If your firm runs internet-facing FortiGate firewalls, the FortiBleed campaign is now directly tied to two active ransomware crews. Researchers at SOCRadar have connected the mass credential theft to INC Ransom and Lynx, and this connection matters because it turns stolen firewall credentials from a data-loss concern into a full ransomware event. (Source: The Hacker News)
Here is the chain in plain terms. The operators scanned the internet for exposed Fortinet devices, tried known credential combinations to get in, then dropped a custom Golang packet sniffer that quietly reads authentication data straight off network traffic. SOCRadar estimates that sniffer landed on roughly 12,000 Fortinet devices — a subset of the far larger population the attackers touched.
The scale of the operation is what stands out.
The campaign is assessed to have targeted 430,000 FortiGate firewalls globally, gathering over 110 million credentials in the process.
Those numbers came to light after an operational security slip left an attacker server exposed on the internet. From there, SOCRadar tracked scanning against about 11,250 FortiGate portals across more than 150 countries, confirmed admin-level access on 409 targets, and saw the full attack chain complete on 354 of them. At least 12 ransomware deployments have followed, encrypting hundreds of endpoints across the victims.
The link to ransomware is not circumstantial. An operator with access to FortiBleed infrastructure was found logged into both the INC Ransom and Lynx negotiation panels, and victims listed by INC Ransom overlap with data harvested in the campaign. In practical terms, credentials pulled off your firewall can lead directly to encrypted servers and a ransom demand.
Separately, eSentire reported threat actors exploiting CVE-2026-35616 (CVSS 9.1) in Fortinet FortiClient EMS to deploy an information stealer called EKZ Stealer against an energy, utilities, and waste-sector customer, harvesting credentials from Chromium-based browsers and Firefox. Manufacturing, technology, and logistics firms in Latin America and Asia Pacific have drawn the most attention so far.
Attack Chain: From Credential Theft to Ransomware Deployment
The FortiBleed attack chain doesn't jump straight to encryption. It moves through discrete, repeatable stages that a single operator can run at scale, and the recent EKZ Stealer activity shows how a fresh Fortinet flaw feeds that same pipeline.
The entry point in the newer incident is CVE-2026-35616, a critical flaw (CVSS 9.1) in Fortinet FortiClient EMS. According to eSentire, threat actors exploited it against a customer in the energy, utilities, and waste sector to deploy EKZ Stealer. The stealer's job is narrow and specific: pull saved credentials from Chromium-based browsers and Firefox, then push them out over PowerShell.
That exfiltration method matters for hunting. When credentials leave a host through powershell.exe making outbound connections, that's a network pattern worth flagging: a browser credential store has no legitimate reason to be read and shipped out by a scripting host. This maps to MITRE ATT&CK T1555.003 (Credentials from Web Browsers) and T1059.001 (PowerShell).
The FortiBleed campaign proper follows a parallel logic but at a different layer. Where EKZ Stealer scrapes a single endpoint, the operators behind FortiBleed harvested authentication data straight off firewall traffic. Of roughly 11,250 FortiGate portals scanned across more than 150 countries, the operators confirmed admin-level access on 409 targets and completed the full attack chain on 354 of them.
That gap between access and full completion is the operational reality of this crew. Getting in is not the same as monetizing, and their conversion rate tells you these are deliberate, staged intrusions rather than spray-and-pray.
At least 12 ransomware deployments have resulted from this access, causing hundreds of endpoints to be encrypted across affected organizations.
The handoff from access to ransomware runs through the operator identified in both INC Ransom and Lynx negotiation panels. Victims listed by INC Ransom overlap with data from the FortiBleed campaign, which is the direct evidence linking harvested firewall credentials to actual deployment. For an incident responder, that overlap means a FortiGate compromise in your environment isn't a standalone credential-loss event: it's a plausible precursor to encryption by either group.
The staging layer sits behind all of this. SOCRadar's visibility came from one of about 200 servers tied to the infrastructure, and the exposed staging box held the operational guts of the campaign:
- Target inventories - curated lists of internet-facing appliances to hit
- Harvested data - the collected credentials awaiting verification
- Automation scripts and configuration files - the tooling that runs scanning and collection without manual effort
- Operational artifacts - logs and documentation coordinating the effort
SOCRadar's Ensar Seker was explicit that this server was backend coordination infrastructure, not something victims ever touched directly. It was neither a phishing host nor an active collection point; it staged and directed the work happening elsewhere.
Two forward indicators tell you where this pipeline is heading. The operators hold at least one zero-day in Nextcloud, with SOCRadar coordinating disclosure with the vendor. They also maintain Citrix-related target lists covering about 29,000 IP addresses and 37 domains, which points to the same automated workflow being repointed at other remote-access technologies.
The takeaway for responders: this isn't a one-vulnerability problem. It's a modular pipeline - initial access via a firewall or EMS flaw, credential extraction by tooling like EKZ Stealer or a traffic sniffer, verification on staging infrastructure, then handoff to INC or Lynx for deployment. Any single stage you catch breaks the chain before encryption.
Operational and Financial Impact on Energy, Utilities, and Manufacturing
When SOCRadar confirmed that stolen firewall credentials fed directly into ransomware deployments, the calculus for your organization shifted. This is no longer a question of whether some passwords leaked. If you operate in manufacturing, technology, logistics, energy, or utilities, an attacker with valid admin access to your perimeter can move into operational systems on their own terms, using your own credentials.
Consider the sectors the operators singled out: manufacturing, technology, and logistics across Latin America and Asia Pacific. These aren't random targets. They share tight production schedules, thin recovery windows, and customers who penalize delays.
For a manufacturer, a ransomware event that reaches shop-floor controls means production stops. When your lines are idle, you're not just losing the hours of downtime — you're losing raw material already in process, missing delivery commitments, and paying staff to wait. The attackers know that a plant losing revenue every hour it stays encrypted is more likely to pay quickly.
Logistics operators face a similar squeeze through different pressure. Your business runs on service-level agreements. Encrypted warehouse management or dispatch systems mean shipments sit undelivered, and every missed SLA carries contractual penalties and eroded customer trust. The recovery timeline becomes the business problem, not the encryption itself.
The energy and utilities angle sharpens the stakes further. The confirmed EKZ Stealer intrusion hit a customer in the energy, utilities, and waste sector, harvesting browser-stored credentials. In that world, credential theft that leads to service interruption isn't only a commercial loss.
- NERC CIP reporting: Utilities subject to Critical Infrastructure Protection standards must document and report cyber incidents affecting bulk electric system reliability. A ransomware event tied to compromised perimeter access can trigger mandatory disclosure and audit scrutiny.
- Service interruption liability: Interrupted utility service exposes you to regulatory penalties and customer notification obligations that commercial firms don't carry.
- Extended recovery: Operational technology environments are harder to restore than IT systems, because you cannot simply reimage a controller mid-process without validating safety.
For technology firms, the exposure is intellectual property and customer data. If attackers hold admin access to your firewall and gather authentication data off your network traffic, they can reach source code repositories, product roadmaps, and the credentials your own customers trust you to protect. A breach here propagates downstream to everyone who relies on your service.
SOCRadar tracked confirmed admin-level access on 409 targets and completion of the full attack chain on 354 of them, with at least 12 ransomware deployments resulting in hundreds of encrypted endpoints across affected organizations.
That ratio matters to your risk planning. The operators aren't spraying encryption everywhere — they verify access first, then hand qualified victims to INC Ransom and Lynx for follow-on extortion. If your organization ends up in that qualified pool, you're negotiating with a crew that already knows exactly what they hold.
The payment pressure is deliberate. When your endpoints are encrypted and you're weighing whether to pay, the attackers are counting on your downtime costs, contractual penalties, and regulatory clocks to push you toward the ransom. Recovery from tested offsite backups changes that math, but recovery still takes time you have to account for in advance.
The reconnaissance signal for Citrix environments — a target list of roughly 29,000 IP addresses and 37 domains — tells you the same operational playbook is being prepared against other remote access technologies. If your firm runs internet-facing Citrix alongside Fortinet, treat your exposure as broader than a single vendor's appliances.
Detection and Immediate Response Actions
Start with your Fortinet perimeter. The most urgent action is confirming that every internet-facing FortiClient EMS instance has the fix for CVE-2026-35616 (CVSS 9.1) applied, and that no active exploitation is already underway. Pull the fixed build from Fortinet's advisory for your appliance generation rather than assuming a version number, then verify the patch actually took by checking the running build against the advisory.
Organizing your response around the five functions of the NIST Cybersecurity Framework keeps the work in priority order without leaving gaps.
Identify
Inventory every FortiGate and FortiClient EMS device reachable from the internet. Map which administrative accounts touched those devices, because those are the credentials most likely already harvested. Cross-reference your external IP ranges against the reconnaissance patterns tied to this activity so you know whether your appliances sit in a likely target set.
Protect
Reset credentials for any account that authenticated through an exposed Fortinet device, and treat local admin passwords and API keys as compromised until proven otherwise. Then:
- Enforce MFA on all firewall administrative and VPN accounts, not just user logins.
- Rotate service-account credentials that traversed monitored network segments, since the passive sniffer reads authentication data straight off traffic.
- Restrict management interfaces to internal networks or a hardened jump host, removing direct internet exposure of admin portals.
Detect
Hunt for the information-stealer behavior described earlier: PowerShell processes reading Chromium and Firefox credential stores, then making outbound connections to exfiltrate that data. In environments Capstone manages, SentinelOne flags this browser-credential harvesting and the scripted exfiltration that follows it before the collected data leaves the host.
For the network side, watch for a Go-compiled process on Fortinet appliances that shouldn't run one, and for unexpected packet-capture activity. Review authentication logs for logins from geographies matching the operators' working hours and for admin sessions that don't correlate with your change records.
SOCRadar confirmed admin-level access on 409 targets and full attack-chain completion on 354 of them, with at least 12 ransomware deployments and hundreds of endpoints encrypted as a result.
Respond
If you find harvested credentials or sniffer artifacts, isolate the affected appliance and any hosts that authenticated through it before rotating credentials again from a clean path. Hunt for lateral movement using the reset accounts — valid credentials mean an intruder moves with legitimate permissions, so look at authentication behavior, not malware signatures.
Adlumin ITDR monitors authentication patterns across managed environments, correlating impossible-travel logins, off-hours admin access, and MFA prompt anomalies that indicate stolen firewall credentials being reused deeper in the network. That identity-layer signal is often the first evidence of movement toward ransomware staging.
- Isolate systems showing ransomware precursor behavior: mass file enumeration, shadow-copy tampering, or bulk endpoint encryption attempts.
- Review MFA and VPN logs for prompt bombing or session anomalies tied to reset accounts.
- Preserve firewall configuration files and logs before reimaging, since they document what the operators accessed.
Recover
Because this access has already produced encryption events across affected organizations, confirm you hold tested, offsite backups that an intruder with firewall access cannot reach or delete. N-able Cove maintains cloud-isolated backup copies in managed environments, keeping restore points separated from the production network an attacker would move through.
After restoration, segment your network so a single set of compromised firewall credentials no longer opens a path across the whole estate. Given the reconnaissance already staged against Citrix environments — a target list of roughly 29,000 IP addresses and 37 domains — treat any internet-facing remote-access technology the same way: verify authentication logs, rotate exposed credentials, and enforce MFA before this workflow gets repurposed against it.
Patching and Credential Management Strategy
Start with your edge devices. The CVE-2026-35616 flaw in Fortinet FortiClient EMS (CVSS 9.1) sits on the same product family that FortiBleed operators already scan at scale, so any internet-facing management instance is your first patch target. Apply the fixed build listed in Fortinet's advisory for your specific appliance generation rather than assuming a version number, and confirm the running build matches the advisory after the upgrade completes.
Sequence the rollout by exposure. Edge devices and any FortiClient EMS console reachable from the internet should be patched within 24 to 48 hours. Internal firewalls and management servers that sit behind the perimeter can follow over the next week, once you have confirmed the edge tier is clean.
Pre-Patch Validation and Rollback
Before you touch a production console, snapshot the appliance configuration and export the current running config to an offline location. This gives you a known-good restore point if the upgrade fails or introduces a regression in policy enforcement.
- Validate the patch in a staging or lab instance first, checking that VPN, authentication, and policy pushes still work as expected.
- Record the current firmware build and license state so you can confirm the upgrade actually applied rather than silently rolling back.
- Keep the prior firmware image available so you can revert quickly if the new build breaks endpoint enrollment or client connectivity.
- Schedule the internal-tier patches during a maintenance window, but do not delay the edge tier waiting for one.
Credential Hygiene After Exposure
Patching closes the door, but any credentials that passed through a compromised Fortinet device should be treated as already collected. FortiBleed's sniffer reads authentication data straight off network traffic, which means a valid password is no longer proof of a trusted session. Force a reset for every account that could have authenticated through an affected appliance, prioritizing administrative and service accounts.
Audit privileged account activity across the last 90 days. Look for logins outside normal working hours, access from unfamiliar geographies, and administrative actions that don't map to a known change. The operators behind this campaign use valid credentials to move quietly, so anomalies in your own logs are often the first honest signal you get.
The campaign is assessed to have gathered over 110 million credentials from FortiGate firewalls globally — assume any password that crossed an exposed appliance is in an attacker's hands.
Where you can, move privileged and remote-access accounts toward passwordless authentication. Hardware-backed keys and certificate-based logins remove the static secret that a passive sniffer relies on, so even a full traffic capture yields nothing reusable. This matters most for the administrative accounts that grant control over your perimeter.
Adlumin ITDR monitors authentication patterns across managed environments, catching the login anomalies and impossible-travel events that signal stolen firewall credentials being reused before an intruder reaches internal systems. Pair that identity monitoring with the credential resets above so a rotated password is enforced and watched, not just changed on paper.
For firms running internet-facing Citrix alongside Fortinet, apply the same discipline preemptively: rotate exposed credentials, enforce MFA on remote access, and review authentication logs for anomalous logins. The reconnaissance activity SOCRadar documented against Citrix environments is a signal to close those gaps before the same automated workflow turns toward them.
Monitoring for Post-Compromise Activity and Ransomware Staging
The FortiBleed operation runs through a predictable sequence of behaviors, and each stage leaves distinct signals in your telemetry. Because the operators use valid credentials harvested from network traffic, the loudest indicators aren't malware signatures — they're anomalies in how those credentials get used.
Start with the passive collection stage. The Golang packet sniffer that landed on roughly 12,000 Fortinet devices runs as an unexpected process on appliances that shouldn't be executing custom binaries. On a normally locked-down firewall, any process reading raw network traffic outside the vendor's own daemons is worth flagging. This matters because a sniffer that silently reads authentication data gives an operator credentials you never see cross a login prompt.
The credential-abuse stage is where behavioral baselining earns its keep. Map to MITRE ATT&CK T1078 (Valid Accounts) and hunt for authentication patterns that don't match your users:
- Failed logins followed by a successful one from an unusual source — a burst of authentication attempts resolving into a clean login from a geography or ASN your admins never originate from.
- Admin sessions outside established working hours — SOCRadar tied this activity to a Russian-speaking operator, so successful administrative logins during that operator's working hours rather than your team's are a signal.
- Concurrent sessions for a single admin account from two separated locations, which valid credentials make trivial and which no legitimate user generates.
The business translation: because the attacker holds working credentials, the firewall and directory treat their session as legitimate. Detection has to come from the context of the login — where, when, and how — not from a blocked password.
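As an added illustration of the three credential-abuse patterns above (not code from the original post or from SOCRadar), this Python hunts over a constructed batch of FortiGate-style admin login events. The working hours, baseline geography and time windows are assumed values for a hypothetical organization and should be tuned from your own login history.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FortiGate-style admin login events (not real telemetry), already normalised
# the way a SIEM would: timestamps are in the organisation's local time.
EVENTS = [
    {"ts": "2026-04-02T03:11:02", "user": "admin", "src": "203.0.113.9", "geo": "RU", "status": "failed"},
    {"ts": "2026-04-02T03:11:04", "user": "admin", "src": "203.0.113.9", "geo": "RU", "status": "failed"},
    {"ts": "2026-04-02T03:11:05", "user": "admin", "src": "203.0.113.9", "geo": "RU", "status": "failed"},
    {"ts": "2026-04-02T03:11:09", "user": "admin", "src": "203.0.113.9", "geo": "RU", "status": "success"},
    {"ts": "2026-04-02T09:30:00", "user": "netops", "src": "198.51.100.4", "geo": "US", "status": "success"},
    {"ts": "2026-04-02T09:40:00", "user": "netops", "src": "203.0.113.9", "geo": "RU", "status": "success"},
    {"ts": "2026-04-02T14:05:00", "user": "admin", "src": "198.51.100.4", "geo": "US", "status": "success"},
]

# Assumed baseline for the hypothetical organisation: admins work 08:00-18:00 local time
# and have only ever logged in from "US". Tune these from your own history before use.
WORK_HOURS = (8, 18)
BASELINE_GEOS = {"US"}
BURST_WINDOW = timedelta(minutes=5)        # failures must precede the success within this window
BURST_FAILURES = 3                         # and there must be at least this many of them
CONCURRENT_WINDOW = timedelta(minutes=30)  # two geos for one account inside this window = concurrent


def parse(e):
    return datetime.fromisoformat(e["ts"])


def hunt(events):
    """Return (rule, user, detail) alerts for the three T1078 patterns described above."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=parse):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["status"] != "success":
                continue
            t = parse(e)
            # Rule 1: burst of failures from one source resolving into a success from a non-baseline geo.
            fails = [f for f in evs[:i] if f["status"] == "failed" and f["src"] == e["src"]
                     and t - parse(f) <= BURST_WINDOW]
            if len(fails) >= BURST_FAILURES and e["geo"] not in BASELINE_GEOS:
                alerts.append(("burst_then_success", user,
                               f'{len(fails)} failures then success from {e["src"]} ({e["geo"]})'))
            # Rule 2: successful admin login outside the organisation's working hours.
            if not WORK_HOURS[0] <= t.hour < WORK_HOURS[1]:
                alerts.append(("off_hours_admin", user, f'success at {e["ts"]} from {e["src"]}'))
            # Rule 3: a second successful session from a different geography inside the window.
            for prior in evs[:i]:
                if (prior["status"] == "success" and prior["geo"] != e["geo"]
                        and t - parse(prior) <= CONCURRENT_WINDOW):
                    alerts.append(("concurrent_geo", user,
                                   f'{prior["geo"]} then {e["geo"]} within {CONCURRENT_WINDOW}'))
    return alerts
```

On the constructed sample, the 03:11 `admin` login trips both the burst rule and the off-hours rule, while `netops` trips the concurrent-geography rule ten minutes after a clean login.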
For the EKZ Stealer branch tied to CVE-2026-35616, the detection logic shifts to endpoint and network behavior. EKZ Stealer harvests saved credentials from Chromium-based browsers and Firefox, then pushes them out over PowerShell. Two behaviors stand out:
- PowerShell processes making outbound connections shortly after touching browser credential stores — the exfiltration path eSentire observed against the energy, utilities, and waste customer.
- Non-browser processes reading browser profile data, which maps to T1555.003 (Credentials from Web Browsers) and rarely has a benign explanation on a server.
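The two behaviors above, and the PowerShell exfiltration pattern described in the attack-chain section, as an added Python correlation over constructed EDR-style events (example code, not from the original post or eSentire). The profile-path markers, browser and script-host names, and the five-minute exfiltration window are assumptions for a hypothetical Windows host.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed EDR-style telemetry for one host (not real data). Each event carries the
# process image basename and PID; file_read events carry the path touched, net_connect the peer.
EVENTS = [
    {"ts": "2026-04-02T10:00:00", "type": "file_read", "pid": 4120, "image": "powershell.exe",
     "path": r"C:\Users\ops\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2026-04-02T10:00:03", "type": "file_read", "pid": 4120, "image": "powershell.exe",
     "path": r"C:\Users\ops\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"ts": "2026-04-02T10:00:20", "type": "net_connect", "pid": 4120, "image": "powershell.exe",
     "dst": "198.51.100.77:443"},
    {"ts": "2026-04-02T10:05:00", "type": "file_read", "pid": 5200, "image": "chrome.exe",
     "path": r"C:\Users\ops\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2026-04-02T10:06:00", "type": "net_connect", "pid": 5200, "image": "chrome.exe",
     "dst": "203.0.113.5:443"},
    {"ts": "2026-04-02T11:00:00", "type": "file_read", "pid": 6100, "image": "notepad.exe",
     "path": r"C:\Users\ops\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\key4.db"},
]

# Files that hold saved browser logins (Chromium's SQLite store; Firefox's JSON store and key DB),
# only counted when they sit under a known browser profile directory.
CRED_STORE_FILES = {"login data", "logins.json", "key4.db"}
PROFILE_MARKERS = ("google\\chrome\\user data", "microsoft\\edge\\user data", "mozilla\\firefox\\profiles")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}   # the only legitimate readers
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
EXFIL_WINDOW = timedelta(minutes=5)   # assumed: a connection this soon after the read is suspicious


def is_cred_store(path):
    p = PureWindowsPath(path)
    low = str(p).lower()
    return p.name.lower() in CRED_STORE_FILES and any(m in low for m in PROFILE_MARKERS)


def hunt(events):
    """Return (technique, pid, detail) alerts: T1555.003 for non-browser credential-store reads,
    T1059.001 for a PowerShell host that connects out shortly after such a read."""
    alerts, touched = [], {}   # touched: pid -> time of its most recent credential-store read
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "file_read":
            if is_cred_store(e["path"]) and e["image"] not in BROWSERS:
                touched[e["pid"]] = t
                alerts.append(("T1555.003", e["pid"],
                               f'{e["image"]} read {PureWindowsPath(e["path"]).name}'))
        elif e["type"] == "net_connect" and e["image"] in SCRIPT_HOSTS:
            if e["pid"] in touched and t - touched[e["pid"]] <= EXFIL_WINDOW:
                alerts.append(("T1059.001", e["pid"],
                               f'{e["image"]} connected to {e["dst"]} after credential-store read'))
    return alerts
```

Chrome reading its own store and then connecting out produces nothing; the PowerShell process produces two read alerts and one exfiltration alert, and notepad reading key4.db is flagged on its own.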
Watch for the pivot to lateral movement (moving from the compromised perimeter into internal systems using the harvested accounts). SOCRadar confirmed at least 12 ransomware deployments flowing from this access, so the window between initial credential use and encryption is short. Track first-time admin authentications to internal hosts a compromised account has never touched.
The ransomware staging stage produces the most concrete host indicators. Before INC Ransom or Lynx payloads encrypt, operators typically clear recovery options. Alert on shadow copy deletion, backup catalog tampering, and mass file-modification bursts across a share in a short interval — the signature of encryption in progress mapped to T1490 (Inhibit System Recovery) and T1486 (Data Encrypted for Impact).
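An added Python sketch of the staging-stage alerts above (example code, not from the original post): a match list for well-known recovery-inhibition command lines and a sliding-window counter for mass file modification on a share. The sample telemetry is constructed, and the 60-second window and 50-write threshold are assumed values to be tuned per share.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed host telemetry (not real data). Process events carry the command line; file_modify
# events carry the share the write hit. Sixty writes to \\fs01\finance land inside 30 seconds;
# five writes to \\fs01\hr are spread over ten minutes as a benign baseline.
BASE = datetime(2026, 4, 2, 2, 0, 0)
EVENTS = [
    {"ts": BASE, "type": "process", "image": "vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": BASE + timedelta(seconds=5), "type": "process", "image": "wbadmin.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"ts": BASE + timedelta(seconds=9), "type": "process", "image": "vssadmin.exe",
     "cmd": "vssadmin list shadows"},   # benign enumeration, must not fire
]
EVENTS += [{"ts": BASE + timedelta(seconds=30 + i / 2), "type": "file_modify",
            "share": r"\\fs01\finance"} for i in range(60)]
EVENTS += [{"ts": BASE + timedelta(minutes=2 * i), "type": "file_modify",
            "share": r"\\fs01\hr"} for i in range(5)]

# T1490: widely documented recovery-inhibition command lines (image basename, command-line substring).
RECOVERY_TAMPER = (
    ("vssadmin.exe", "delete shadows"),
    ("wbadmin.exe", "delete catalog"),
    ("wmic.exe", "shadowcopy delete"),
)
# T1486: assumed definition of "mass modification": more than this many writes to one share per window.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 50


def hunt(events):
    """Return (technique, detail) alerts; the burst rule fires once per share."""
    alerts, windows, flagged = [], defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "process":
            cmd = e["cmd"].lower()
            for image, needle in RECOVERY_TAMPER:
                if e["image"].lower() == image and needle in cmd:
                    alerts.append(("T1490", e["cmd"]))
        elif e["type"] == "file_modify":
            q = windows[e["share"]]
            q.append(e["ts"])
            while e["ts"] - q[0] > BURST_WINDOW:   # drop writes that fell out of the sliding window
                q.popleft()
            if len(q) > BURST_THRESHOLD and e["share"] not in flagged:
                flagged.add(e["share"])
                alerts.append(("T1486", f'{len(q)} writes to {e["share"]} within {BURST_WINDOW.seconds}s'))
    return alerts
```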
SOCRadar confirmed admin-level access on 409 targets and full attack-chain completion on 354, with at least 12 ransomware deployments encrypting hundreds of endpoints.
Because the same operators maintain a target list of roughly 29,000 IP addresses and 37 domains tied to Citrix environments, the credential-abuse baselines you build for Fortinet should extend to your Citrix authentication logs. The workflow that automated collection against one remote-access technology can be repointed at another, and the anomalous-login signatures look much the same.
Key Actions for the Next 48 Hours
The through-line of the FortiBleed investigation is that stolen firewall credentials are already being verified and handed off for ransomware deployment. SOCRadar tracked scanning against roughly 11,250 FortiGate portals in more than 150 countries, with confirmed admin-level access on 409 targets and the full attack chain completed on 354 of them.
That is the takeaway for you: credentials pulled from your Fortinet perimeter aren't sitting idle in a dump. An operator with FortiBleed infrastructure access was logged into active negotiation panels, which means access to your environment can convert to encryption without a separate breach.
The single most important action is to confirm the patch status of every Fortinet device tied to CVE-2026-35616 against the vendor's advisory, then rotate every credential that traversed or was managed through those devices. That one step closes the passive collection window and invalidates the authentication data these operators depend on for follow-on entry.
For security teams, the practical scope extends beyond Fortinet. SOCRadar identified a target list of roughly 29,000 IP addresses and 37 domains tied to Citrix environments, so credential rotation should cover any internet-facing remote access technology reachable through the same automated workflow.
For business leadership, the relevant fact is that manufacturing, technology, logistics, energy, and utilities organizations have been singled out, and these sectors carry thin recovery windows. Reviewing your business continuity plans now — while access is being reset rather than after encryption — keeps a credential exposure from becoming an operational outage you manage under pressure.