FortiBleed Credential Harvesting Tied to INC and Lynx Ransomware Activity
A newly identified credential-theft operation known as FortiBleed has now been linked to the INC and Lynx ransomware ecosystems, suggesting the stolen access was being used to support later-stage intr...
A newly identified credential-theft operation known as FortiBleed has now been linked to the INC and Lynx ransomware ecosystems, suggesting the stolen access was being used to support later-stage intrusions. According to a report from SOCRadar, an operator connected to the FortiBleed backend was seen handling negotiation portals for both ransomware groups, creating what the company describes as the first direct connection between large-scale FortiGate credential harvesting and ransomware deployment.
SOCRadar said the campaign involved internet-wide scanning of roughly 11,250 FortiGate portals across more than 150 countries. In its analysis, the firm found confirmed administrator-level access on 409 systems and evidence that the full attack chain was completed on 354 of them. At least 12 ransomware incidents appear to have followed, with hundreds of endpoints encrypted across affected organizations.
How the campaign worked
The activity came to light after attackers made an operational mistake and left a server exposed on the internet. That system reportedly contained credentials taken from thousands of Fortinet appliances. SOCRadar estimates the campaign targeted around 430,000 FortiGate firewalls worldwide and collected more than 110 million credentials. The company also believes a custom Golang-based sniffer was deployed on about 12,000 devices to capture authentication data from network traffic.
Researchers said the exposed server was part of the attackers’ internal coordination environment, holding target lists, harvested data, scripts, and other operational files. Based on tooling, logging patterns, and working hours, the group is believed to be Russian-speaking and possibly operating as an initial access broker. Targeting has heavily focused on manufacturing, technology, and logistics organizations in Latin America and Asia Pacific.
Broader targeting and related threats
SOCRadar also said it found signs that the operation may extend beyond Fortinet hardware. Internal material included Citrix-related artifacts and a target list of about 29,000 IP addresses and 37 domains linked to Citrix environments. While that does not prove mass harvesting against Citrix products, researchers said it shows clear preparation for broader targeting.
The company added that attackers may also possess a zero-day flaw in Nextcloud and is coordinating with the vendor. In a separate development, eSentire reported active exploitation of a Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-35616, to deliver EKZ Stealer and collect browser-stored credentials from a victim in the energy sector.
