logo

FortiBleed credential-theft campaign linked to Lynx ransomware

ID: fe37d094-9093-5d6f-8a25-289a73bb145f

STIX ID: report--fe37d094-9093-5d6f-8a25-289a73bb145f

Feed Name: Bleeping Computer

Threat Score
88/100

Date Published: 2026-07-01

Date Updated: 2026-07-02

Author: Lawrence Abrams

...
...

SOCRadar's research links the large-scale 'FortiBleed' credential-theft campaign — which exfiltrated FortiGate configs and credentials from tens of thousands of devices via a custom packet sniffer and exposed a server containing creds from 73,000+ devices — to the INC and Lynx ransomware operations; the investigation uncovered extensive infrastructure (hundreds of servers), persistent backdoor accounts, evidence of credential-stuffing/cracking activity, overlap with ransomware victim lists, and possible exploitation of a Nextcloud zero-day.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.