Rankiteo
Leader in Cyber Underwriting
Fortinet

Fortinet Vendor Cyber Rating & Cyber Score

fortinet.com

Fortinet makes possible a digital world that we can always trust through its mission to protect people, devices, and data everywhere. This is why the world’s largest enterprises, service providers, and government organizations choose Fortinet to securely accelerate their digital journey.


Fortinet A.I CyberSecurity Scoring

Fortinet
Company Information
Website: https://www.fortinet.com
Employees number: 15,789
Number of followers: 1,232,151
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: fortinet.com
Fortinet Risk Score (AI oriented)
Between 0 and 549
Fortinet, Computer and Network Security
Updated: 11/06/2026
Score: 296/1000, Critical (grade C)

Fortinet: Critical
Current Score: 296 C (CRITICAL), on a scale of 0 to 1000
42 incidents
-4.53 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026 (score before incident: 297)
MAY 2026 (score before incident: 249)
APRIL 2026 (score before incident: 239)
Vulnerability - 14 Apr 2026 - Fortinet
Fortinet: Critical FortiSandbox Vulnerabilities Allow Attackers to Execute Unauthorized Commands
Fortinet Patches Two Critical FortiSandbox Vulnerabilities with CVSS 9.1 Scores
Score after incident: 237
CRITICAL-2
FOR1776183827

Fortinet has disclosed two critical vulnerabilities in its FortiSandbox platform, both rated 9.1 on the CVSSv3 scale, which could allow unauthenticated remote attackers to execute arbitrary commands and bypass authentication. The flaws, published on April 14, 2026, pose significant risks to enterprises relying on FortiSandbox for threat detection.

The first vulnerability, CVE-2026-39808, is an OS command injection flaw in the FortiSandbox API component. It enables attackers to execute unauthorized commands via specially crafted HTTP requests, potentially compromising the sandboxing environment. Affecting FortiSandbox 4.4.0 through 4.4.8, the issue was responsibly disclosed by Samuel de Lucas Maroto of KPMG Spain. Fortinet recommends upgrading to version 4.4.9 or later.

The second flaw, CVE-2026-39813, is an authentication bypass via path traversal in the FortiSandbox JRPC API. Exploitable through malicious HTTP requests, it allows privilege escalation without prior authentication. Discovered internally by Fortinet’s Loic Pantano, it impacts FortiSandbox 5.0.0 through 5.0.5 and FortiSandbox 4.4.0 through 4.4.8. Patches are available in versions 5.0.6 and 4.4.9.

No active exploitation has been observed, but the unauthenticated attack vectors and high severity scores make these vulnerabilities a priority for remediation. Organizations are advised to apply updates and restrict API access to trusted networks as a temporary mitigation.
INCIDENT DETAILS
TYPE: OS command injection; Authentication bypass
IMPACT:
- Systems Affected: FortiSandbox platform
- Operational Impact: Potential compromise of sandboxing environment and privilege escalation
APRIL 2026 (score before incident: 237)
Vulnerability - 04 Apr 2026 - Fortinet
Fortinet: Critical Fortinet FortiClient EMS 0-Day Vulnerability Actively Exploited in the Wild
Critical Zero-Day in Fortinet FortiClient EMS Under Active Exploitation (CVE-2026-35616)
Score after incident: 235
CRITICAL-2
FOR1775312783

Fortinet has released an emergency hotfix for a critical zero-day vulnerability (CVE-2026-35616) in FortiClient Endpoint Management Server (EMS), which is being actively exploited in the wild. The flaw, rated 9.1 on the CVSSv3 scale, allows unauthenticated attackers to bypass API authentication and authorization controls, enabling arbitrary code or command execution on vulnerable systems.

The vulnerability, classified as CWE-284 (Improper Access Control), affects the API layer of FortiClient EMS. Exploitation requires no prior authentication, user interaction, or elevated privileges, making it a severe risk for organizations with internet-exposed EMS deployments. Attackers can send crafted API requests to gain full control over endpoint management operations, compromising confidentiality, integrity, and availability.

Only FortiClient EMS versions 7.4.5 and 7.4.6 are impacted; version 7.2.x remains unaffected. Fortinet has released emergency hotfixes for the vulnerable versions, with a permanent fix expected in the upcoming FortiClient EMS 7.4.7.

