FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations
ID: 62e03e38-5ac0-5c58-a958-9a08abb5c5b0
STIX ID: report--62e03e38-5ac0-5c58-a958-9a08abb5c5b0
Feed Name: The Hacker News
SOCRadar uncovered the financially motivated 'FortiBleed' campaign that scanned and compromised internet-facing FortiGate devices at scale, deployed a Golang packet sniffer to harvest credentials (reportedly gathering ~110 million credentials and targeting ~430,000 devices), and enabled follow-on intrusions including at least 12 ransomware deployments linked to INC and Lynx; the program also exposed operational infrastructure, showed possible targeting of Citrix and Nextcloud (including a claimed Nextcloud zero-day), and coincided with exploitation of CVE-2026-35616 to deploy the EKZ Stealer.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
