Issue #013 · July 17, 2026
Cyber Threat Brief — Issue #013
What's active. What matters. What to do about it.
Priority Actions This Week
- 01If your organization runs Fortinet VPN appliances and has not rotated credentials since February 2026, do it now and treat it as urgent. FortiBleed has now been directly linked to two ransomware operations. The credentials stolen from your firewall are not sitting in a database. They are being used to break into organizations and encrypt their files. At least 12 confirmed ransomware deployments have already resulted from this campaign. Credential rotation is no longer optional.
- 02If your organization uses Citrix NetScaler ADC or Gateway configured as a SAML identity provider, patch it today. CVE-2026-8451 was exploited within 24 hours of public disclosure. It is not yet on the CISA KEV catalog but every prior member of the CitrixBleed family landed there within days of confirmed exploitation. Patch to NetScaler ADC 14.1-72.61 or 13.1-63.18 or later. Do not wait for a KEV listing to make this a priority.
- 03Review your Microsoft 365 environment for device code authentication flows and legacy authentication protocols that should be disabled. ARToken, a new phishing-as-a-service platform specifically built to steal Microsoft 365 session tokens and bypass MFA, is being actively marketed and sold. Disable device code flow in Conditional Access policies unless your organization has a documented business requirement for it. Most organizations do not.
- 04If your Fortinet environment uses FortiClient EMS for endpoint management, patch CVE-2026-35616 immediately. eSentire confirmed active exploitation this week against an energy sector organization, deploying EKZ Stealer to harvest browser credentials from Chrome and Firefox via PowerShell. FortiClient EMS is a management server that controls endpoint security across your environment. Compromise gives attackers administrative reach across every managed endpoint.
- 05Security teams that have been tracking FortiBleed should update their threat models. This is no longer a credential theft story. It is a ransomware pipeline story. The 20-person operation behind FortiBleed has a clear division of labor between credential harvesting, access brokering, and ransomware deployment under the INC and Lynx brands. Organizations that had Fortinet VPN credentials harvested in this campaign should assume they are on an active target list for ransomware, not just credential misuse.
Active Campaigns
The story of FortiBleed changed fundamentally this week. SOCRadar's Threat Research Unit gained access to the internal infrastructure of the FortiBleed operation through an operational security failure by the attackers — a Windows server that exposed internal files, logs, and operational documentation. What they found inside changes the threat model for every organization with an internet-facing Fortinet VPN appliance. An operator tied to FortiBleed infrastructure was found actively logged into negotiation panels for both INC Ransom and Lynx ransomware operations simultaneously. Victim data from FortiBleed overlaps directly with victims already tracked on INC Ransom's public leak site. The operation behind FortiBleed is not a lone actor or a small team. Internal documentation reveals an organized group of approximately 20 people with defined roles across scanning, credential sniffing, cracking, access brokering, and ransomware deployment. The credential harvesting was never the end goal. It was the first step in a ransomware pipeline. At least 12 confirmed ransomware deployments have already resulted from credentials harvested in this campaign, with hundreds of endpoints encrypted across the affected organizations. INC Ransom and Lynx are widely assessed by researchers as operated by the same underlying group under different brand names, making this effectively one continuous criminal enterprise running a credential-to-ransomware supply chain at scale.
Citrix patched CVE-2026-8451 on June 30, 2026. Within 24 hours, Lupovis confirmed active exploitation from a Frankfurt-based IP address targeting their sensor network. The flaw is a memory overread vulnerability in how NetScaler parses SAML authentication requests, allowing unauthenticated attackers to read portions of process memory from internet-facing appliances. The leaked data can include credentials, session tokens, and certificate keys. CVE-2026-8451 is the third member of the CitrixBleed family, following CVE-2023-4966, which fed LockBit 3.0 ransomware attacks against Boeing and ICBC, and CVE-2025-5777, which received a one-day CISA patch deadline after exploitation was confirmed before public disclosure. The pattern is consistent across all three: unauthenticated memory disclosure, rapid exploitation after disclosure, CISA KEV listing within days, and eventual ransomware adoption. CVE-2026-8451 is not yet on the CISA KEV catalog. Based on the history of its predecessors, that is a matter of when, not if. The NCSC has issued an urgent patching advisory. Organizations running NetScaler as a SAML identity provider should treat this as a same-day patch regardless of KEV status.
