FortiBleed Threat Actor Link Identified
Breaking: Our Threat Research Team has linked the FortiBleed threat actor to the Lynx / INC ransomware group following extensive technical analysis and continuous monitoring.
Breaking: Our Threat Research Team has linked the FortiBleed threat actor to the Lynx / INC ransomware group following extensive technical analysis and continuous monitoring.
A newly reported malware campaign uses WhatsApp direct messages to deliver VBScript (VBS/VBE) attachments that look like routine business documents. If a recipient downloads and then opens the attachment in WhatsApp Desktop or WhatsApp Web, the script starts a staged infection chain that ends with the silent installation of a legitimate RMM/UEM product, specifically a preconfigured ManageEngine Endpoint Central agent.
If you manage Fortinet gear, grab a coffee. You're going to need it. ☕
Our Threat Research team just published a massive teardown of a Russian compromise operation we’re tracking as FortiBleed. Active since at least February 2026, these threat actors aren't just doing simple smash-and-grabs—they’ve built a highly automated, industrialized credential-harvesting machine.
There is a special kind of irony when your firewall is the exact thing stealing your data. Here is the TL;DR of what we found under the hood:
We’ve broken down the complete 5-stage attack chain—from initial recon and brute-force to harvesting, cracking, and exfiltration.
We also dropped all the IoCs and defensive recommendations so you can set up timely alerts and mitigate risks before your network becomes a statistic.
Dive into the full teardown to help strengthen your security posture: https://hubs.la/Q04mc0fJ0
Stay sharp out there. Let us know what you think of the attack chain in the comments. 👇
86,644 Fortinet firewalls across 194 countries have been compromised — and the operation is still active.
This isn't a Fortinet vulnerability or zero-day. Attackers are simply testing old leaked credentials against internet-facing FortiGate devices. One default password (admin3:123456) alone got into 2,500+ devices. Once inside, compromised devices silently harvest more credentials from network traffic, feeding them back into the scanner.
The stolen data hasn't hit Dark Web markets yet — but the database is already organized by revenue, sector, and headcount, ready for initial access resale.
If you run Fortinet gear: rotate credentials now, enable MFA, restrict management access, update firmware, and if you're confirmed in the dataset — engage incident response. A password change alone isn't enough.
Get your detailed guide on FortiBleed here: https://socradar.io/blog/what-is-fortibleed/
Check your exposure: socradar.io/free-tools/fortibleed
SOCRadar's Threat Research team found the live operational server of the threat actors behind FortiBleed. Here's a breakdown of the operation's actual scale based on what was recovered:
▸ 80,553 unique compromised Fortigate devices
▸ 59.3M hosts scanned across the internet
▸ ~437K FortiGate devices fingerprinted
▸ 856M+ SSH & 2.1B+ web-panel credential attempts
▸ 105M+ credentials harvested
No zero-day is involved. The attack chain relies entirely on unrotated default credentials and previously leaked passwords — accounts that were never changed after earlier Fortinet incidents.
SOCRadar has released a free checker backed by the most complete dataset assembled around this incident. You can look up any IP block or domain.
🔗 https://socradar.io/free-tools/fortibleed
Immediate recommended actions if you run any internet-facing Fortinet device:
- Rotate all admin and VPN credentials immediately, especially any unchanged since previous Fortinet incidents
- Enable MFA on every admin and remote access account
- Remove FortiGate management interfaces from direct internet exposure
- Review gateway and authentication logs for anomalous access — unusual times, locations, or dormant accounts
- If you appear in the dataset, treat it as a confirmed breach and engage incident response
National CERTs and government cyber agencies can contact research@socradar.com for the full country-level dataset.
The SOCRadar Threat Research team just uncovered a staggering, active hacking campaign exposing over 30,000 verified Fortinet firewall credentials.
Here is the damage report:
🌍 Global Reach: 194 countries affected, with the US sitting at the #2 most targeted spot.
🏦 High-Value Targets: The victim roster includes major banks, telecom giants, and government agencies.
🛠️Full Visibility: We tracked the entire operation—the attacker infrastructure, the tools, and the complete victim list.
