FortiBleed Links Fortinet to INC, Lynx Ransom Ops
The FortiBleed credential theft campaign is now directly linked to the INC Ransom and Lynx ransomware-as-a-service operations, according to SOCRadar's Threat Research Unit (STRU). The finding shows that mass harvesting of Fortinet FortiGate firewall credentials has moved from isolated data leaks into active ransomware deployment. Initial reports identified 73,932 unique Fortinet firewall URLs across 194 countries and 21,632 affected domains, and the campaign attempted 1.16 billion credential logins against more than 320,000 FortiGate targets.
STRU's investigation found the campaign targeted over 430,000 FortiGate firewalls globally using a custom credential sniffing tool. Researchers later uncovered more than 200 additional operational servers and identified an operator associated with FortiBleed infrastructure engaging with victim negotiation panels for both INC Ransom and Lynx. This connection is the first confirmed instance of widespread FortiGate credential theft directly leading to ransomware deployments.
Further findings include persistent backdoor accounts using the username "adminin" on compromised devices. Five hundred servers were seized, including one central to Lynx and INC Ransom negotiations. Investigators are also tracing the same actors' exploitation of a previously undisclosed Nextcloud zero-day vulnerability, used to extend access inside victim networks.
How FortiBleed Actors Exploit Fortinet Devices and the Scope of the Operation
FortiBleed actors, tied to the INC Ransom and Lynx ransomware groups, harvest credentials from Fortinet FortiGate firewalls with a custom credential sniffing tool; the stolen credentials give them VPN access, which is then used to deploy ransomware. The campaign initially focused on collecting credentials from over 430,000 FortiGate devices worldwide. Hudson Rock's early observations noted 73,932 unique Fortinet firewall URLs across 194 countries, impacting 21,632 distinct domains.
SOCRadar's Threat Research Unit (STRU) confirmed 1.16 billion credential attempts were made against more than 320,000 FortiGate targets. Many successful logins resulted from previously leaked credentials or infections by information-stealing malware, not simple brute-force attacks; lockout thresholds therefore offer little protection, while rotating exposed credentials and requiring MFA on SSL-VPN do. STRU's analysis uncovered over 200 operational servers beyond the initially reported clusters, indicating a more expansive operation.
Access to one of these servers provided researchers with internal files, logs, and operational documents. These materials contained direct evidence of an operator managing victim negotiation panels for both INC Ransom and Lynx groups. FortiBleed victim data matching those tracked by INC Ransom shows direct use of stolen firewall access for ransomware and extortion. PurpleOps has reported on the surge of Lynx ransomware.
Persistent backdoor accounts with the username "adminin" were found on compromised devices, indicating an intent to maintain long-term access. Approximately 19,000 Fortinet devices were initially subject to traffic sniffing; this number decreased to about 11,000 after SOCRadar sent notifications. The investigation also resulted in the seizure of 500 servers, including one instrumental in Lynx and INC Ransom negotiations, disrupting parts of the attack infrastructure.
Beyond FortiGate, the actors exploit a previously undisclosed Nextcloud zero-day vulnerability to extend access. Technical specifics and affected versions are not public as SOCRadar coordinates with the vendor. Additionally, Citrix-related target lists detailing approximately 29,000 IP addresses and 37 domains were discovered, suggesting a broader targeting scope. Further information on credential theft mechanisms is available in our analyses of FortiBleed FortiGate credential stealer and Fortinet VPN credential leak.
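The two FortiGate observations above (successful logins from leaked or stealer-harvested credentials rather than brute force, and "adminin" backdoor administrators) can both be hunted in FortiOS event logs. The following is an added example written for this digest, not SOCRadar's or Fortinet's code. It parses FortiOS key=value log lines and flags (1) any system.admin object added outside an allow-list and (2) any source address with many SSL-VPN failures spread across many usernames, which is the stuffing signature rather than one user mistyping. The allow-list, the threshold and the sample lines are assumptions; the sample lines are constructed to follow FortiOS field naming (cfgpath, cfgobj, ui, remip, action) and are not real telemetry, and log IDs are deliberately omitted.

```python
import re
from collections import Counter, defaultdict

# Assumptions for this example: the device's legitimate administrator names and the
# per-source failure threshold. Tune both to your environment.
AUTHORIZED_ADMINS = {"admin", "fw-ops"}
FAIL_THRESHOLD = 5

# FortiOS writes logs as space-separated key=value pairs; values with spaces are quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line):
    """Parse one FortiOS key=value log line into a dict with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_rogue_admins(events):
    """Return (account, admin session) for every system.admin object added outside the allow-list.

    The config-change event carries cfgpath="system.admin" and cfgobj=<new account name>;
    the ui field records the protocol and source address of the session that made the change.
    """
    hits = []
    for e in events:
        if e.get("cfgpath") == "system.admin" and e.get("action") == "Add":
            name = e.get("cfgobj", "")
            if name not in AUTHORIZED_ADMINS:
                hits.append((name, e.get("ui", "")))
    return hits


def find_stuffing_sources(events, threshold=FAIL_THRESHOLD):
    """Return {remip: (failures, distinct_users)} for sources with >= threshold SSL-VPN failures.

    Credential stuffing from a stealer-log dump shows up as many failures spread over many
    usernames from one source; a single user mistyping a password does not.
    """
    counts = Counter()
    users = defaultdict(set)
    for e in events:
        if e.get("subtype") == "vpn" and e.get("action") == "ssl-login-fail":
            ip = e.get("remip", "")
            counts[ip] += 1
            users[ip].add(e.get("user", ""))
    return {ip: (n, len(users[ip])) for ip, n in counts.items() if n >= threshold}


# --- Constructed sample log (not real telemetry), in FortiOS key=value style. ---
def _vpn_fail(ts, user, ip):
    return (f'date=2025-06-01 time={ts} devname="FGT-EDGE" type="event" subtype="vpn" '
            f'level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" '
            f'tunneltype="ssl-web" user="{user}" remip={ip} '
            f'reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"')


SAMPLE_LOG = "\n".join([
    # one source cycling through many accounts: the stuffing signature
    _vpn_fail("08:00:01", "alice", "198.51.100.7"),
    _vpn_fail("08:00:02", "bob", "198.51.100.7"),
    _vpn_fail("08:00:03", "carol", "198.51.100.7"),
    _vpn_fail("08:00:04", "dave", "198.51.100.7"),
    _vpn_fail("08:00:05", "erin", "198.51.100.7"),
    _vpn_fail("08:00:06", "alice", "198.51.100.7"),
    # a genuine user who mistyped once, then connected
    _vpn_fail("08:10:00", "alice", "203.0.113.5"),
    'date=2025-06-01 time=08:10:05 devname="FGT-EDGE" type="event" subtype="vpn" level="information" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" '
    'remip=203.0.113.5 msg="SSL tunnel established"',
    # backdoor admin added over SSH from the stuffing source
    'date=2025-06-01 time=08:15:00 devname="FGT-EDGE" type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="ssh(198.51.100.7)" action="Add" '
    'cfgpath="system.admin" cfgobj="adminin" msg="Add system.admin adminin"',
    # legitimate admin added from the management network
    'date=2025-06-01 time=09:00:00 devname="FGT-EDGE" type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="gui(10.0.0.8)" action="Add" '
    'cfgpath="system.admin" cfgobj="fw-ops" msg="Add system.admin fw-ops"',
])


def analyze(log_text):
    """Run both detections over a block of log text."""
    events = [parse_fortios_line(l) for l in log_text.splitlines() if l.strip()]
    return {"rogue_admins": find_rogue_admins(events),
            "stuffing_sources": find_stuffing_sources(events)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Correlating the two outputs is the useful step: an admin object added from the same address that was stuffing the VPN minutes earlier is a strong signal. The log check complements, rather than replaces, reading `config system admin` from the running configuration of every exposed device, since an attacker with admin access can also disable or redirect logging.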
What the Armored Likho APT Group Uses to Target Government and Energy Sectors
The Armored Likho APT group, also known as Eagle Werewolf, deploys the BusySnake Stealer in targeted campaigns against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. This group combines financially motivated attacks on private individuals with cyber-espionage against organizations. Armored Likho's toolkit includes obfuscated, modular Remote Access Trojans (RATs) and information stealers designed to bypass dynamic analysis, along with simpler tools such as Go2Tunnel for remote access.
The initial infection vector typically uses spear-phishing emails with malicious attachments in archive files, often disguised as official government notices or social program applications. These archives contain executable (EXE) or LNK files, with names like psihologicheskiy_test.exe or zayavka_gumanitarnayapomosch.rar. In some campaigns, the group used the ZDI-CAN-25373 shortcut vulnerability to obscure execution parameters within LNK files, making detection harder.
Once executed, these initial payloads download and deploy the BusySnake Stealer. This previously undocumented, Python-based infostealer targets Windows systems and features strong evasion techniques. Its source code is obfuscated and encrypted using PyArmor Pro version 9.2.0: bytecode is decrypted only when a function is called and re-encrypted immediately after it returns. The stealer runs silently in the background; its .pyw extension means Windows launches it with pythonw.exe, which opens no console window.
The stealer's architecture uses distinct handlers for various functions:
- single_instance_lock: Prevents multiple instances from running.
- start_key_clipboard_logger: Harvests data from the system clipboard.
- start_inventory_background: Enumerates files, logging metadata and searching for 64-character hexadecimal keys.
- start_send_documents_priority_background: Exfiltrates user documents up to 5 MB in size.
- take_screenshot/archive_pngs: Captures and archives screenshots.
- poll_task: Waits for incoming commands from the C2 server.
- ensure_schtask: Maintains persistence via scheduled tasks.
Command and Control (C2) commands allow BusySnake Stealer to perform extensive data exfiltration: decrypting stored passwords from Chromium-based and Firefox browsers, extracting cookies either by querying the browser database or by installing a browser extension, and harvesting Telegram session and credential data from the tdata directory. The stealer can also scrape for two-factor authentication (2FA) secrets, find cryptocurrency wallet JSON files, and establish reverse SSH tunnels; the built-in tunneling replaces the group's older standalone Go2Tunnel utility.

A newer version of BusySnake Stealer uses the win32com.client library to create scheduled tasks more stealthily and executes Python scripts directly in memory without writing them to disk. Researchers also noted code characteristics in the initial payloads, such as verbose comments and bullet-point emojis, suggesting that Large Language Models (LLMs) were used to generate malicious code, a trend that blurs traditional attribution signals.
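The persistence traits described above (a .pyw payload run without a console, a scheduled task as the anchor, and newer builds creating that task through win32com.client and running code in memory) all leave the same footprint in the task definition itself. Creating a task through the Schedule.Service COM interface avoids spawning schtasks.exe, so process-creation telemetry will not show it, but the task XML under C:\Windows\System32\Tasks (or from `schtasks /query /xml /tn <name>`) and Security event 4698, where audited, still record it. The following is an added example for this digest, not code from Kaspersky or from the malware, that scores a task definition on those traits. The interpreter names, the user-writable path fragments, the two-indicator threshold and both sample definitions are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler XML namespace (fixed in Windows).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumptions for this example: interpreters a Python loader would be launched under, and
# path fragments a normal user can write to (vendor software normally lives elsewhere).
SUSPECT_HOSTS = {"pythonw.exe", "python.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def inspect_task_xml(xml_text):
    """Return a list of reasons a task definition looks like BusySnake-style persistence.

    An empty list means nothing matched. Works on the XML from `schtasks /query /xml /tn <name>`
    (decode the UTF-16 output to str before calling) or on files under
    C:\\Windows\\System32\\Tasks, regardless of whether the task was created with schtasks.exe
    or through the Schedule.Service COM interface.
    """
    root = ET.fromstring(xml_text)
    reasons = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        host = PureWindowsPath(cmd).name.lower()
        blob = (cmd + " " + args).lower()
        if host in SUSPECT_HOSTS:
            reasons.append(f"python interpreter as task host: {host}")
        if ".pyw" in blob:
            reasons.append("runs a .pyw script (no console window)")
        if host in SUSPECT_HOSTS and " -c " in f" {args} ":
            reasons.append("inline code passed with -c (nothing on disk to scan)")
        if any(frag in blob for frag in USER_WRITABLE):
            reasons.append("interpreter or script in a user-writable directory")
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    return reasons


def is_suspicious(xml_text, min_reasons=2):
    """Treat a task as suspicious when at least min_reasons indicators fire (assumed threshold)."""
    return len(inspect_task_xml(xml_text)) >= min_reasons


# --- Constructed sample definitions (not taken from a real infection). ---
MALICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\u\\AppData\\Local\\Programs\\Python\\Python312\\pythonw.exe</Command>
      <Arguments>"C:\\Users\\u\\AppData\\Roaming\\svc\\update.pyw"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\Updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, inspect_task_xml(xml))
```

Scoring on several weak indicators rather than one keeps a developer's own `pythonw.exe` task from firing on its own while still catching the combination the stealer needs: an interpreter it controls, a script in a directory it can write to, and a task it does not want the user to see.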
Google Dismantles the NetNut Residential Proxy Network
Google's Threat Intelligence Group (GTIG), collaborating with the FBI and Lumen, has significantly degraded NetNut. This prominent residential proxy network, also tracked as Popa, has seen its pool of usable home devices substantially reduced. This network, estimated to comprise at least 2 million devices worldwide, including smart TVs and streaming boxes, routes traffic through unsuspecting users' internet connections, allowing malicious actors to mask their true origins.
A residential proxy network enables cybercriminal and espionage activities by selling access to real home IP addresses. Attackers pay to route their traffic through these connections, making it appear as legitimate home browsing and bypassing security tools designed to block datacenter traffic. NetNut builds its network by distributing code through pre-installed software on cheap, off-brand hardware and via free applications that secretly embed the proxy functionality. Once activated, a device becomes an "exit node," allowing third-party traffic to flow through the homeowner's internet connection.
GTIG identified 316 distinct threat clusters using suspected NetNut exit nodes in a single week in June. These included both cybercriminal and espionage groups using the network to hide their location and conduct operations such as password-guessing attacks. Exit nodes within home networks can also give attackers a foothold to access other connected devices. Some have been integrated into larger botnets like Mirai and Badbox 2.0.
NetNut is owned by Alarum Technologies (NASDAQ: ALAR), a publicly traded Israeli company. Research by Qurium, Synthient, Nokia Deepfield, and Spur provided evidence linking Popa to NetNut. This showed that traffic sent through NetNut's commercial gateway exited via devices enrolled in Popa. While Alarum disputes the "botnet" label, claiming consented bandwidth-sharing without device compromise, independent testing by Synthient found no explicit user consent prompts in over 20 examined applications.
Disrupting NetNut is complex due to its extensive reseller program, which allows numerous seemingly independent proxy brands to operate using the same underlying network. Google describes this action as "degradation" rather than a complete "kill" because such networks can be resilient; operators often shift to buy capacity from rival providers. Google's previous efforts against similar networks, such as the China-based IPIDEA in January and legal action against Badbox 2.0 operators in July 2025, show the persistent nature of these threats.
Was a PEGA Committee Member Targeted by Pegasus Spyware?
Yes, Citizen Lab, a research group at the University of Toronto, reported that the phone of Stelios Kouloglou, a Greek journalist and former Member of the European Parliament (MEP) and substitute member of the European Parliament's PEGA Committee, was infected twice with NSO Group's Pegasus spyware. The infections occurred around October 2022 and March 2023. This is the first public confirmation of a PEGA Committee member being targeted by the spyware the committee was established to investigate.
The PEGA Committee formed in 2022 to investigate widespread spyware abuses across the European Union, specifically following revelations about the government deployment of NSO Group's Pegasus technology. Kouloglou's phone was infected during key phases of the committee's work: the first instance coincided with preparations for prominent hearings and the initial draft of its report, while the second occurred as the panel engaged in discussions related to the final drafting process.
Kouloglou had previously tested his phone's security before joining the committee. He initially believed his membership would deter such attempts due to the potential for significant scandal, especially given Greece's ongoing scrutiny over the use of Predator spyware. Citizen Lab did not identify the specific entity responsible for deploying Pegasus against Kouloglou's device.
Ron Deibert, founder and director of Citizen Lab, emphasized the irony and implications for democratic processes, stating that "Someone, somewhere likely wanted to breach parliamentary privilege and find out what was going on in that committee." Another PEGA Committee member, Hannah Neumann, expressed frustration, noting that while such hacks were anticipated, their confirmation shows a lack of respect for European democracy and parliamentarism. The incident shows the continued prevalence of mercenary spyware abuses and the persistent failure to implement the PEGA Committee's recommendations to prevent such targeting. Kouloglou has publicly announced his intention to pursue legal action against NSO Group.
Technical Takeaways
- The FortiBleed campaign uses a custom credential sniffing tool targeting Fortinet FortiGate firewalls, directly correlating stolen access with INC Ransom and Lynx ransomware deployment.
- Persistent backdoor accounts, specifically the "adminin" username, show a strategy for maintaining long-term access on compromised Fortinet devices.
- Armored Likho APT uses PyArmor Pro version 9.2.0 for obfuscation and dynamically decrypts bytecode for its BusySnake Stealer, demonstrating advanced evasion techniques.
- The BusySnake Stealer has multiple data exfiltration capabilities, including full browser credential and cookie theft, Telegram session harvesting, and integrated reverse SSH tunneling, improving on previous standalone tools.
- Google's GTIG uses multi-agency disruption tactics against residential proxy networks like NetNut, recognizing their distributed nature and reseller programs as key factors in their resilience.