logo

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

ID: 62e03e38-5ac0-5c58-a958-9a08abb5c5b0

STIX ID: report--62e03e38-5ac0-5c58-a958-9a08abb5c5b0

Feed Name: The Hacker News

Threat Score
88/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: [email protected] (The Hacker News)

...
...

SOCRadar uncovered the financially motivated 'FortiBleed' campaign that scanned and compromised internet-facing FortiGate devices at scale, deployed a Golang packet sniffer to harvest credentials (reportedly gathering ~110 million credentials and targeting ~430,000 devices), and enabled follow-on intrusions including at least 12 ransomware deployments linked to INC and Lynx; the program also exposed operational infrastructure, showed possible targeting of Citrix and Nextcloud (including a claimed Nextcloud zero-day), and coincided with exploitation of CVE-2026-35616 to deploy the EKZ Stealer.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.