⚠️ Status: STILL active as of this publication.
Don't wait for an incident to react. Dive into the full discovery, grab the IoCs, and take immediate steps to mitigate the risk and strengthen your posture.
Read the full FortiBleed breakdown here: https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/
#ThreatIntelligence #Fortinet #CyberSecurity #InfoSec #SOCRadar
Most state-sponsored groups stick to the script: espionage, data theft, or disruption. But the Iranian APT known as "Fox Kitten" operates on two tracks.
They are actively collecting intelligence for the regime, while simultaneously brokering network access to ransomware affiliates for profit. Basically, it’s a government-backed group acting like a financially motivated Initial Access Broker (IAB).
Their favorite way in? Exploiting internet-facing VPN and firewall devices.
This dual mission makes them incredibly disruptive. If they breach your network, you aren't just dealing with a quiet intelligence-gathering operation—you are likely staring down the barrel of a major ransomware deployment from whoever bought your access.
If you want to mitigate the risk, keeping those perimeter devices patched and setting up timely alerts for weird access patterns is non-negotiable.
Has anyone seen them probing their external infrastructure lately?
Don't let the name fool you. "Pink" is the newest data extortion syndicate hunting US organizations—and their entire operation kicks off with a simple phone call. Our team just dropped a massive teardown of Pink’s playbook, infrastructure, and highly evasive phishing kits.
Here is the TL;DR on what you need to know before your phone rings:
📞 The Vishing Hook: They play "helpful IT support" to herd employees into bespoke, highly convincing phishing traps.
👻 Ghost Kits: Targeting Entra ID and Okta, their phishing pages stay completely invisible until an attacker manually approves the session. Sandboxes and researchers get nothing but a blank stare.
🔓 Auth Subversion: Push MFA? Passkeys? Pink has dedicated workflows designed to bypass them both. They inject live number-matching codes and socially engineer users into handing over recovery words.
🎯 The Hit List: 92% of their lure infrastructure is aimed at the US, heavily zeroing in on Healthcare, Tech, and Finance.
🔄 The Origin: Likely a Com-affiliated rebrand of BlackFile/Redact. Their Data Leak Site went live in May 2026 and is already stacking up victims.
Click here for full analysis. https://hubs.la/Q04lbtbh0
What happens when a Ransomware-as-a-Service (RaaS) operation runs like a highly disciplined tech startup? You get Tengu. 👺📈
In less than six months, Tengu claimed around 50 victims before quietly rebranding as "Shisa" Ransomware in March 2026. They didn't just scale fast; they scaled smart.
Here is the playbook making them so effective:
🔹 Cross-Platform Reach: Actively targeting Windows, Linux, and ESXi environments.
🔹 Speed & Stealth: Utilizing fast intermittent encryption and LOLBins to stay under the radar.
🔹 Maximum Leverage: A ruthless double-extortion model fueled by credential abuse and rapid cloud exfiltration.
Tengu (now Shisa) is a stark reminder that structured affiliate models paired with low-noise tradecraft remain one of the most serious threats to enterprise networks. To strengthen your posture against evolving RaaS groups, relying on continuous visibility and timely alerts is absolutely critical.
Dive into our full Tengu Dark Web Profile to understand their tactics and track the rebrand.
There's a new supply chain threat out there. The Shai-Hulud group is back with a "Hades" wave hitting PyPI.
They've trojanized 19 packages across 37 malicious wheels. But the most interesting (and frustrating) part is the execution method: they are using Python startup hooks. This means the malicious code executes just by being installed in the environment—a developer doesn't even have to actually import the package into their code for the payload to trigger.
Once it runs, it goes straight for the good stuff: tokens, cloud creds, SSH keys, and CI secrets.
It’s a stark reminder of how a routine dependency install can easily turn into a massive downstream compromise. One infected dev machine can expose the whole pipeline.
How are you all auditing your Python environments to mitigate this kind of risk? Has anyone caught one of these Hades wheels in their CI/CD yet?
