logo

FortiBleed Actors Collaborating With Inc, Lynx Ransomware Gangs

ID: bd1a332f-6770-556a-a634-11f52afb070d

STIX ID: report--bd1a332f-6770-556a-a634-11f52afb070d

Feed Name: Dark Reading

Threat Score
88/100

Date Published: 2026-07-02

Date Updated: 2026-07-03

Author: Rob Wright

...
...

SOCRadar uncovered a large-scale FortiGate credential-harvesting campaign dubbed “FortiBleed” that installed a Golang-based sniffer on thousands of firewalls, enabling an IAB operation to collect admin credentials and sell or hand off access to ransomware groups (Inc and Lynx). Researchers reported ~430,000 FortiGate devices targeted, ~12,000 compromised with the sniffer, admin-level access on 409 targets (full domain compromise on 354), at least 12 confirmed ransomware deployments, and exploitation of an undisclosed Nextcloud zero-day to expand access.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.