The flaw was discovered by security researchers Simo Kohonen of Defused and independent researcher Nguyen Duc Anh, who observed active exploitation before reporting it to Fortinet under responsible disclosure. Fortinet published its advisory (FG-IR-26-099) and released the hotfix on April 4, 2026. Organizations are advised to apply the patch immediately and monitor EMS logs for suspicious unauthenticated API activity. Restricting external access to the EMS management interface can provide additional protection while patching is underway.
INCIDENT DETAILS
TYPE: Zero-Day Exploitation
IMPACT:
- Data Compromised: Confidentiality, integrity, and availability of endpoint management operations
- Systems Affected: FortiClient EMS versions 7.4.5 and 7.4.6
- Operational Impact: Full control over endpoint management operations
APRIL 2026 (score before incident: 241)
Vulnerability - 01 Apr 2026 - Fortinet
Mozilla, OpenBSD and Fortinet: 73 Seconds to Breach, 24 Hours to Patch: The Case for Autonomous Validation
AI-Powered Cyber Threats Outpace Defenses as Anthropic’s Mythos Model Unleashes Unprecedented Exploits
Score after incident: 236
CRITICAL-5
OPEFORMOZ1778682674

In April 2026, Anthropic released its advanced AI model, Mythos, to a limited group of twelve partners under a controlled preview deemed too dangerous for public release. Within just 14 days, the model generated 181 working Firefox exploits, dwarfing the previous state-of-the-art model’s output of two. It also uncovered thousands of zero-day vulnerabilities across major operating systems and browsers, including a 27-year-old flaw in OpenBSD, an OS renowned for its security. Over 99% of these vulnerabilities remain unpatched in production environments.

The incident underscores a broader shift: offensive cyber operations now move at machine speed. Earlier in 2026, AWS Threat Intelligence documented a single low-skill attacker leveraging AI to compromise 2,516 FortiGate devices across 106 countries in minutes, exploiting known CVEs and misconfigurations faster than defenders could respond. The window between vulnerability disclosure and exploitation has collapsed. In 2018, the median time from CVE publication to in-the-wild exploitation was 2.3 years; by 2026, it has shrunk to just 10 hours. This acceleration renders traditional vulnerability management assumptions obsolete: every disclosed flaw is now a potential immediate threat, with exploits generated via simple prompts rather than specialized expertise.

Defensive gaps are further exposed by organizational inefficiencies. While AI-driven attacks complete compromises in 73 seconds, human-led response workflows spanning SIEM alerts, manual SOAR playbooks, and cross-team ticketing stretch patching timelines to 24 hours or more. The bottleneck isn’t tooling but fragmented handoffs between teams, where delays accumulate in Slack messages, PDF reports, and approval queues.

To counter this, security programs must prioritize three pillars of resilience:
1. Identify – Comprehensive visibility across networks, endpoints, and cloud environments, with aggressive attack surface management to eliminate blind spots.
2. Protect – Tightly tuned controls focused on credential access, lateral movement, and privilege escalation, rather than generic vendor rules.
3. Validate – Continuous breach and attack simulation (BAS) and autonomous penetration testing to measure real-world exploitability, not just theoretical risk.

Without validation, defensive AI becomes guesswork at scale. The Mythos incident reveals a stark reality: AI-driven offense has outpaced human-speed defense, leaving organizations vulnerable to exploits that emerge and spread before patches can be deployed. As boards now treat AI cyber risk as existential, security teams face pressure to adopt autonomous validation, closing the gap between detection and remediation before attackers exploit it first.
INCIDENT DETAILS
TYPE: AI-driven cyber attack; Zero-day exploitation; Mass compromise
IMPACT:
- 2,516 FortiGate devices
- Major operating systems and browsers
- Operational Impact: Collapse of vulnerability disclosure-to-exploitation window (10 hours median)
Vulnerability - 01 Apr 2026 - Fortinet
Fortinet: Ransomware Surges as Weekly Attacks Hit Record Highs in April 2026
Global Cyber-Attack Surge in April 2026
Score after incident: 236
CRITICAL-5
FOR1778740368

Global Cyber-Attack Surge in April 2026: Key Trends and Threat Landscape

April 2026 marked a sharp rebound in global cyber-attack activity, with organizations facing an average of 2,201 weekly attacks, a 10% month-over-month increase and an 8% year-over-year rise. After three months of decline, the surge underscores the volatility of the threat landscape, driven by automation, expanded digital footprints, and vulnerabilities in cloud and GenAI environments.

### Regional and Sectoral Impact

Every region saw increased attack volumes, with Latin America remaining the most targeted (3,364 weekly attacks, +20% YoY), followed by APAC (3,213, +4% YoY) and Africa (2,940, -9% YoY). India faced particularly high exposure, averaging 3,300 weekly attacks, far above the global average, due to rapid digital expansion and cloud adoption. Critical sectors bore the brunt of attacks:
- Education was the most targeted globally (4,946 weekly attacks, +8% YoY), followed by Government (2,797, -1% YoY) and Telecommunications (2,728, +3% YoY).
- In India, the Education sector saw 7,181 weekly attacks, with Government (4,634), Construction (3,858), and Consumer Goods (3,567) also heavily impacted.

