Threat Intelligence / ransomware / TL-2026-1118FortiBleed Credential Theft Campaign Linked to INC and Lynx Ransomware Operations — Threadlinqs Intelligence Threat ID: TL-2026-1118 · Severity: CRITICAL · Status: ACTIVE · Category: RANSOMWARE
Attribution: FortiBleed Initial Access Broker · Russia · FINANCIAL
A financially motivated, Russian-speaking initial access broker operation dubbed FortiBleed has harvested over 110 million credentials from roughly 430,000 targeted FortiGate firewalls since February
FortiBleed is a large-scale, ongoing credential-compromise campaign against internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways, active since at least February 2026 and traced back to reconnaissance/brute-force activity as early as January 11, 2026. The operation is run by a Russian-speaking, financially motivated initial access broker (IAB) — tooling recovered from the actors' infrastructure contains Cyrillic-language code comments and was hosted across a network of loosely regulated Eastern European micro-hosting providers. The campaign does not rely on a single novel remote-code-execution vulnerability; instead it chains credential stuffing, password spraying, FortiGate configuration-file harvesting, offline hash cracking, and passive post-authentication traffic capture into a repeatable 'credential factory'.
The core tool is a Go-based ELF/PE binary that identifies itself internally as CyberStrike Harvester v1.5 (also reported publicly under the name FortigateSniffer or fg_sniffer). Once deployed to a compromised FortiGate appliance, it abuses the device's own built-in diagnostic command `diagnose sniffer packet` to passively capture authentication traffic traversing the firewall across roughly two dozen protocols, including RADIUS, NTLM, Kerberos, LDAP, RDP, SMB, MSSQL, FTP, Telnet, and WinRM. Captured traffic is converted to `.pcapng` via an internal 'SNIFTRAN' engine and parsed for cleartext passwords, NTLMv2 hashes, Kerberos TGS/AS-REP tickets, and session cookies. Sniffing windows are restricted by GeoIP-based filtering (an `ipgeo.csv` reference dataset) to 07:00–18:00 Moscow time, consistent with an operator working shift pattern. Companion tools `mpbrute2.bin` (SSH brute-forcing using 16 product-specific wordlists, ~90% validation success across 6,127 devices) and `forticheck` (up to 25,000-thread SSL-VPN portal brute-forcing) round out the credential-acquisition pipeline; a 237,330-entry dump of validated FortiGate SSH credentials (`ssh.txt`) was recovered from operator infrastructure.
The technical root cause enabling mass credential exposure is Fortinet's historical use of legacy SHA-256 hashing for locally stored administrator credentials. FortiOS 7.2.11, 7.4.8, and 7.6.1 introduced PBKDF2-based hashing, but administrators who upgraded without subsequently logging in retained the weaker legacy hash, leaving those credentials crackable offline via the operators' Hashcat/Hashtopolis cracking farm. Separately, the FortiBleed ecosystem is linked to active exploitation of several Fortinet CVEs used for initial network access and follow-on credential theft: the historic FortiOS SSL-VPN pre-auth/heap-overflow chain (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762), the January 2026 FortiCloud SSO authentication-bypass zero-day (CVE-2026-24858, CISA KEV-listed 2026-01-27), and the CISA KEV-listed FortiClient EMS improper-access-control flaw (CVE-2026-35616, added 2026-04-06) that was used from May 2026 onward to push the EKZ Stealer — a Chromium/Firefox credential- and cookie-stealing infostealer — disguised as a legitimate Fortinet endpoint update executed via PowerShell.
Where harvested credentials granted network access, operators pivoted using `openfortivpn` tunnels and Impacket-based tooling to enumerate Active Directory, validate Kerberos tickets, authenticate over SMB, check administrative shares, and collect data from SMB/DFS shares. In at least one confirmed case, a Turkish NATO-aligned defense contractor had DFS backup data exfiltrated within minutes of Kerberos hashes being cracked offline. A persistent backdoor local account named 'adminin' was observed created on compromised systems. Scanning activity was tracked against roughly 11,250 FortiGate portals across 150+ countries (later analysis broadened this to 194 countries and 21,000+ unique domains), with confirmed admin-level access on 409 targets and full domain compromise (VPN + domain-controller + domain-admin access) achieved on 354 of
Weaknesses (CWE) CWE-287, CWE-288, CWE-522, CWE-306, CWE-798, CWE-787, CWE-122
Target sectors: itservices, government administration, defense, finance, health, manufacturing, telecoms, automotive, technology, managedserviceproviders
Target regions: Global, North America, Europe, Asia-Pacific, Middle East
Detections & IOCs This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 25 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans .
RANSOMWARE, CRITICAL, threat intelligence, cybersecurity, CVE-2026-35616, CVE-2026-24858, CVE-2024-21762, CVE-2023-27997, CVE-2022-42475, T1595, T1589, T1583, T1587, T1588, T1584, T1190, T1078, T1133, T1059