Cyber Web Spider Blog – News

FortiBleed Credential Theft Ties Ransomware to INC and Lynx

Posted on July 2, 2026 By CWS

The recent, financially motivated FortiBleed campaign has been linked to the INC and Lynx ransomware groups. The operation centers on credential theft, and the link shows the intent to use the stolen credentials in subsequent attacks.

Ransomware Operations Unveiled

A report by SOCRadar revealed that an operator linked to FortiBleed’s infrastructure was engaging in negotiation activities for both the INC and Lynx groups. This marks the first time that mass credential theft from FortiGate devices is directly associated with ransomware deployment.

SOCRadar tracked activities targeting around 11,250 FortiGate portals across more than 150 countries. The attackers successfully gained admin-level access on 409 targets and completed the attack chain on 354. Consequently, at least 12 ransomware deployments have been executed, encrypting hundreds of endpoints within affected organizations.

Global Impact and Methodology

The large-scale credential theft campaign was discovered last month. The attackers systematically scanned the internet for vulnerable Fortinet devices, used known credentials to breach them, and deployed custom packet sniffers to gather authentication data passively.

An estimated 430,000 FortiGate firewalls were targeted globally, resulting in the collection of over 110 million credentials. The operation was exposed when a security lapse by the attackers left a server holding stolen credentials accessible online.

Technical Insights and Threat Actor Profile

The Golang sniffer was installed on approximately 12,000 Fortinet devices, a targeted subset of the overall network equipment involved. SOCRadar’s findings show that an operator with access to FortiBleed was logged into both the INC and Lynx negotiation panels, with evident overlap among victims.

The operation appears to be orchestrated by a Russian-speaking actor, likely an initial access broker, focusing on sectors like manufacturing, technology, and logistics in Latin America and the Asia Pacific.

Further insights reveal an organized effort involving about 20 individuals, with a clear division of roles. A core team of lead operators executes high-impact intrusions, supported by specialists and auxiliary staff.

Emerging Threats and Future Defense

The attackers are also suspected of possessing a zero-day vulnerability in Nextcloud. SOCRadar is coordinating with the affected vendor to address the issue.

This exposure follows eSentire’s observation of threat actors exploiting a vulnerability in Fortinet FortiClient EMS (CVE-2026-35616) to deploy EKZ Stealer, targeting credentials from various browsers via PowerShell.

The unfolding developments emphasize the need for vigilant cybersecurity measures and proactive threat intelligence collaboration to mitigate such risks in the future.

Category: The Hacker News. Tags: credential theft, cyber threats, Cybersecurity, FortiBleed, Fortinet, Golang sniffer, INC, Lynx, network security, Ransomware, SOCRadar, zero-day vulnerability

Copyright © 2026 Cyber Web Spider Blog – News.