### GenAI and Data Exposure Risks

Enterprise adoption of GenAI tools continued to elevate security risks:
- 1 in 28 GenAI prompts posed a high risk of sensitive data leakage.
- 90% of organizations using GenAI tools were affected, with 19% of prompts containing potentially sensitive information.
- The average enterprise used 10 different GenAI tools, with users generating 77 prompts per month, highlighting fragmented adoption and governance gaps.

### Ransomware Expansion

Global ransomware attacks rose 5% month-over-month and 12% year-over-year, with 707 incidents reported in April. North America was the hardest hit (46% of attacks), followed by Europe (27%) and APAC (17%). Key ransomware trends:
- India faced disproportionate exposure, with 7.0% of organizations impacted (vs. 3.6% globally).
- Business Services was the most targeted sector (33.8% of victims), followed by Consumer Goods (14.4%) and Industrial Manufacturing (9.9%).
- The U.S. accounted for 41.6% of attacks, with Germany (5.0%), Canada (4.8%), and Italy (4.0%) also heavily affected.

### Dominant Ransomware Groups

The ransomware ecosystem remained fragmented but dominated by a few high-output operators:
- Qilin led with 15% of attacks, leveraging a Rust-based encryptor and expanded RaaS infrastructure.
- The Gentlemen (10%), a fast-growing RaaS group, targeted 14,000 pre-exploited FortiGate devices (CVE-2024-55591) and shifted to surgical evasion techniques.
- DragonForce (9%) operated a white-label model, absorbing displaced affiliates and partnering with Scattered Spider for high-profile attacks.

### Broader Threat Landscape Insights

The rebound in attacks, persistent ransomware growth, and GenAI-driven risks confirm that cyber threats are not stabilizing but oscillating with greater intensity. Attackers continue refining tactics, exploiting seasonal demand, emerging technologies, and governance gaps, reinforcing the need for proactive, multi-layered security strategies.
INCIDENT DETAILS
TYPE: Cyber-Attack; Ransomware; Data Exposure
MOTIVATION: Financial Gain; Data Exfiltration; Ransomware
IMPACT:
- GenAI Tools
- Cloud Environments
- FortiGate Devices
- Operational Impact: Increased attack volumes across regions and sectors
- Brand Reputation Impact: Potential reputational damage due to data exposure and ransomware attacks
- Identity Theft Risk: High (due to sensitive data exposure)
DATA BREACH:
- Sensitive Information
- Personally Identifiable Information
- Sensitivity Of Data: High (1 in 28 GenAI prompts posed high risk)
MARCH 2026 (score before incident: 237)
Vulnerability - 19 Mar 2026 - Fortinet
Fortinet: Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation
The Gentlemen Ransomware Group Affiliate Leak
Score after incident: 235
CRITICAL-2
FOR1773937523

New Insights into "The Gentlemen" Ransomware Group Revealed Amid Affiliate Leak

A ransomware affiliate known as hastalamuerte has exposed operational details of The Gentlemen, a rapidly emerging ransomware-as-a-service (RaaS) group, following internal disputes. Research published by Group-IB on March 19 provides a rare look into the group’s infrastructure, attack methods, and affiliate dynamics.

The Gentlemen emerged from a split within the Qilin RaaS ecosystem, leveraging existing tools to establish itself as a new threat. The group employs a dual-extortion model, encrypting victim data while threatening public leaks to pressure payments. Targets span Windows, Linux, and ESXi environments, with initial access often gained through vulnerable FortiGate VPN devices via exploitation or brute-force attacks. Once inside, affiliates use automated lateral movement including PowerShell and Windows Management Instrumentation to harvest credentials, disrupt backups, and deploy domain-wide encryption. The group also employs anti-forensic measures, such as log deletion and Bring Your Own Vulnerable Driver (BYOVD) attacks, to evade detection and hinder recovery.

The leak underscores growing tensions within RaaS networks, where disputes among affiliates can expose operational details. The Gentlemen’s rise reflects broader trends in cybercrime, including increased specialization and professionalization of ransomware groups. Their use of advanced evasion techniques and flexible infrastructure continues to challenge traditional security defenses, while internal instability may create opportunities for disruption.
INCIDENT DETAILS
TYPE: Ransomware
MOTIVATION: Financial gain; Data extortion
IMPACT:
- Windows
- Linux
- ESXi
- Operational Impact: Disruption of backups, domain-wide encryption
DATA BREACH:
- Victim data
- Sensitivity Of Data: High (threatened for public leaks)
MARCH 2026 (score before incident: 235)
Vulnerability - 10 Mar 2026 - Fortinet
Fortinet: Fortinet FortiManager fgtupdates Vulnerability Allows Attackers to Execute Malicious Commands
Fortinet Patches High-Severity RCE Vulnerability in FortiManager
Score after incident: 233
CRITICAL-2
FOR1773167022

Fortinet has disclosed a high-severity stack-based buffer overflow vulnerability (CVE-2025-54820) in its FortiManager platform, which could allow remote unauthenticated attackers to execute unauthorized commands. The flaw, rated 7.0 on the CVSSv3 scale, affects the fgtupdates service and requires the service to be actively enabled for exploitation. Exploiting the vulnerability involves sending specially crafted requests to bypass stack protection mechanisms, though the attack complexity limits its severity to "High" rather than "Critical." The issue was responsibly reported by researcher catalpa of Dbappsecurity Co., Ltd., and addressed in Fortinet’s advisory (FG-IR-26-098), published on March 10, 2026.

