- Credential theft campaign FortiBleed is now linked to INC and Lynx ransomware operations, with stolen data used for follow-on attacks.
- Threat actors targeted ~11,250 FortiGate portals, gained admin access to 409, and caused ransomware deployments on at least 12 organizations, encrypting hundreds of endpoints.
- The operation is run by a Russian-speaking group of about 20 people and has also potentially exploited a zero-day in Nextcloud.
- Separately, attackers are exploiting a Fortinet flaw (CVE-2026-35616) to deploy EKZ Stealer against energy sector targets.
A recently exposed cyber-espionage campaign, first discovered in mid-2026, has been definitively linked to ransomware syndicates, directly connecting mass credential theft to cyber extortion. Dubbed FortiBleed, this financially motivated operation targeted hundreds of thousands of Fortinet devices worldwide to harvest over 110 million credentials for follow-on intrusions.
SOCRadar said an operator tied to the campaign’s infrastructure was found actively working negotiation panels for both the INC and Lynx ransomware groups. Over the course of the campaign, the threat actors scanned approximately 11,250 FortiGate portals and confirmed admin-level access on 409 targets, successfully completing the attack chain on 354 of them.
This access resulted in at least 12 ransomware deployments, which encrypted hundreds of endpoints across affected organizations. The large-scale operation involved deploying custom packet sniffers on compromised devices to passively gather authentication data from network traffic.
Tooling and logs indicate the activity is the work of a Russian-speaking threat actor operating as an initial access broker. An internal document suggests it’s an organized operation comprising about 20 people with a clear division of labor: “A small core of lead operators drives most high-impact intrusions, backed by specialists and support staff.”
Furthermore, the threat actors are believed to be in possession of at least one zero-day vulnerability in Nextcloud. Meanwhile, eSentire observed separate actors exploiting a flaw in Fortinet FortiClient EMS (CVE-2026-35616) to deploy EKZ Stealer against a customer in the energy sector.