FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks

Researchers say credentials harvested from hundreds of thousands of FortiGate firewalls are being used to facilitate ransomware attacks by the INC and Lynx operations.

FortiBleed, the large-scale credential-harvesting operation targeting organizations in 150 countries, has led to the deployment of INC Ransom and Lynx ransomware families, SOCRadar reports.

Uncovered in mid-June, FortiBleed has targeted over 430,000 FortiGate firewalls, deploying a network sniffer dubbed FortigateSniffer that captures the traffic passing through them and extracts cleartext credentials and password hashes for use in later intrusions. Because the credentials are taken from traffic transiting the firewall rather than from the device itself, they remain usable until rotated, even after the sniffer is removed.

The campaign is likely mounted by a Russian initial access broker aiming to gain access to Active Directory domains, steal sensitive information, and establish persistent access.

FortiBleed has been ongoing since at least February, and the attackers are estimated to have compromised over 110 million credentials.

Now, SOCRadar says it has observed scanning activity against roughly 11,250 FortiGate portals and that the attackers gained administrative access on 409 targets.

The threat actor was observed completing the full attack chain on 354 targets, including compromising VPNs, accessing the domain controller, and gaining domain admin privileges.

Of these, 12 incidents have resulted in ransomware deployment, with “hundreds of endpoints encrypted across affected organizations,” SOCRadar says.

An operational security error by the attackers provided the cybersecurity company with visibility into their environment and with access to internal files, logs, and documentation.

SOCRadar observed a single operator logged into both the INC Ransom and Lynx ransomware negotiation panels, as well as overlaps between FortiBleed victims and INC targets, confirming that the same organizations were hit in both operations.

“Finding a single operator working both panels, using infrastructure traceable back to FortiBleed, is the clearest evidence yet that FortiGate credentials harvested through this campaign are being handed off, or used directly, for ransomware deployment,” SOCRadar notes.

Analysis of an internal tracking document associated with FortiBleed suggests that the operation involves roughly 20 individuals, with some focused on high-impact intrusions and others providing technical support.

“FortiBleed isn’t an isolated credential-theft operation sitting off to the side of the ransomware economy; it’s feeding directly into it. The same access broker infrastructure that quietly intercepted authentication traffic across hundreds of thousands of firewalls is connected, through a shared operator, to two of the more active ransomware brands operating today,” SOCRadar notes.

INC Ransom emerged in mid-2023 and has been one of the most prolific ransomware-as-a-service (RaaS) operations. Lynx was likely released as an updated variant a year later.

Related: BlueHammer Vulnerability Exploited in Ransomware Attacks

Related: New ‘Mistic’ RAT Opens Door to Several Ransomware Families

Related: Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack

Related: FBI: Cybercrime Losses Neared $21 Billion in 2025

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.