Affected Versions & Remediation

The vulnerability impacts on-premises FortiManager deployments, with the following versions at risk:
- 7.4.0–7.4.2 (upgrade to 7.4.3+)
- 7.2.0–7.2.10 (upgrade to 7.2.11+)
- All 6.4 versions (migrate to a fixed release)

FortiManager Cloud remains unaffected. Fortinet recommends patching as the primary mitigation, with a temporary workaround of disabling the fgtupdates service via CLI if immediate upgrades are not feasible.

Impact & Risks

FortiManager is widely used in enterprise and government networks to manage Fortinet security devices. Unauthenticated remote code execution (RCE) vulnerabilities in such platforms are prime targets for threat actors, enabling lateral movement and persistent access across managed infrastructure. Security teams are advised to audit active services, apply patches, and monitor for suspicious activity targeting the fgtupdates endpoint.
INCIDENT DETAILS
TYPE: Vulnerability
IMPACT:
- Systems Affected: FortiManager deployments
- Operational Impact: Potential unauthorized command execution, lateral movement, and persistent access across managed infrastructure
MARCH 2026 (score before incident: 233)
Vulnerability - 01 Mar 2026 - Fortinet
F5, Rockwell Automation, Fortinet and Cisco: March 2026 Cyber Threat Landscape Fueled by Ransomware, Breaches, and Access Markets
March 2026 Cyber Threat Landscape: Ransomware, Access Brokers, and Critical Vulnerabilities Drive Global Risks
Score after incident: 231
CRITICAL-2
CRICYBF5LFOR1776854731

The cybersecurity threat landscape in March 2026 saw heightened activity, with ransomware attacks, data breaches, and underground access markets shaping a volatile environment. According to Cyble Research & Intelligence Labs (CRIL), financially motivated cybercriminals intensified their operations, targeting industries reliant on uptime or handling sensitive data.

### Ransomware Surges, Dominated by Five Major Groups

Ransomware remained the leading attack vector, with 702 incidents recorded globally. Five threat groups, Qilin, Akira, The Gentlemen, Dragonforce, and INC Ransom, accounted for 56% of all activity, leveraging double-extortion tactics to maximize pressure on victims. The most affected sectors included:
- Construction
- Professional Services
- Manufacturing
- Healthcare
- Energy & Utilities

The U.S. was the primary target, influenced by geopolitical tensions, including those involving Iran.

### Compromised Access Market Expands

The sale of unauthorized network access surged, with 20 incidents tracked across cybercrime forums. Professional Services (25%) and Retail (20%) were the most targeted sectors. Three threat actors, vexin, holyduxy, and algoyim, dominated the market, facilitating ransomware, espionage, and financial fraud.

### Data Breaches Expose Massive Volumes of Sensitive Information

CRIL documented 54 significant data breaches, with notable incidents including:
- "nightly" claiming theft of 5TB of data from Hospitality Holdings, including biometric data and CCTV footage.
- XP95 advertising 3.8TB of South African government data for sale.
- A breach exposing 95,000 travel records, including passport and payment details.

### Critical Vulnerabilities Exploited at Scale

Attackers actively targeted flaws in CISA’s Known Exploited Vulnerabilities (KEV) catalog, including:
- CVE-2026-20131 (Cisco Secure Firewall Management Center)
- CVE-2025-53521 (F5 BIG-IP APM)
- CVE-2026-20963 (Microsoft SharePoint Server)
- CVE-2026-33017 (Langflow AI)
- CVE-2021-22681 (Rockwell Automation ICS)

Both zero-day exploits and unpatched legacy vulnerabilities were weaponized, highlighting persistent patch management gaps.