Cisco Talos researchers disclosed ARToken this week, a new phishing-as-a-service platform specifically engineered to steal Microsoft 365 session tokens and establish persistent access that survives password resets and MFA changes. ARToken works by abusing the device code authentication flow in Microsoft 365, a legitimate feature designed for devices without browsers such as smart TVs and printers. Attackers send victims a phishing page that initiates a device code authentication request. When the victim enters their credentials and approves the login, ARToken captures the resulting session token rather than the password. Session tokens grant full account access and remain valid even after a password change. The platform is marketed as a business email compromise tool, with features for persistent inbox monitoring, email rule creation to hide attacker activity, and automated forwarding of sensitive communications. Device code phishing has been observed in nation-state campaigns by Russian and Iranian threat actors for years. ARToken commoditizes the technique and makes it available to any financially motivated attacker willing to pay the subscription fee.
CVE Watch
PRODUCT: Citrix NetScaler ADC and NetScaler Gateway (SAML IDP configurations)
WHAT IT MEANS:
A memory overread vulnerability in Citrix NetScaler's SAML authentication parser allows unauthenticated remote attackers to read portions of the appliance's process memory by sending malformed SAML requests to the login endpoint. The leaked memory can contain credentials, session tokens, and other sensitive data from the appliance's active processes. Only NetScaler appliances configured as SAML identity providers are vulnerable. Exploitation was confirmed within 24 hours of Citrix publishing the patch. This is the third time a CitrixBleed-class flaw has seen rapid weaponization. The first led to LockBit ransomware attacks against Boeing and ICBC. The second received a one-day CISA patch deadline. Based on this pattern, a CISA KEV listing and ransomware adoption should be expected. The NCSC has issued an urgent advisory. Treat this as a same-day patch regardless of whether your scanner has flagged it yet.
ACTION:Patch NetScaler ADC and Gateway to version 14.1-72.61 or 13.1-63.18 or later immediately. If your appliance is configured as a SAML identity provider and was internet-facing before patching, review authentication logs for unexpected SAML requests to the /saml/login endpoint and treat any anomalous session tokens as potentially compromised.
PRODUCT: Fortinet FortiClient EMS (endpoint management server)
WHAT IT MEANS:
A pre-authentication API vulnerability in Fortinet's endpoint management server allows attackers to bypass login requirements, escalate privileges, and move laterally through managed environments. eSentire confirmed active exploitation this week against an energy sector organization, where attackers used the flaw to deploy EKZ Stealer, harvesting credentials from Chrome-based browsers and Firefox via PowerShell. FortiClient EMS is the management server that controls Fortinet endpoint security across an entire organization's device fleet. Compromising it gives attackers administrative reach across every managed endpoint simultaneously. This was previously covered in Issue 004 as ACTIVE. Confirmed exploitation in the energy sector this week elevates the urgency for any organization that has not yet patched.
ACTION:Upgrade FortiClient EMS to version 7.4.7 or later immediately. Restrict API access to known management IP ranges while patching. Audit PowerShell execution logs on endpoints managed by FortiClient EMS for signs of unauthorized credential harvesting activity.
PRODUCT: Citrix NetScaler ADC and NetScaler Gateway (memory overflow)
WHAT IT MEANS:
A companion vulnerability to CVE-2026-8451 patched in the same June 30 Citrix advisory, CVE-2026-8452 is a memory overflow flaw in NetScaler that can cause service disruption and potentially allow for further memory corruption. While CVE-2026-8451 is the primary exploitation target in current attacks, both flaws are addressed in the same patch. Organizations applying the NetScaler update for CVE-2026-8451 will also remediate this companion flaw. Treat them as a pair and verify both are addressed after patching.
ACTION:Apply the same June 30 NetScaler update that addresses CVE-2026-8451. Both vulnerabilities are resolved in versions 14.1-72.61 and 13.1-63.18 or later.
