SOCRadar links FortiBleed campaign targeting manufacturers to Lynx and INC ransomware attacks
Key Facts
- The hacker likely already found and exploited a zero-day vulnerability in Nextcloud, an open-source content collaboration platform.
- They also built ‘PENTEST LAB,’ a Docker-based multi-agent AI framework based on CyberStrike, leveraging Large Language Model (LLMs) via OpenRouter API to autonomously research zero-day vulnerabilities on multiple open-source software such as Nextcloud, Keycloak and Guacamole.
- The researchers also said they are investigating a suspected zero-day vulnerability affecting Nextcloud that may have been used during post-compromise activity.
- 3 out of 5 victims being present in the INC Ransom open directory could be correlated with FortiBleed: a Chinese manufacturer, a Japanese food wholesaler and a Taiwanese manufacturer.” The researchers noted that the hackers have different priorities depending on the country, with emerging markets serving as potential training grounds or testing grounds for their activities, which also provide a source of revenue and rapid intelligence, as oppo
- TOXMAN was found to utilize AI for various steps of the attack chain, such as tool development, operations and vulnerability research.
- Researchers said they identified an operator who had simultaneous access to FortiBleed infrastructure and ransomware negotiation panels of both groups, indicating that the credential theft campaign served as an initial access operation feeding downstream extortion attacks.
- “The starting point of the investigation involved a deeper examination of the FortiBleed infrastructure to uncover additional insights about the campaign,” SOCRadar researchers detailed in a Tuesday report.
- By leveraging critical operational security (OPSEC) failures in the group’s infrastructure management, it was possible to gain access to the threat actor’s artifacts.
- SOCRadar documented 409 organizations where attackers obtained administrator-level access, with 354 organizations fully compromised and at least 12 confirmed ransomware incidents resulting in encryption of hundreds of endpoints.
- “Given the scale and active nature of this operation, expansion of infrastructure continued through a combination of tools like Shodan, Censys, Validin, as well as our own IP block scans to identify additional operational servers, including sniffers and scanners.
The hacker likely already found and exploited a zero-day vulnerability in Nextcloud, an open-source content collaboration platform. They also built ‘PENTEST LAB,’ a Docker-based multi-agent AI framework based on CyberStrike, leveraging Large Language Model (LLMs) via OpenRouter API to autonomously research zero-day vulnerabilities on multiple open-source software such as Nextcloud, Keycloak and Guacamole.
The Threat Activity
The researchers also said they are investigating a suspected zero-day vulnerability affecting Nextcloud that may have been used during post-compromise activity.
Further details indicate that 3 out of 5 victims being present in the INC Ransom open directory could be correlated with FortiBleed: a Chinese manufacturer, a Japanese food wholesaler and a Taiwanese manufacturer.” The researchers noted that the hackers have different priorities depending on the country, with emerging markets serving as potential training grounds or testing grounds for their activities, which also provide a source of revenue and rapid intelligence, as oppo
TOXMAN was found to utilize AI for various steps of the attack chain, such as tool development, operations and vulnerability research.
Researchers said they identified an operator who had simultaneous access to FortiBleed infrastructure and ransomware negotiation panels of both groups, indicating that the credential theft campaign served as an initial access operation feeding downstream extortion attacks.
Scope & Targeting
SOCRadar documented 409 organizations where attackers obtained administrator-level access, with 354 organizations fully compromised and at least 12 confirmed ransomware incidents resulting in encryption of hundreds of endpoints. Similarly, the evidence provided insight into the attackers’ victimology, revealing increased targeting of organizations across Latin America and the Asia-Pacific region. The campaign primarily focused on manufacturing and technology organizations, reflecting a high-volume strategy aimed at small and mid-sized enterprises.
By leveraging critical operational security (OPSEC) failures in the group’s infrastructure management, it was possible to gain access to the threat actor’s artifacts.
SOCRadar documented 409 organizations where attackers obtained administrator-level access, with 354 organizations fully compromised and at least 12 confirmed ransomware incidents resulting in encryption of hundreds of endpoints.
Analysis
The incident highlights the continued pressure ransomware operators are placing on organizations worldwide.
Threat intelligence teams should add the described indicators of compromise to their detection rules, hunting playbooks, and SIEM correlation logic. Network defenders should monitor for the described tactics, techniques, and procedures across their environment, focusing on the MITRE ATT&CK techniques referenced in available reporting. Information sharing with industry partners, ISACs, and government agencies can accelerate collective response. Intelligence analysts should assess whether this activity overlaps with previously tracked threat actors or represents a new campaign. Strategic intelligence briefings should be prepared for leadership to communicate business risk and justify security investments.
Industry observers note that this type of development highlights the ongoing need for defense-in-depth strategies and proactive security posture management. Organizations that invest in regular security assessments and employee training tend to fare better when responding to emerging threats. The security community continues to share indicators and best practices to help defenders stay ahead.
Sources
Sources & References
- Source referenced in coverage https://industrialcyber.co/ransomware/socradar-links-fortibleed-campaign-targeting-manufacturers-to-lynx-and-inc-ransomware-attacks/
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
Pakistan-Linked APT36 Exploits 'Pahalgam' Terror Attack Theme in Cyber-Espionage Campaign Against India
The Pakistan-linked APT group APT36 (Transparent Tribe) is using a 'Pahalgam terror attack' lure in a multi-pronged cyber-espionage campaign targeting India.
Threat Intelligence"Prestige" Ransomware Hits Poland and Ukraine
The Microsoft Threat Intelligence Center (MSTIC) has found evidence of a novel ransomware campaign using a hitherto unidentified ransomware payload that targets businesses in the logistics and tran...
Threat IntelligenceBIAS: Bluetooth Impersonation AttackS
[Daniele Antonioli](<https://francozappa.github.io/about-bias/authors/francozappa/) (Postdoc at the EPFL Cyber-Physical Systems Security, Network Security, Wireless Security, Embedded Systems Securit
Threat IntelligenceChinese-linked hackers targeted US, Canadian research facilities for a year: Google Threat Alert
Between September 2023 and November 2025, the hackers sought information related to defense intelligence, military strategy in the Indo-Pacific, artificial...