FortiBleed Campaign Linked to INC and Lynx Ransomware Operations, Exposing Coordinated Threat
A new report by **SOCRadar** has directly linked the large-scale **FortiBleed** credential-harvesting campaign to the **INC Ransom** and **Lynx** ransomware operations. This connection marks the first time that mass **FortiGate** credential theft has been definitively tied to subsequent ransomware deployments, highlighting a sophisticated and coordinated threat landscape.

The financially motivated **FortiBleed** campaign, which surfaced last month, involved threat actors systematically scanning the internet for exposed **Fortinet** devices. They leveraged known credential combinations to breach these devices, subsequently deploying custom packet sniffers to harvest credentials and other authentication data from network traffic.
### Direct Link to Ransomware Activity
**SOCRadar**'s investigation revealed an operator tied to **FortiBleed**'s infrastructure actively managing negotiation panels for both **INC Ransom** and **Lynx**. This crucial discovery directly connects the stolen **FortiGate** credentials to ransomware deployment, a significant development in understanding the attack chain.
Approximately 11,250 **FortiGate** portals across more than 150 countries were scanned. Of these, **SOCRadar** confirmed admin-level access on 409 targets, with the full attack chain successfully completed on 354. At least 12 ransomware deployments have resulted from this access, leading to hundreds of endpoints being encrypted within affected organizations.
### Scale of the Operation
The campaign is estimated to have targeted 430,000 **FortiGate** firewalls globally, accumulating over 110 million credentials. The operation came to light due to an operational security error, where a server containing credentials stolen from thousands of **Fortinet** appliances was left exposed on the internet.
Around 12,000 **Fortinet** devices are believed to have had the **Golang** sniffer installed, a subset of the total targeted networking gear.
### Exposed Infrastructure and Threat Actor Profile
**SOCRadar**'s findings are based on insights gained from one of 200 newly discovered servers associated with the **FortiBleed** infrastructure. This server provided visibility into internal files, logs, and operational documentation.
**Ensar Seker**, Chief Information Security Officer at **SOCRadar**, confirmed that the exposed server served as a staging and operational coordination hub. It contained target inventories, harvested data, automation scripts, configuration files, and other operational artifacts, indicating its role in coordinating large-scale credential harvesting rather than direct victim interaction.
Analysis of tooling, logs, and working hours suggests that the activity is orchestrated by a Russian-speaking threat actor, likely operating as an initial access broker. The primary targets include manufacturing, technology, and logistics sectors, particularly in Latin America and the Asia Pacific regions.
**SOCRadar** also uncovered an internal document indicating an organized operation involving approximately 20 individuals with a clear division of labor. A small core of lead operators drives high-impact intrusions, supported by specialists and staff.
### Beyond Fortinet: Zero-Days and Citrix Targeting
The threat actors are also believed to possess at least one zero-day vulnerability in **Nextcloud**, for which **SOCRadar** is coordinating with the affected vendor.
Furthermore, **Citrix**-related artifacts were identified, suggesting the campaign extends beyond **Fortinet** devices. The infrastructure included a dedicated target list of approximately 29,000 IP addresses and 37 domains associated with **Citrix** environments. This indicates the automated workflow could be repurposed for other remote access technologies.

While the presence of these target lists doesn't conclusively prove large-scale credential harvesting against **Citrix** devices has occurred, it demonstrates clear reconnaissance and targeting preparations. **Seker** advises organizations using internet-facing **Citrix** infrastructure to treat this as an early warning: verify authentication logs, rotate exposed credentials, enforce MFA, and monitor for anomalous login activity.
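One concrete way to act on the "verify authentication logs" and "monitor for anomalous login activity" advice above is to sweep the firewall's own admin login events for the pattern this campaign produces: a burst of failed admin logins from one source followed by a success, or any admin success from an address outside the known management set. The script below is an added example, not SOCRadar's or Fortinet's code; it assumes the usual FortiOS key=value event-log layout (`subtype`, `action`, `status`, `user`, `srcip`), and both the log lines and the known-source list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key=value event-log format
# (system subtype, admin login events). Field names follow the common
# FortiOS layout; every value here is made up for this example.
SAMPLE_LOGS = """\
date=2026-05-02 time=03:10:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-05-02 time=03:10:04 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-05-02 time=03:10:09 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-05-02 time=03:10:15 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.7 action="login" status="success" reason="none"
date=2026-05-02 time=08:02:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.20.0.5 action="login" status="success" reason="none"
date=2026-05-02 time=09:15:00 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=203.0.113.44 action="login" status="success" reason="none"
"""

# Source addresses administrators are expected to log in from (constructed).
KNOWN_ADMIN_SOURCES = {"10.20.0.5"}

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def suspicious_admin_logins(log_text, known_sources, fail_threshold=3):
    """Return (kind, user, srcip, failures) alerts for admin login successes
    that follow repeated failures from the same source, or that come from a
    source outside known_sources. Failures are counted per source in log
    order; a production version would also bound them by a time window."""
    alerts = []
    failures = defaultdict(int)  # srcip -> failed logins since last success
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "system" or ev.get("action") != "login":
            continue
        src, user = ev.get("srcip"), ev.get("user")
        if ev.get("status") == "failed":
            failures[src] += 1
        elif ev.get("status") == "success":
            if failures[src] >= fail_threshold:
                alerts.append(("success_after_failures", user, src, failures[src]))
            if src not in known_sources:
                alerts.append(("unknown_source", user, src, 0))
            failures[src] = 0
    return alerts

if __name__ == "__main__":
    for alert in suspicious_admin_logins(SAMPLE_LOGS, KNOWN_ADMIN_SOURCES):
        print(alert)
```

Run against a real export, any `success_after_failures` hit is a credential-guessing success worth treating as a confirmed admin compromise until proven otherwise.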
### Related Fortinet Vulnerability Exploitation
This disclosure coincides with a report from **eSentire**, which observed threat actors exploiting a flaw in **Fortinet FortiClient EMS** (**CVE-2026-35616**, CVSS score: 9.1). This vulnerability was used to deploy an information stealer named **EKZ Stealer** against a customer in the energy, utilities, and waste sector. The objective was to harvest credentials from **Chromium**-based browsers and **Firefox**, exfiltrating them via **PowerShell**.