There's a new supply chain threat out there. The Shai-Hulud group is back with a "Hades" wave hitting PyPI.
They've trojanized 19 packages across 37 malicious wheels. But the most interesting (and frustrating) part is the execution method: they are using Python startup hooks. This means the malicious code executes just by being installed in the environment—a developer doesn't even have to actually import the package into their code for the payload to trigger.
Once it runs, it goes straight for the good stuff: tokens, cloud creds, SSH keys, and CI secrets.
It’s a stark reminder of how a routine dependency install can easily turn into a massive downstream compromise. One infected dev machine can expose the whole pipeline.
How are you all auditing your Python environments to mitigate this kind of risk? Has anyone caught one of these Hades wheels in their CI/CD yet?
Today, the pro-Iranian threat group Handala claimed "widespread and targeted signal disruption" of Israeli radar systems, timing the announcement with escalating missile exchanges in the region.
Here is what we know right now:
🔹The Claims:Alongside the radar claims, Handala shared screenshots of what appears to be a Tadiran Telecom Aeonix VoIP admin panel, allegedly belonging to the Kfar Yona municipality.
🔹 The Actor: The US DOJ officially ties Handala to Iran’s Ministry of Intelligence (MOIS).
🔹 The Track Record:They are capable of real damage (executing the March 2026 Stryker wiper attack), but they’ve also made highly disputed claims in the past.
As of now, the radar disruption remains unverified with no official response. In the fog of war, relying on verified threat intel and timely alerts is essential to understand the true battlefield and mitigate risk.
Read our full analysis as this developing situation unfolds on our blog.
#ThreatIntelligence #CyberWarfare #Handala #CyberSecurity #Geopolitics
When protocol efficiency becomes your biggest liability. 🚨
The newly detailed "HTTP/2 Bomb" is a masterclass in why default configurations are rarely secure. It effectively turns the speed and design of HTTP/2 into a potent DoS risk.
Here is why this should be on your radar today:
💥 It chains header amplification with a Slowloris-style connection hold.
📉 Attackers can exhaust your server memory using incredibly low bandwidth.
🔓 It impacts several major HTTP/2 stacks in their default setups.
⚠️ Proof-of-Concepts (PoCs) are already out in the wild.
To mitigate this threat and strengthen your posture, defenders need to ask one critical question: Where exactly does HTTP/2 terminate in your architecture, and what limits are actually being enforced at that edge?
Don't wait for your servers to tap out to find the answer. Check our Blog for more details.
When protocol efficiency becomes your biggest liability. 🚨
The newly detailed "HTTP/2 Bomb" is a masterclass in why default configurations are rarely secure. It effectively turns the speed and design of HTTP/2 into a potent DoS risk.
Here is why this should be on your radar today:
💥 It chains header amplification with a Slowloris-style connection hold.
📉 Attackers can exhaust your server memory using incredibly low bandwidth.
🔓 It impacts several major HTTP/2 stacks in their default setups.
⚠️ Proof-of-Concepts (PoCs) are already out in the wild.
To mitigate this threat and strengthen your posture, defenders need to ask one critical question: Where exactly does HTTP/2 terminate in your architecture, and what limits are actually being enforced at that edge?
Don't wait for your servers to tap out to find the answer. Check our Blog for more details.
Everyone is rushing to adopt AI, but the real question is: is your security posture actually ready for the fallout?
The AI Security Roadshow by SOCRadar® Extended Threat Intelligence is officially touching down in Istanbul! 🇹🇷
Join us for a heavy-hitting day of expert intel, deep dives into the AI threat landscape, and networking with the sharpest minds in cyber.
Don't let your latest tech upgrade become a threat actor's playground.
Let's strengthen your defense posture and stay ahead of the curve. 🚀
🗓️ Date: June 18, 2026
📍 Venue: Fairmont Quasar Istanbul
Let’s be real: keeping your skills sharp shouldn't cost an arm and a leg. Enter https://university.socradar.io/ —our learning hub built to help SOC analysts, cyber pros, and students level up their defensive game without draining their wallets.
Whether you're trying to break into the industry or you're a seasoned defender looking to rack up some CPE credits, we’ve got you covered.
