installations | 12,000 confirmed |
| Credentials harvested | ~110 million |
| Ransomware deployments | 12 confirmed |
This marks the first confirmed direct tie between mass FortiGate credential theft and downstream ransomware deployment. SOCRadar linked the FortiBleed infrastructure to active use of both INC Ransom and Lynx ransomware negotiation panels, with an operator found working both panels simultaneously.
The Exposed Coordination Server
A key breakthrough came when researchers discovered an exposed staging and coordination server containing internal files, logs, automation scripts, and configuration data. This, along with over 200 newly discovered associated servers, revealed the full operational structure, target inventories, and harvested credential stores.
As SOCRadar's CISO described it, the server "contained target inventories, harvested data, automation scripts, configuration files, and operational artifacts that indicate it was used to coordinate large-scale credential harvesting against internet-facing network appliances."
Targeting Patterns
Primary targeting focuses on:
- Sectors: Manufacturing, Technology, Logistics
- Regions: Latin America and Asia-Pacific carry the heaviest victim concentration
Beyond FortiGate: Nextcloud Zero-Day and Citrix
The campaign doesn't stop at Fortinet. Researchers found:
- Nextcloud zero-day: Threat actors possess at least one unpatched zero-day vulnerability in Nextcloud, which SOCRadar is actively coordinating with the vendor to disclose.
- Citrix reconnaissance: 29,000 IP addresses and 37 domains associated with Citrix environments were identified in the actors' target lists, suggesting planned expansion into additional remote access technologies — though no large-scale Citrix exploitation has been confirmed yet.
Concurrent FortiClient Campaign
Separately, eSentire reported a related but distinct campaign exploiting CVE-2026-35616 (FortiClient EMS, CVSS 9.1) to deploy EKZ Stealer against energy, utilities, and waste sector targets. While using different entry points, both campaigns highlight Fortinet products as a high-priority target category for organized threat actors in mid-2026.
Recommendations for Defenders
Organizations running Fortinet infrastructure should take immediate action:
- Audit all internet-exposed FortiGate portals — restrict access to management interfaces via IP allowlists or VPN-only access.
- Rotate all FortiGate admin credentials and review for unauthorized admin accounts.
- Review for Golang sniffer implants on FortiGate devices: unexpected processes, modified firmware images, or unusual outbound traffic patterns.
- Apply all available Fortinet patches and review the Fortinet PSIRT advisory feed for related advisories.
- Patch FortiClient EMS for CVE-2026-35616 if deployed in energy or utilities environments.
- Review Nextcloud exposure and follow vendor advisories as coordinated disclosure concludes.
- Monitor for INC Ransom and Lynx ransomware TTPs in your threat intelligence feeds — both groups are actively deploying based on FortiBleed access.