{"id":1926,"date":"2026-07-02T16:40:31","date_gmt":"2026-07-02T16:40:31","guid":{"rendered":"https:\/\/www.tsfactory.com\/forums\/?p=1926"},"modified":"2026-07-02T16:40:31","modified_gmt":"2026-07-02T16:40:31","slug":"fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations","status":"publish","type":"post","link":"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/","title":{"rendered":"FortiBleed campaign traced to INC and Lynx ransomware operations"},"content":{"rendered":"<p>A massive credential-harvesting campaign, dubbed FortiBleed, is linked to two ransomware-as-a-service operations, tracked as INC ransom and Lynx,\u00a0<a href=\"https:\/\/socradar.io\/blog\/fortibleed-inc-lynx-ransomware-link\/\">according to a blog post<\/a>\u00a0Wednesday by cybersecurity firm SOCRadar.<\/p>\n<p>An operator with access to FortiBleed infrastructure was found to be logged into negotiation panels for INC as well as Lynx, researchers said.<\/p>\n<p>In certain cases, the attacks may have involved exploitation of a vulnerability in a content collaboration platform called Nextcloud. The analysis is still ongoing, so a public advisory or common vulnerabilities and exposures number has not yet been assigned.<\/p>\n<p>\u201cThe Nextcloud issue appears to have been used as part of the attackers\u2019 broader operational workflow, likely for expansion or infrastructure access after initial compromise,\u201d Ensar Seker, CISO at SOCRadar, told Cybersecurity Dive.<\/p>\n<p>Not all cases involved Nextcloud, nor was compromise fully dependent on exploitation of the zero day.<\/p>\n<p>The\u00a0<a href=\"https:\/\/www.cybersecuritydive.com\/news\/cisa-device-hardening-thousands-fortinet-credentials-compromised\/823397\/\">Cybersecurity and Infrastructure Security Agency<\/a>\u00a0last month warned that hackers have been targeting both government and private-sector organizations using tens of thousands of compromised Fortinet firewall and virtual private network credentials.<\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/824348\/\">Read the Full Story Here<\/a><\/p>\n<p>Source: Cybersecurity Dive<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A massive credential-harvesting campaign, dubbed FortiBleed, is linked to two ransomware-as-a-service operations, tracked as INC ransom and Lynx,\u00a0according to a blog post\u00a0Wednesday by cybersecurity firm SOCRadar. An operator with access to FortiBleed infrastructure was found to be logged into negotiation panels for INC as well as Lynx, researchers said. In certain cases, the attacks may [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1927,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1926","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>FortiBleed campaign traced to INC and Lynx ransomware operations - Community<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"FortiBleed campaign traced to INC and Lynx ransomware operations - Community\" \/>\n<meta property=\"og:description\" content=\"A massive credential-harvesting campaign, dubbed FortiBleed, is linked to two ransomware-as-a-service operations, tracked as INC ransom and Lynx,\u00a0according to a blog post\u00a0Wednesday by cybersecurity firm SOCRadar. An operator with access to FortiBleed infrastructure was found to be logged into negotiation panels for INC as well as Lynx, researchers said. In certain cases, the attacks may [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/\" \/>\n<meta property=\"og:site_name\" content=\"Community\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/TSFactoryLLC\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-02T16:40:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2026\/07\/fortinet.png\" \/>\n\t<meta property=\"og:image:width\" content=\"551\" \/>\n\t<meta property=\"og:image:height\" content=\"555\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Chelsie Wyatt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@TSFactoryLLC\" \/>\n<meta name=\"twitter:site\" content=\"@TSFactoryLLC\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chelsie Wyatt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/\",\"url\":\"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/\",\"name\":\"FortiBleed campaign traced to INC and Lynx ransomware operations - Community\",\"isPartOf\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2026\/07\/fortinet.png\",\"datePublished\":\"2026-07-02T16:40:31+00:00\",\"author\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/#primaryimage\",\"url\":\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2026\/07\/fortinet.png\",\"contentUrl\":\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2026\/07\/fortinet.png\",\"width\":551,\"height\":555},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.tsfactory.com\/forums\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"FortiBleed campaign traced to INC and Lynx ransomware operations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#website\",\"url\":\"https:\/\/www.tsfactory.com\/forums\/\",\"name\":\"Community\",\"description\":\"TSFactory\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.tsfactory.com\/forums\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f\",\"name\":\"Chelsie Wyatt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g\",\"caption\":\"Chelsie Wyatt\"},\"url\":\"https:\/\/www.tsfactory.com\/forums\/blog\/author\/chelsie\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"FortiBleed campaign traced to INC and Lynx ransomware operations - Community","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/","og_locale":"en_US","og_type":"article","og_title":"FortiBleed campaign traced to INC and Lynx ransomware operations - Community","og_description":"A massive credential-harvesting campaign, dubbed FortiBleed, is linked to two ransomware-as-a-service operations, tracked as INC ransom and Lynx,\u00a0according to a blog post\u00a0Wednesday by cybersecurity firm SOCRadar. An operator with access to FortiBleed infrastructure was found to be logged into negotiation panels for INC as well as Lynx, researchers said. In certain cases, the attacks may [&hellip;]","og_url":"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/","og_site_name":"Community","article_publisher":"https:\/\/www.facebook.com\/TSFactoryLLC\/","article_published_time":"2026-07-02T16:40:31+00:00","og_image":[{"width":551,"height":555,"url":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2026\/07\/fortinet.png","type":"image\/png"}],"author":"Chelsie Wyatt","twitter_card":"summary_large_image","twitter_creator":"@TSFactoryLLC","twitter_site":"@TSFactoryLLC","twitter_misc":{"Written by":"Chelsie Wyatt","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/","url":"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/","name":"FortiBleed campaign traced to INC and Lynx ransomware operations - Community","isPartOf":{"@id":"https:\/\/www.tsfactory.com\/forums\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/#primaryimage"},"image":{"@id":"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/#primaryimage"},"thumbnailUrl":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2026\/07\/fortinet.png","datePublished":"2026-07-02T16:40:31+00:00","author":{"@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f"},"breadcrumb":{"@id":"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/#primaryimage","url":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2026\/07\/fortinet.png","contentUrl":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2026\/07\/fortinet.png","width":551,"height":555},{"@type":"BreadcrumbList","@id":"https:\/\/www.tsfactory.com\/forums\/blog\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.tsfactory.com\/forums\/"},{"@type":"ListItem","position":2,"name":"FortiBleed campaign traced to INC and Lynx ransomware operations"}]},{"@type":"WebSite","@id":"https:\/\/www.tsfactory.com\/forums\/#website","url":"https:\/\/www.tsfactory.com\/forums\/","name":"Community","description":"TSFactory","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.tsfactory.com\/forums\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f","name":"Chelsie Wyatt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g","caption":"Chelsie Wyatt"},"url":"https:\/\/www.tsfactory.com\/forums\/blog\/author\/chelsie\/"}]}},"_links":{"self":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/1926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/comments?post=1926"}],"version-history":[{"count":1,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/1926\/revisions"}],"predecessor-version":[{"id":1928,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/1926\/revisions\/1928"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/media\/1927"}],"wp:attachment":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/media?parent=1926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/categories?post=1926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/tags?post=1926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}