Cyber Web Spider Blog – News

FortiBleed Credential Theft Ties Ransomware to INC and Lynx

Posted on July 2, 2026 By CWS

The recent, financially motivated FortiBleed campaign has been linked to the INC and Lynx ransomware groups. The operation centers on credential theft, with the stolen credentials intended for use in subsequent attacks.

Ransomware Operations Unveiled

A report by SOCRadar revealed that an operator linked to FortiBleed’s infrastructure was engaging in negotiation activities for both the INC and Lynx groups. This marks the first time that mass credential theft from FortiGate devices is directly associated with ransomware deployment.

SOCRadar tracked activities targeting around 11,250 FortiGate portals across more than 150 countries. The attackers successfully gained admin-level access on 409 targets and completed the attack chain on 354. Consequently, at least 12 ransomware deployments have been executed, encrypting hundreds of endpoints within affected organizations.

Global Impact and Methodology

The large-scale credential theft campaign was discovered last month. The attackers systematically scanned the internet for vulnerable Fortinet devices, used known credentials to breach them, and deployed custom packet sniffers to gather authentication data passively.

It’s estimated that 430,000 FortiGate firewalls were targeted globally, resulting in the collection of over 110 million credentials. The operation was exposed through a security lapse by the attackers, who left a server holding stolen credentials accessible online.

Technical Insights and Threat Actor Profile

The Golang sniffer was installed on approximately 12,000 Fortinet devices, indicating that only a targeted subset of the overall network equipment received it. SOCRadar’s findings show that an operator with access to FortiBleed was logged into both INC and Lynx negotiation panels, with evident victim overlap.

The operation appears to be orchestrated by a Russian-speaking actor, likely an initial access broker, focusing on sectors like manufacturing, technology, and logistics in Latin America and the Asia Pacific.

Further insights reveal an organized effort involving about 20 individuals, with a clear division of roles. A core team of lead operators executes high-impact intrusions, supported by specialists and auxiliary staff.

Emerging Threats and Future Defense

In addition to the above, the attackers are suspected of possessing a zero-day vulnerability in Nextcloud. SOCRadar is actively coordinating with the affected vendor to address this issue.

This exposure follows eSentire’s observation of threat actors exploiting a vulnerability in Fortinet FortiClient EMS (CVE-2026-35616) to deploy EKZ Stealer, targeting credentials from various browsers via PowerShell.

The unfolding developments emphasize the need for vigilant cybersecurity measures and proactive threat intelligence collaboration to mitigate such risks in the future.

The Hacker News. Tags: credential theft, cyber threats, Cybersecurity, FortiBleed, Fortinet, Golang sniffer, INC, Lynx, network security, Ransomware, SOCRadar, zero-day vulnerability