### Emerging Threats: AI, Supply Chain, and Geopolitical Risks

- AI-Driven Attacks: Threat actors used CyberStrikeAI, an open-source framework, to compromise 600+ Fortinet FortiGate devices across 55 countries.
- Supply Chain Risks: North Korean-linked actors distributed 26 malicious npm packages containing remote access trojans (RATs) via Pastebin and Vercel.
- Geopolitical Cyber Activity: Iran-linked operations are expected to escalate, with potential ransomware and hacktivist campaigns targeting Middle Eastern organizations.
INCIDENT DETAILS
TYPE: ransomware; data_breach; unauthorized_access_sale; vulnerability_exploitation
MOTIVATION: financial_gain; espionage; geopolitical
IMPACT:
- 5TB (Hospitality Holdings)
- 3.8TB (South African government)
- 95,000 travel records
- Cisco Secure Firewall Management Center
- F5 BIG-IP APM
- Microsoft SharePoint Server
- Langflow AI
- Rockwell Automation ICS
- Fortinet FortiGate devices
- Identity Theft Risk: high
- Payment Information Risk: high
DATA BREACH:
- biometric_data
- CCTV_footage
- government_data
- passport_details
- payment_information
- 5TB
- 3.8TB
- 95,000
- Sensitivity Of Data: high
- Data Exfiltration: yes
- Personally Identifiable Information: yes
FEBRUARY 2026 (score before incident: 226)
Vulnerability - 10 Feb 2026 - Fortinet
Fortinet: FortiOS Authentication Bypass Vulnerability Lets Attackers Bypass LDAP Authentication
Fortinet Patches High-Severity Authentication Bypass Flaw in FortiOS
Score after incident: 224
CRITICAL-2
FOR1770746047

Fortinet has disclosed a high-severity authentication bypass vulnerability in FortiOS, identified as CVE-2026-22153 (FG-IR-25-1052), which could allow unauthenticated attackers to bypass LDAP authentication for Agentless VPN or Fortinet Single Sign-On (FSSO) policies. The flaw, classified under CWE-305 (Authentication Bypass by Primary Weakness), resides in the fnbamd daemon and stems from improper handling of LDAP authentication requests. Exploitation requires specific LDAP server configurations, such as those permitting anonymous binds, enabling attackers to gain unauthorized access without valid credentials.

Fortinet rates the vulnerability as High severity (CVSS v3.1), noting network accessibility but moderate attack complexity. Successful exploitation could lead to improper access control, potentially allowing unauthorized entry into protected networks via SSL-VPN components.

### Affected Versions & Fixes

The vulnerability impacts FortiOS 7.6.0 through 7.6.4 exclusively. Other branches, including 8.0, 7.4, 7.2, 7.0, and 6.4, remain unaffected. Administrators are advised to upgrade to FortiOS 7.6.5 or later using the official upgrade path tool.

As a temporary workaround, organizations can disable unauthenticated binds on their LDAP servers. For Windows Active Directory (Server 2019+), this can be done via the following PowerShell command:

```powershell
# Locate the forest-wide Directory Service object in the configuration partition
$configDN = (Get-ADRootDSE).configurationNamingContext
$dirSvcDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"
# Add the setting that makes domain controllers reject unauthenticated (anonymous) LDAP binds
Set-ADObject -Identity $dirSvcDN -Add @{'msDS-Other-Settings'='DenyUnauthenticatedBind=1'}
```

The vulnerability was responsibly disclosed by Jort Geurts of Actemium Cyber Security Team and addressed in Fortinet’s latest advisory. The company urges immediate patching for exposed SSL-VPN deployments to mitigate risks in enterprise environments relying on LDAP integration.
INCIDENT DETAILS
TYPE: Authentication Bypass
IMPACT:
- Systems Affected: FortiOS 7.6.0 through 7.6.4, SSL-VPN components
- Operational Impact: Improper access control, unauthorized entry into protected networks
FEBRUARY 2026 (score before incident: 226)
Vulnerability - 06 Feb 2026 - Fortinet
Fortinet: Critical Fortinet FortiClient EMS Vulnerability Allows Remote Code Execution
Critical SQL Injection Flaw in Fortinet FortiClient EMS Exposes Organizations to Remote Attacks
Score after incident: 225
CRITICAL-1
FOR1770630779

A severe security vulnerability in Fortinet’s FortiClient EMS (Endpoint Management Server) has been disclosed, allowing unauthenticated attackers to execute remote code on vulnerable systems. Tracked as CVE-2026-21643, the flaw was revealed on February 6, 2026, and carries a CVSS score of 9.1, classifying it as critical.

The vulnerability stems from an SQL injection (SQLi) flaw in the FortiClient EMS administrative interface, where improper sanitization of user input enables attackers to manipulate database queries. Exploitation requires no authentication; attackers can send crafted HTTP requests to vulnerable servers over the network, potentially leading to full system compromise. Consequences include data theft, malware deployment, or lateral movement within an organization’s network.

The flaw affects FortiClient EMS version 7.4.4 exclusively. Versions 7.2 and 8.0, as well as FortiEMS Cloud users, remain unaffected. Fortinet has released version 7.4.5 to patch the issue, urging organizations to upgrade immediately.

