July 18, 2026

FortiBleed: The FortiGate Credential-Harvesting Campaign — Full Intelligence Report

Protos Labs Threat Intelligence

#FortiBleed #Fortinet #FortiGate #CredentialTheft #Ransomware #INCRansom #Lynx #ThreatIntelligence #CyberSecurity

FortiBleed Investigation — Cyber Threat Intelligence Report

TLP:CLEAR Analyst: Protos AI Threat Intelligence Date: 2026-07-16 Reporting Period: 2026-02-01 → 2026-07-16

Executive Summary

Overall Severity
Critical
Internet-facing FortiGate credential exposure created a high-probability path to downstream intrusion and ransomware abuse.
Confidence
High
Campaign existence and scale are well supported; identity equivalence and attribution pivots are narrower.
Reporting Period
2026-02-01 → 2026-07-16
Window requested for the FortiBleed investigation.
Recommended Action
Invalidate FortiGate credentials and hunt for post-VPN reuse
Immediate priority for exposed and internet-facing environments.

FortiBleed should be treated as a Critical credential-exposure and access-brokering event affecting internet-facing FortiGate systems. The strongest evidence supports the campaign’s existence, scale, and custom tooling, while geopolitical attribution remains narrower and the operator-handle pivot at @Clarksome is best treated as a Low Confidence attribution support point rather than proof of actor identity.

The ransomware linkage evidence is also strong, but its meaning needs careful framing. SOCRadar-style reporting supports a High Confidence claim that FortiBleed-derived access was linked to ransomware operations involving INC Ransom and Lynx; the disputed point is whether the FortiBleed operator was a separate initial-access broker selling access or was directly operated by, or overlapping with, those ransomware crews.

Defensive priority remains straightforward: reset FortiGate VPN and administrative passwords, verify PBKDF2 migration after upgrades, review firewall/VPN/authentication/domain-controller logs, and hunt for downstream reuse into AD, SMB, and related internal services. Because direct retrieval of some primary-source material was blocked, the report distinguishes between well-supported operational conclusions and lower-confidence attribution pivots rather than overstating certainty.

Key Findings

1. FortiBleed was a real, large-scale FortiGate credential-theft and access-brokering operation. HIGH CONFIDENCE

The available evidence consistently shows a campaign that began with leaked credentials and active exploitation claims, then expanded into credential spraying, harvesting, and post-compromise access processing. The scale increased across reporting waves, ranging from roughly 74,000 exposed devices to much larger campaign-level targeting estimates.

2. The campaign used custom tooling and structured operator infrastructure. HIGH CONFIDENCE

Recovered and summarized reporting names multiple tools and workflow components, including forticheck, FortigateSniffer, CyberStrike Harvester, Hashtopolis, and HashPanel. This profile is consistent with an organized access factory rather than opportunistic phishing alone.

3. FortiBleed-derived access was credibly linked to ransomware operations, especially INC Ransom and Lynx. HIGH CONFIDENCE

The strongest linkage evidence supports a downstream-use model: FortiBleed-derived operator activity was observed in connection with INC Ransom and Lynx negotiation environments, but the evidence does not prove a single merged organization. The best-supported interpretation is a commercial access-broker relationship with shared operator overlap.

4. Russian or Russian-speaking attribution is plausible, but not fully proven in the accessible evidence. MEDIUM CONFIDENCE

The preserved timeline notes attribution coverage pointing toward a Russian initial access broker, but the underlying primary source text was not fully accessible. The analytical position is therefore cautious: attribution remains plausible, yet the stronger and more defensible conclusion is operational linkage to ransomware ecosystems rather than definitive geopolitical identity.

5. Immediate remediation should assume exposed FortiGate credentials are operationally usable by attackers. HIGH CONFIDENCE

Defensive guidance in the preserved material is consistent: rotate VPN and administrative passwords, enforce MFA, review firewall/VPN/authentication/domain-controller logs, and verify PBKDF2 migration after upgrade. In practice, this means exposed devices should be treated as compromised until validated otherwise.