Threat Actor Activity
SOCRadar confirmed through infrastructure access that FortiBleed credential harvesting feeds directly into INC Ransom and Lynx ransomware deployment workflows. The operation is run by approximately 20 people with defined roles. 12 confirmed ransomware deployments to date. Victim data overlaps between FortiBleed and INC Ransom's leak site confirms the pipeline is active and operational. INC and Lynx are widely assessed as the same underlying group operating under two brand names.
Cisco Talos disclosed a new phishing-as-a-service platform that steals Microsoft 365 session tokens via device code authentication abuse. Platform marketed for business email compromise with features for persistent inbox monitoring and automated email rule creation. Commoditizes a technique previously limited to nation-state actors.
Campaign remains live per YesWeHack and Sekoia confirmation. No new repositories identified this week but infrastructure remains active. Security researchers should continue treating all unreviewed PoC code as hostile.
Platform remains live. No updated infection count. Blockchain-based C2 continues operating with no available takedown mechanism.
No new confirmed activity. Full eviction from US telecommunications infrastructure remains unconfirmed.
No new confirmed activity. Pre-positioning in US critical infrastructure from prior periods remains unresolved.
| Actor | Status | Activity |
|---|---|---|
| FortiBleed operators / INC Ransom / Lynx | [ ESCALATING ] | SOCRadar confirmed through infrastructure access that FortiBleed credential harvesting feeds directly into INC Ransom and Lynx ransomware deployment workflows. The operation is run by approximately 20 people with defined roles. 12 confirmed ransomware deployments to date. Victim data overlaps between FortiBleed and INC Ransom's leak site confirms the pipeline is active and operational. INC and Lynx are widely assessed as the same underlying group operating under two brand names. |
| ARToken operators (unattributed) | [ ACTIVE ] | Cisco Talos disclosed a new phishing-as-a-service platform that steals Microsoft 365 session tokens via device code authentication abuse. Platform marketed for business email compromise with features for persistent inbox monitoring and automated email rule creation. Commoditizes a technique previously limited to nation-state actors. |
| ChocoPoC operators (unattributed) | [ ACTIVE ] | Campaign remains live per YesWeHack and Sekoia confirmation. No new repositories identified this week but infrastructure remains active. Security researchers should continue treating all unreviewed PoC code as hostile. |
| WeedHack operators | [ ACTIVE ] | Platform remains live. No updated infection count. Blockchain-based C2 continues operating with no available takedown mechanism. |
| Salt Typhoon | [ MONITORING ] | No new confirmed activity. Full eviction from US telecommunications infrastructure remains unconfirmed. |
| Volt Typhoon | [ MONITORING ] | No new confirmed activity. Pre-positioning in US critical infrastructure from prior periods remains unresolved. |
Key Takeaway
FortiBleed started as a credential harvesting story. It is now a ransomware pipeline story, and that distinction changes everything about how affected organizations should respond. The 20-person operation behind it was never in the business of collecting passwords. It was in the business of breaking into organizations and encrypting their files, and it built a credential harvesting operation at scale to feed that business efficiently. Every organization with an internet-facing Fortinet VPN appliance that has not rotated credentials since February should now assume they are on a ransomware target list, not just a credential exposure list. Separately, CitrixBleed is back for the third time with the same pattern it has followed twice before: unauthenticated memory disclosure, exploitation within hours of disclosure, urgent government advisory, and eventually ransomware deployment. The patch is available. The exploitation is confirmed. The history of what happens next to organizations that wait is well documented. ARToken is the week's quieter but structurally significant story. Device code phishing was a nation-state technique. It is now a subscription service. The gap between what sophisticated threat actors can do and what any financially motivated attacker can rent for a monthly fee continues to close.
Sources
- SOCRadar Threat Research Unit
- F5 Labs
- SecurityWeek
- BleepingComputer
- The Hacker News
- watchTowr Labs
- Lupovis
- Cisco Talos
- eSentire
- NCSC
- RH-ISAC
- Cybersecurity Dive
- GBHackers