The vulnerability was discovered internally by Gwendal Guégniaud of Fortinet’s Product Security team, highlighting the role of proactive security research in mitigating risks. System administrators are advised to prioritize patching, verify vulnerable installations, and monitor network logs for suspicious activity targeting the administrative interface. The swift disclosure timeline underscores the severity of the threat.
INCIDENT DETAILS
TYPE: SQL Injection
IMPACT:
- Data Compromised: Potential data theft
- Systems Affected: FortiClient EMS version 7.4.4
- Operational Impact: Full system compromise, lateral movement within network
DATA BREACH:
- Data Exfiltration: Potential data theft
JANUARY 2026 (score before incident: 229)
Cyber Attack - 20 Jan 2026 - Fortinet
Fortinet: Hackers Leveraged CyberStrikeAI Tool to Breach Fortinet FortiGate Devices
AI-Powered CyberStrikeAI Tool Emerges as a Growing Threat to Fortinet FortiGate Devices
Score after incident: 218
CRITICAL-11
FOR1772526283

A new offensive security tool, CyberStrikeAI, is being actively used by threat actors to target Fortinet FortiGate appliances, marking a significant escalation in AI-driven cyberattacks. Developed by a China-based individual with suspected ties to state-sponsored operations, the open-source platform integrates over 100 security tools with an AI orchestration engine, enabling large-scale, automated exploitation campaigns.

First identified by Amazon’s CTI team, CyberStrikeAI is written in Go and hosted on GitHub under the alias "Ed1s0nZ." The tool features a centralized dashboard for monitoring operations, role-based testing, and lifecycle management, lowering the technical barrier for attackers. Analysis by Team Cymru linked the tool to an IP address (212.11.64.250) actively scanning FortiGate devices, with 21 unique IPs detected running the platform between January and February 2026, primarily in China, Singapore, and Hong Kong.

The developer, Ed1s0nZ, has a history of creating AI-driven exploitation tools, including PrivHunterAI (privilege escalation detection) and InfiltrateX (automated vulnerability scanning). More concerning are their connections to Chinese state entities: in December 2025, they submitted CyberStrikeAI to the Starlink Project, managed by Knownsec 404, a firm linked to the Chinese Ministry of State Security (MSS). Additionally, Ed1s0nZ previously received a "Level 2 Contribution Award" from the Chinese National Vulnerability Database (CNNVD), another MSS-affiliated program, before scrubbing the reference from their profile.

The rapid adoption of CyberStrikeAI signals a shift toward AI-native attack frameworks, enabling threat actors to automate reconnaissance and exploitation at scale. Given the developer’s affiliations, security researchers warn the tool may soon be leveraged by Chinese state-sponsored APT groups, increasing the risk of sophisticated attacks on vulnerable edge infrastructure.
INCIDENT DETAILS
TYPE: AI-driven cyberattack tool
MOTIVATION: State-sponsored operations, large-scale automated exploitation
IMPACT:
- Systems Affected: Fortinet FortiGate devices
- Operational Impact: Increased risk of sophisticated attacks on vulnerable edge infrastructure
JANUARY 2026 (score before incident: 239)
Cyber Attack - 15 Jan 2026 - Fortinet
Fortinet, Ivanti, Sophos and Pulse Secure: Storm-2561 Uses SEO Poisoning, Fake Signed VPN Apps to Steal Enterprise Credentials
Storm-2561 Exploits SEO Poisoning and Fake VPN Installers in Credential Theft Campaign
Score after incident: 227
CRITICAL-12
PULSOPFORIVA1773404773

Since May 2025, the financially motivated threat actor Storm-2561 has been conducting a credential theft campaign targeting enterprise VPN users by abusing SEO poisoning and trojanized VPN installers. The group leverages fake, code-signed software to harvest VPN credentials and configuration data, exploiting trust in search results and legitimate security certificates.

In mid-January 2026, Microsoft Defender Experts identified a renewed campaign where Storm-2561 manipulated search engine results to direct victims to spoofed VPN download sites, such as vpn-fortinet[.]com and ivanti-vpn[.]org. These domains mimicked well-known VPN vendors, including Fortinet, Pulse Secure, and Ivanti, before redirecting users to a now-removed malicious GitHub repository hosting a ZIP file (VPN-CLIENT.zip) containing a trojanized MSI installer.

The installer, disguised as a legitimate VPN client, deployed signed malware components including Pulse.exe, dwmapi.dll, and inspector.dll under a path imitating a real Pulse Secure installation (%CommonFiles%\Pulse Secure). The dwmapi.dll acted as an in-memory loader, executing shellcode to load inspector.dll, a variant of the Hyrax information stealer. This malware targeted stored VPN credentials and configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat, exfiltrating them to a command-and-control server at 194.76.226[.]93:8080.

