FortiBleed Credential Theft Campaign: FortigateSniffer Tool Deployed Against 430,000+ FortiGate Firewalls, Linked to INC Ransom and Lynx Ransomware — Threadlinqs Intelligence
Threat ID: TL-2026-1124 · Severity: CRITICAL · Status: ACTIVE · Category: RANSOMWARE
Attribution: INC Ransom · Russia · FINANCIAL
A Russian-speaking initial access broker ran a large-scale credential-harvesting operation dubbed 'FortiBleed' that combined reused credentials, mass brute-force, and a custom Golang packet-sniffing
FortiBleed is an operational credential-theft campaign, not a single CVE. Security researcher Volodymyr "Bob" Diachenko first identified the operation on 2026-06-13 after discovering a publicly exposed threat-actor server hosting a structured database of validated FortiGate administrator and VPN credentials alongside the group's attack tooling. Within 48 hours, Recorded Future, Field Effect, SOCRadar, Hudson Rock, Bitsight, and Arctic Wolf independently validated portions of the dataset, and by 2026-06-19 the confirmed tally of devices with verified working credentials had grown to 86,644 across 194 countries. Fortinet's PSIRT publicly stated the activity is 'not a new Fortinet vulnerability,' attributing it instead to credential reuse tied to prior advisories FG-IR-26-060 and FG-IR-25-647, combined with brute-force attacks against devices lacking strong passwords and MFA. Independent researchers additionally note that a meaningful share of the original leaked configuration files plausibly trace back to historically exploited FortiOS SSL-VPN/administrative-interface flaws -- CVE-2022-40684 (authentication bypass), CVE-2023-27997 'XORtigate' (heap buffer overflow), and CVE-2024-21762 (SSL VPN out-of-bounds write) -- all of which allowed unauthenticated attackers to pull FortiGate configuration files (and thus stored credential hashes) from unpatched, internet-facing devices in prior exploitation waves dating back to 2022.
Once credentials were reused or brute-forced onto a device (SSH brute-force with 16 wordlists and SSL-VPN credential stuffing at up to 25,000 threads yielded 237,330 valid credentials in one tracked pipeline), operators deployed FortigateSniffer, a Golang binary compiled for both Linux and Windows with an entirely Russian-language interface. The tool abuses the legitimate FortiOS diagnostic command 'diagnose sniffer packet' to passively capture authentication traffic across roughly two dozen protocols -- Kerberos, RADIUS, NTLM, RDP, LDAP, MSSQL, SMB, FTP, Telnet, and WinRM among them -- without dropping any traditional malware on the appliance. Captured SSH terminal output is converted to .pcapng via an internal 'SNIFTRAN' conversion engine and processed through a 'PCAP Deep Analysis Toolkit (v5.0)' that extracts cleartext credentials, NTLM hashes, Kerberos tickets, and session cookies. To minimize detection, the sniffer only runs 07:00-18:00 Moscow Time and applies GeoIP-based filtering via a binary-search-optimized ipgeo.csv allow/deny list, blending malicious capture windows into normal business-hours traffic patterns.
A compounding weakness is FortiGate's legacy SHA-256-with-salt admin credential hashing, which is comparatively crack-friendly versus the PBKDF2 hashing introduced in FortiOS 7.2.11, 7.4.8, and 7.6.1; critically, upgrading FortiOS alone does not rehash an existing admin's password to PBKDF2 until that admin logs in again post-upgrade, leaving legacy hashes crackable indefinitely on unrefreshed accounts. Operators ran offline cracking on a 45-node Hashtopolis/Hashcat GPU cluster, dynamically renting additional compute from vast.ai and orchestrating cracking jobs through a Telegram bot. An internal tracking document recovered from one of roughly 200-500 operational servers revealed an organized structure of about 20 people with defined roles: a small core of primary operators driving high-impact intrusions, dedicated technical specialists, and a back-office layer of junior operators. Post-compromise activity included creation of persistent backdoor admin accounts (observed names: adminin, support, ssl-admin, svc_monitor, forticloud, fortiuser, fortinet-support, fortinet-tech-support), Kerberoasting and RC4 ticket cracking for lateral movement, and staged exfiltration of DFS backup shares -- including a confirmed 2026-06-15 exfiltration event against a NATO-affiliated defense contractor.
SOCRadar's whitepaper 'Dismantling FortiBleed' establishes that campaign infrastructure produced 409 targe
Weaknesses (CWE)
CWE-287, CWE-122, CWE-787, CWE-522, CWE-798
Target sectors: government administration, telecoms, financial services, health, manufacturing, technology, energy, transportation and logistics, agriculture, defense industrial base
Target regions: Global (194 countries), North America, Europe, Asia-Pacific, india, united states of america
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 30 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
RANSOMWARE, CRITICAL, threat intelligence, cybersecurity, CVE-2022-40684, CVE-2023-27997, CVE-2024-21762, T1595, T1596, T1591, T1583, T1583, T1588, T1588, T1078, T1078, T1190