The newly uncovered FortiBleed campaign has raised significant alarm within the cybersecurity community, having been linked to the operations of both the INC and Lynx ransomware groups. The link rests on verified stolen credentials that were used for subsequent intrusions into targeted systems.
In a recently released report, SOCRadar revealed that an operator associated with FortiBleed was seen in the negotiation panels of both ransomware groups. This marks a troubling trend in which large-scale credential theft from FortiGate devices is tied directly to ransomware deployment. Such a direct connection between credential theft and ransomware deployment is unprecedented, indicating a sophisticated and concerning evolution in cybercriminal tactics.
SOCRadar’s investigation uncovered that there was scanning activity involving around 11,250 FortiGate portals across more than 150 countries. Further analysis disclosed that administrative-level access was confirmed on 409 targets, with 354 of these having the complete attack sequence successfully executed. Consequently, at least 12 deployments of ransomware have been linked to this access, leading to the encryption of hundreds of endpoints across various affected organizations.
The FortiBleed operation is particularly troubling due to its large-scale method of credential harvesting. Beginning last month, this campaign was characterized by systematic scanning of the internet for vulnerable Fortinet devices. The attackers employed a strategy that included the use of known credential combinations in their attempts to infiltrate these devices. Once access was gained, they deployed custom packet sniffers aimed at passively collecting credentials and other authentication data from network traffic, effectively compromising a significant amount of sensitive information.
An analysis conducted by security experts predicts that this campaign has targeted approximately 430,000 FortiGate firewalls globally, managing to amass over 110 million credentials during its execution. This alarming breach of security was ultimately brought to light because of a critical operational security lapse by the attackers. They unintentionally exposed a server containing the stolen credentials from thousands of Fortinet devices on the open internet, providing vital insights into their operations.
The technical details surrounding the breach are equally alarming. A Golang-based packet sniffer has reportedly been installed on about 12,000 Fortinet devices, a fraction of the networking equipment that came under scrutiny during the campaign. SOCRadar's findings also indicate that one particular operator with access to the FortiBleed infrastructure was found logged into both the INC Ransom and Lynx negotiation panels, and that the victim list maintained by INC Ransom overlaps with data acquired in the FortiBleed campaign.
Ensar Seker, the chief information security officer at SOCRadar, expressed in an email to The Hacker News that the exposed server operated as a staging and coordination hub, rather than as a platform for phishing or active credential harvesting. This server contained a plethora of operational information, such as target inventories, automation scripts, configuration files, and other artifacts that substantiated its role in orchestrating a large-scale credential harvesting initiative against internet-facing network appliances. Thus, it served as an integral piece of the attackers’ backend infrastructure.
An in-depth analysis pointed toward the involvement of a Russian-speaking threat actor likely functioning as an initial access broker in this campaign. The targeting patterns indicated that the manufacturing, technology, and logistics sectors across Latin America and the Asia-Pacific region are particularly at risk.
SOCRadar’s report also unveiled an internal document suggesting that this operation is structured and organized, comprising approximately 20 individuals with specialized roles. A core group of lead operators managed the high-impact intrusions, supported by specialists and support staff who assisted in executing their plans efficiently.
Particularly concerning is evidence indicating that the threat actors may have access to at least one zero-day vulnerability in Nextcloud. To address this issue, the threat intelligence firm has started coordinating with the implicated vendor. Furthermore, artifacts linked to Citrix were also uncovered, suggesting that the operation’s reach might extend beyond Fortinet devices. A target list related to Citrix environments identified around 29,000 IP addresses and 37 domains, indicating that the operational infrastructure could be repurposed for targeting other remote access technologies.
Despite the preemptive nature of this discovery, Ensar Seker clarified that the identification of target lists does not definitively confirm that large-scale credential harvesting against Citrix devices has commenced. Rather, it demonstrates that significant reconnaissance and preparatory efforts are taking place, suggesting a meticulously planned series of attacks ahead.
Given the sophistication and capabilities displayed in the FortiBleed campaign, organizations utilizing internet-facing Citrix infrastructure are encouraged to treat this situation as a crucial early warning. It is imperative to verify authentication logs, rotate previously exposed credentials, implement multi-factor authentication, and maintain vigilance for any unusual login activity.
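The method described earlier (known credential combinations tried against FortiGate administrative portals until one succeeds) leaves a recognisable trace in the device's own event log. The following is an added example, not code from SOCRadar or the article, showing how a defender could triage those logs as the advice above recommends: it parses FortiGate-style key=value admin login events and flags successful logins that follow a burst of failures from the same source or that come from an address outside a trusted management range. The field names, the trusted prefix `10.` and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate's key=value event-log style (the field
# names are an assumption; none of this is taken from the SOCRadar report).
SAMPLE_LOGS = """\
date=2026-04-01 time=02:14:05 logid="0100032002" type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-04-01 time=02:14:06 logid="0100032002" type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-04-01 time=02:14:08 logid="0100032002" type="event" subtype="system" user="fortinet" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-04-01 time=02:14:09 logid="0100032001" type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="success" reason="none"
date=2026-04-01 time=09:02:11 logid="0100032001" type="event" subtype="system" user="admin" srcip=10.0.5.20 action="login" status="success" reason="none"
date=2026-04-01 time=11:30:44 logid="0100032001" type="event" subtype="system" user="admin" srcip=198.51.100.9 action="login" status="success" reason="none"
""".splitlines()

# key=value pairs; values are either double-quoted or a bare run of non-space chars
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def find_suspicious_admin_logins(lines, trusted_admin_nets=("10.",), fail_threshold=2):
    """Return successful admin logins that either followed >= fail_threshold
    failed attempts from the same source IP (credential-stuffing pattern) or
    came from a source outside the trusted management prefixes (assumed)."""
    events = [e for e in (parse_line(l) for l in lines) if e.get("action") == "login"]
    failures = defaultdict(int)  # srcip -> failed attempts seen so far, in log order
    findings = []
    for e in events:
        src = e.get("srcip", "?")
        if e.get("status") == "failed":
            failures[src] += 1
            continue
        if e.get("status") != "success":
            continue
        reasons = []
        if failures[src] >= fail_threshold:
            reasons.append(f"success after {failures[src]} failures")
        if not src.startswith(trusted_admin_nets):
            reasons.append("untrusted source")
        if reasons:
            findings.append({"srcip": src, "user": e.get("user"),
                             "time": f'{e.get("date")} {e.get("time")}',
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_admin_logins(SAMPLE_LOGS):
        print(finding)
```

Any account in the flagged results should have its credentials rotated, since a success preceded by failures from an untrusted source is consistent with reuse of a previously harvested password.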
This disclosure arrives on the heels of a separate warning from eSentire, which reported observed exploitation of a flaw in Fortinet FortiClient EMS (CVE-2026-35616). The exploit was reportedly used to deploy an information stealer dubbed EKZ Stealer, primarily against customers in the energy, utilities, and waste sectors. Its apparent goal is the exfiltration of credentials from browsers, including Chromium-based browsers and Firefox, via PowerShell.
Overall, this evolving situation surrounding the FortiBleed campaign underscores the pressing need for organizations to reassess and fortify their cybersecurity postures amidst a landscape of increasing threats.