A key tactic in this campaign was the abuse of a legitimate code-signing certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which was later revoked. The signed MSI and DLLs bypassed Windows security warnings and evaded detection by some security tools, lending the malware a false appearance of legitimacy. Additional signed samples, including Sophos-Connect-Client.exe and GlobalProtect-VPN.exe, indicated a broader distribution effort under the same certificate.

The fake VPN client displayed a realistic GUI mimicking Pulse Secure, prompting users for credentials before exfiltrating them and displaying a fake error message. To avoid suspicion, the malware sometimes redirected victims to the official vendor site, ensuring they ultimately installed a legitimate VPN, leaving no immediate signs of compromise. Persistence was maintained via the Windows RunOnce registry key, ensuring the malware executed at reboot.

Microsoft Defender Antivirus detects the payloads as Trojan:Win32/Malgent and TrojanSpy:Win64/Hyrax, while Defender for Endpoint can block active infections and flag unusual VPN process execution. The campaign highlights Storm-2561’s reliance on SEO manipulation, brand impersonation, and code-signing abuse to monetize stolen credentials.
INCIDENT DETAILS
TYPE: Credential Theft
MOTIVATION: Financial Gain
IMPACT:
- Data Compromised: VPN credentials and configuration data
- Systems Affected: Enterprise VPN users
- Identity Theft Risk: High
DATA BREACH:
- Type Of Data Compromised: VPN credentials and configuration data
- Sensitivity Of Data: High
- connectionstore.dat
- Personally Identifiable Information: VPN credentials
JANUARY 2026 (score before incident: 241)
Vulnerability - 13 Jan 2026 - Fortinet
Fortinet: Cyber Security News ®’s Post
FortiSIEM OS Command Injection Vulnerability (CVE-2025-64155)
Score after incident: 239
CRITICAL-2
FOR1768415255

Fortinet Discloses Critical FortiSIEM Vulnerability Allowing Remote Code Execution

On January 13, 2026, Fortinet issued an advisory warning of a critical OS command injection vulnerability in FortiSIEM, tracked as CVE-2025-64155 (CVSS: High). The flaw, classified under CWE-78 (improper neutralization of special elements in OS commands), affects the phMonitor component on port 7900. The vulnerability enables unauthenticated attackers to execute arbitrary code by sending maliciously crafted TCP requests to FortiSIEM’s Super and Worker nodes, potentially leading to full system compromise. No authentication is required for exploitation, increasing the risk of widespread attacks.

Fortinet has not disclosed active exploitation in the wild, but organizations using FortiSIEM are urged to apply patches or mitigations promptly. The advisory highlights the severity of the issue, given FortiSIEM’s role in security information and event management (SIEM) for enterprise environments.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Systems Affected: FortiSIEM Super and Worker nodes
Operational Impact: Full-system compromise potential
JANUARY 2026
264Before Incident
Cyber Attack
11 Jan 2026Fortinet
Fortinet: Cyber Security News ®’s Post

FORTI-FAKE (FAKE FORTINET) PHISHING CAMPAIGN

241After Incident
CRITICAL-23
FOR1768131525
Sophisticated Phishing Campaign Targets Fortinet VPN Users via SEO Poisoning and AI Tactics A newly uncovered phishing campaign is impersonating Fortinet’s official VPN download portal to steal corporate credentials and deploy malware. The attack, dubbed FORTI-FAKE, employs SEO poisoning and AI-generated search summaries to manipulate search engine results, tricking remote workers and IT administrators into visiting malicious sites. Operators behind the campaign—linked to Eastern Europe (Ukraine/Russia border) and Southeast Asia (Vietnam/Cambodia)—use bulletproof hosting in cities like Ho Chi Minh City and Bucharest to evade detection. Unlike opportunistic phishing, this is a professionally orchestrated operation, leveraging multi-stage redirects that abuse trusted domains to bypass security filters. Once victims land on the fake portal, the attack delivers infostealers (e.g., RedLine or Vidar), designed to harvest VPN credentials and gain footholds into corporate networks. The campaign’s sophistication—combining AI-generated content, SEO manipulation, and trusted-domain chaining—highlights a shift in phishing tactics, where search engines themselves become part of the attack chain. The impact extends beyond individual users: compromised VPN access can grant attackers full network entry, enabling ransomware deployment or data exfiltration. Traditional defenses, such as URL reputation checks, struggle to detect these layered redirects, underscoring the need for real-time threat intelligence and heightened scrutiny of search-driven threats.
INCIDENT DETAILS -
TYPE
Phishing
MOTIVATION
Credential theft, corporate VPN access for ransomware/extortion
IMPACT
Data Compromised: VPN credentials, potentially corporate network access
Systems Affected: Corporate VPN infrastructure
Operational Impact: Potential full corporate network compromise
Brand Reputation Impact: Erosion of trust in search engine results and VPN security
Identity Theft Risk: High (VPN credentials may lead to further PII exposure)
DATA BREACH
Type Of Data Compromised: VPN credentials
Sensitivity Of Data: High (corporate network access)
Cyber Attack
11 Jan 2026Fortinet
Fortinet: Amazon: Low-Skill Hacker Used AI Tools to Breach FortiGate Devices Globally