Risk Assessment

Risk AreaSeverityAssessmentRationale
Exposure of FortiGate VPN/admin credentials Critical Immediate compromise risk Leaked credentials and password-spraying activity make unauthorized access highly plausible on internet-facing devices.
Downstream internal pivoting High Likely AD/SMB reuse Preserved guidance specifically calls for reviewing domain controller and SMB-relevant logs because exposed FortiGate credentials can be reused internally after VPN access.
Ransomware monetization High Credible downstream abuse Linkage reporting places FortiBleed-derived access in INC Ransom and Lynx panels, supporting a monetization path through ransomware ecosystems.
Geopolitical attribution certainty Medium Likely but incomplete Russian-linked attribution is plausible, but primary-source access was limited and the best-supported conclusion is operational relationship, not final actor identity.

IOC Table

Defanged indicators below are preserved for hunting and correlation. Where evidence is only summary-level, the observables are labeled as such and not overstated. The current evidence base includes Arctic Wolf-derived hashes, infrastructure pivots, and tooling references; it does not preserve an extractable YARA rule or YARA-derived detection artifact.

TypeValueContextConfidenceEvidence
SHA-2562758f4d71a2a2dfdefab81737c2d776b2a3dafe5844fdd2157e089a28447ca98CyberStrike Harvester / harvest_origHighRecovered binary hash
SHA-256479ae5fd7274439ddfa27bc03298ebfdfc5ff17f6412acccf74d4dbd90d94218Telegram hashcat bot bot.pyHighRecovered bot artifact
SHA-256874bcb1c3d050a5b5b333a2198f504fcb27927c2abdd43b07440188a380c52d5ad_full_audit.pyHighAdditional Arctic Wolf-derived hash listed in the preserved IOC notes
SHA-25638353f95fff270f4e3a9d7add8c64666020dd668ce66e15969a736ec48cadc59ad_enum.pyHighAdditional Arctic Wolf-derived hash listed in the preserved IOC notes
SHA-2564253dd1a4c0867b0be7732f75b2f630cebfb7fed94270e15fb3b12ae40546d01backup_dfs.pyHighAdditional Arctic Wolf-derived hash listed in the preserved IOC notes
SHA-2569eaa577c8ba71646928c1c34c3145536b0498f65f26060a6ba00744bcef57644backup_dfs2.pyHighAdditional Arctic Wolf-derived hash listed in the preserved IOC notes
IPv4193[.]8[.]187[.]42SSH staging / exfiltration hostMediumInfrastructure pivot
IPv4:port85[.]11[.]187[.]8:8443Hashtopolis / API endpointMediumInfrastructure pivot
Handle@ClarksomeTelegram admin referenceLowPreserved account handle, but linkage significance is limited to source treatment and should not be read as proof of actor identity
Account / credential pairadminin:ITAdmin@888Planted credential pair observed in the recovered campaign materialLowHandle as a planted or test credential observable rather than a validated live account pair; the accessible evidence frames credential pairs at summary level and does not prove active use
Account-based observabledisguised / operator-admin accountsAccounts referenced in public coverage but not individually enumeratedLowOnly summary-level evidence exists in the accessible material; the report does not preserve the underlying account names, so this remains a hunt hint rather than a discrete IOC
ToolforticheckFortiGate admin / SSL-VPN checkerHighSpraying / validation tool
ToolFortigateSnifferCredential-harvesting snifferHighPost-compromise sniffer
ToolCyberStrike HarvesterCredential-processing componentHighCredential workflow
ToolHashtopolisDistributed cracking infraHighCracking management
ToolHashPanelHash-cracking control panelHighOperator panel

MITRE ATT&CK Mapping

The mapping below is limited to behaviors supported by the preserved evidence base. Where the evidence is summary-level or inferred, the confidence is lowered accordingly. Additional supported mappings preserved in the timeline include Active Scanning, Domain Account Discovery, Valid Accounts, and Brute Force support activity, but only where the source text explicitly supports them.