What’s the deal?
This isn't just dry theory. We’re serving up actionable insights, dark web deep dives, and practical Cyber Threat Intelligence (CTI) workflows. We focus heavily on the global threat landscape and what threat actors are doing right now.
Why you should care:
💸 100% Free: No hidden paywalls. Keep your credit card in your wallet.
📜 Earn CPE Credits:Rack up 1 to 3 CPEs per course (perfect for ISACA, ISC2, etc.) to keep your CISSP, CISM, Sec+, or other certs active.
🌍 Real-World Tactics: We skip the fluff and focus on the current reality—from initial access brokers to Stealer-as-a-Service.
A few heavy-hitters to get you started:
🕵️ Fundamentals of the Dark Web (1 CPE): Unmask the underground economy, track Telegram stealer channels, and learn how the bad guys actually operate.
🤖 AI Fluency & GenAI Tools for Cyber Pros (3 CPEs): Move past basic prompts. Learn structured human-AI collaboration for threat reports, detection engineering, malware triage, and OSINT.
We’re constantly dropping new 2024/2025 content covering the latest vulnerabilities, stealer logs, and threat hunting techniques to help you strengthen your posture.
Stay sharp out there!
Zero-days don't take days off, and neither should your patching schedule. 🚨
Google just dropped its June 2026 Android update, and it’s a heavy hitter. They’re addressing CVE-2025-48595—a Framework zero-day that’s already seeing targeted exploitation in the wild.
The rundown:
🔹 Local privilege escalation
🔹 Impacts Android 14, 15, 16, and 16-QPR2
🔹 Officially added to the CISA KEV list
🔹 124 total vulnerabilities addressed in this rollout
If you're managing an Android fleet, bumping this to the top of your to-do list helps mitigate serious risk and strengthens your mobile posture. Time to get patching! 📱🔧
Zero-days don't take days off, and neither should your patching schedule. 🚨
Google just dropped its June 2026 Android update, and it’s a heavy hitter. They’re addressing CVE-2025-48595—a Framework zero-day that’s already seeing targeted exploitation in the wild.
The rundown:
🔹 Local privilege escalation
🔹 Impacts Android 14, 15, 16, and 16-QPR2
🔹 Officially added to the CISA KEV list
🔹 124 total vulnerabilities addressed in this rollout
If you're managing an Android fleet, bumping this to the top of your to-do list helps mitigate serious risk and strengthens your mobile posture. Time to get patching! 📱🔧
Let’s be real: keeping your skills sharp shouldn't cost an arm and a leg. Enter https://university.socradar.io/ —our learning hub built to help SOC analysts, cyber pros, and students level up their defensive game without draining their wallets.
Whether you're trying to break into the industry or you're a seasoned defender looking to rack up some CPE credits, we’ve got you covered.
What’s the deal?
This isn't just dry theory. We’re serving up actionable insights, dark web deep dives, and practical Cyber Threat Intelligence (CTI) workflows. We focus heavily on the global threat landscape and what threat actors are doing right now.
Why you should care:
💸 100% Free: No hidden paywalls. Keep your credit card in your wallet.
📜 Earn CPE Credits:Rack up 1 to 3 CPEs per course (perfect for ISACA, ISC2, etc.) to keep your CISSP, CISM, Sec+, or other certs active.
🌍 Real-World Tactics: We skip the fluff and focus on the current reality—from initial access brokers to Stealer-as-a-Service.
A few heavy-hitters to get you started:
🕵️ Fundamentals of the Dark Web (1 CPE): Unmask the underground economy, track Telegram stealer channels, and learn how the bad guys actually operate.
🤖 AI Fluency & GenAI Tools for Cyber Pros (3 CPEs): Move past basic prompts. Learn structured human-AI collaboration for threat reports, detection engineering, malware triage, and OSINT.
We’re constantly dropping new content covering the latest vulnerabilities, stealer logs, and threat hunting techniques to help you strengthen your posture.
Check it out and enroll for free here:https://university.socradar.io/
Stay sharp out there!