Observed FortiBleed behaviorATT&CK tactic / techniqueConfidenceEvidence basis
Mass scanning of FortiGate /remote/login endpoints Reconnaissance / Active Scanning (T1595) High The preserved timeline explicitly reports 320,777 FortiGate endpoints mass-scanned.
Mass login attempts against FortiGate VPN portals using large credential sets Credential Access / Password Spraying (T1110.003) and Valid Accounts (T1078) High The preserved timeline explicitly describes 1.16 billion login combinations and 3,639 credential pairs used against FortiGate logins.
Passive capture of authentication traffic from FortiGate devices Credential Access / Network Sniffing (T1040) High FortigateSniffer is described as passively intercepting authentication traffic and extracting credentials from multiple protocols.
Reuse of captured VPN session cookies to hijack access Initial Access / Credential Access / Web Session Cookie (T1539) High The preserved timeline states that captured session cookies were replayed through OpenConnect to hijack live VPN sessions.
Domain controller and internal directory access after VPN compromise Discovery / Domain Account Discovery (T1087) Medium The preserved timeline notes Active Directory access, AD dumps, file-share exfiltration, Kerberos ticket collection, and GPO template access; this is enough to support discovery-oriented mapping, but the evidence remains summary-level.
Post-compromise credential processing and cracking workflow Credential Access / Brute Force support activity Medium Custom tooling and cracking infrastructure including CyberStrike Harvester, Hashtopolis, and HashPanel support offline credential recovery, but the exact operational steps are only partly preserved in summary form.
Downstream ransomware deployment after access acquisition Impact / Data Encrypted for Impact (T1486) High The preserved timeline links FortiBleed-derived access to ransomware deployment, but does not prove that every ransomware event was executed by a single unified FortiBleed actor.

Prioritized Recommendations

PriorityActionWhat to doWhy it matters
1 Credential reset Reset all FortiGate VPN and administrative passwords on internet-facing devices; rotate any potentially reused downstream credentials. Exposed credentials should be assumed operationally usable until invalidated.
2 Log hunt and containment Review firewall, VPN, authentication, domain-controller, and SMB logs for failed logins followed by success, new admin activity, unusual source geographies, and post-VPN lateral movement. The campaign is explicitly associated with credential reuse and internal pivoting risk.
3 Patch and validate Upgrade to fixed FortiOS releases (7.2.11, 7.4.8, 7.6.1 or later) and require a post-upgrade administrator login to force password-hash migration. Patching alone may not remove legacy SHA-256 password exposure until migration completes.
4 Harden remote management Restrict administrative access to trusted networks, require MFA, and remove unnecessary internet exposure for management interfaces. This reduces the attack surface used in the initial credential-spraying phase and limits repeated compromise attempts.
5 Monitor for ransomware handoff Search for negotiation-panel, exfiltration, and ransomware deployment indicators tied to the same source networks, credentials, or operator handle. FortiBleed-derived access has been linked to INC Ransom and Lynx activity, so early detection should include downstream monetization channels.

Limits, Gaps, and Confidence Boundaries

The main limitation in this investigation is partial access to primary-source material. The CSA advisory URL could not be directly retrieved, and the SOCRadar-derived primary report was not fully available; as a result, some conclusions are based on preserved summaries and corroborating news coverage rather than the original investigative packet.

This primarily affects attribution precision and exact source wording, not the existence of the campaign or the need for remediation. The evidence is strongest for the operational reality of FortiBleed, the use of custom tooling, and the downstream ransomware linkage; it is weaker for definitive geopolitical attribution and for any claim that the implicated ransomware brands and FortiBleed are the same organization.

Sources

  1. CISA advisory summary — https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposure
  2. Security Affairs — https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html
  3. Orca Security Blog — https://orca.security/resources/blog/fortibleed-credential-theft-vulnerability/
  4. Security Affairs — https://securityaffairs.com/194645/security/430000-fortigate-devices-exposed-in-fortibleed-ransomware-link.html
  5. SecurityWeek — https://www.securityweek.com/russian-initial-access-broker-behind-fortibleed-campaign/
  6. SecurityWeek — https://www.securityweek.com/fortibleed-campaign-linked-to-inc-lynx-ransomware-attacks/
  7. SecurityWeek — https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/
  8. SecurityWeek — https://www.securityweek.com/fortinet-responds-to-fortibleed-campaign/
  9. CSO Online — https://www.csoonline.com/article/4186790/fortibleed-campaign-exposes-75000-fortinet-firewalls-worldwide.html
  10. Infosecurity Magazine — https://www.infosecurity-magazine.com/news/ncsc-fortinet-customers-tackle/
  11. Arctic Wolf Blog — https://arcticwolf.com/resources/blog/inside-fortibleed-reverse-engineering-the-cyberstrike-harvester-behind-a-global-fortigate-credential-factory/
EXPERIENCE PROTOS AI

Run your own deep-dive analysis with Protos AI.

Protos AI automates CTI investigations using agentic AI — from OSINT collection to structured analysis. Speak to our team to see it in action.

Download Full Report

FortiBleed: The FortiGate Credential-Harvesting Campaign — Full Intelligence Report


Inquire Now
Inquire Now
Oops! Something went wrong while submitting the form.