AI-Powered Cyberattacker Compromises 600+ FortiGate Devices in Global Campaign

241After Incident
CRITICAL-23
FOR1771958426
AI-Powered Cyberattacker Compromises 600+ FortiGate Devices in Global Campaign

A recent investigation by Amazon Threat Intelligence has exposed a new threat: an AI-augmented cybercriminal with limited technical expertise who breached over 600 FortiGate security devices across 55 countries in just 38 days (11 January–18 February 2026). The Russian-speaking attacker leveraged commercial AI services to automate and scale their operations, transforming basic hacking techniques into a high-efficiency intrusion campaign.

### How the Attack Unfolded

The attacker used AI-generated Python and Go scripts to scan the internet for exposed management ports (443, 8443, 10443, 4443), a tactic that eliminated the need for manual reconnaissance. Rather than deploying sophisticated exploits, they relied on AI-assisted brute-forcing of common or stolen passwords to gain initial access. Once inside, the attacker employed AI to map internal networks and deploy well-known offensive tools like Meterpreter and Mimikatz to extract credentials from Active Directory servers. A key objective was locating Veeam Backup & Replication servers, enabling them to disable data recovery options, a tactic that could force victims into paying ransoms by eliminating their ability to restore systems.

### AI’s Double-Edged Role

While AI amplified the attacker’s capabilities, it also became a critical weakness. The AI-generated code was effective for simple tasks but failed under complex conditions, particularly when attempting to exploit vulnerabilities like CVE-2019-7192 and CVE-2023-27532. The campaign’s success was concentrated in regions with weaker security postures, including South Asia, Southeast Asia, Latin America, West Africa, and Northern Europe.

### Defensive Takeaways

The incident underscores that AI-driven attacks are lowering the barrier to entry for cybercriminals, but traditional security measures remain effective. The attacker’s failures against patched systems and advanced exploits highlight the importance of basic cyber hygiene, including:
- Restricting public access to management ports.
- Enforcing Multi-Factor Authentication (MFA) to neutralize password-based attacks.
- Avoiding password reuse between security devices and corporate networks.
- Promptly applying security patches to close known vulnerabilities.

The case serves as a stark reminder that even low-skilled threat actors can inflict widespread damage when armed with AI, while also demonstrating that fundamental security practices can still thwart such campaigns.
INCIDENT DETAILS -
TYPE
Cyber Intrusion
MOTIVATION
Financial gain (potential ransomware)
IMPACT
Data Compromised: Credentials (Active Directory), backup server access
Systems Affected: 600+ FortiGate devices, Veeam Backup & Replication servers
Operational Impact: Disabled data recovery options, potential ransomware deployment
DATA BREACH
Type Of Data Compromised: Credentials, backup server access
Sensitivity Of Data: High (Active Directory credentials, backup systems)
JANUARY 2026
265Before Incident
Vulnerability
01 Jan 2026Fortinet
Fortinet and SonicWall: Ransomware reaches elevated ‘new normal’ as attack volumes hold steady into 2026, reshape baseline risk expectations

Ransomware Activity Stabilizes at Elevated Levels in Q1 2026, Shifting Tactics and Targets

261After Incident
CRITICAL-4
FORSON1776335417
Ransomware Activity Stabilizes at Elevated Levels in Q1 2026, Shifting Tactics and Targets

The first quarter of 2026 marked a period of sustained ransomware activity, with attack volumes remaining steady compared to both the previous quarter and the same period in 2025, according to GuidePoint Security’s Ransomware and Cyber Threat Insights report. After a late-2025 surge, the threat landscape has settled into a "new normal," with no significant spikes or declines in victim counts or active ransomware groups.

### Key Trends in Ransomware Activity

The most active ransomware group, Qilin, claimed 361 victims, a 25% drop from its Q4 2025 peak of 484. Meanwhile, The Gentlemen, a relative newcomer that ranked 16th in Q4 2025 with just 35 victims, surged to 182 victims, becoming the second-most active group. Akira, another long-standing player, saw a 22% decline in activity (from 226 to 176 victims), likely due to the waning effectiveness of its exploitation of SonicWall SSL VPN vulnerabilities. Clop continued its prolonged extortion campaign, posting victims in Q1 2026 from breaches that occurred in late 2025, a tactic consistent with its history of stretching out disclosures over months.

### Geographic and Sector Shifts

The U.S. remained the top target, accounting for 51% of all ransomware victims (1,084 incidents), followed by the U.K. and Canada (4% each, 88 incidents). Thailand entered the top 10 for the first time, signaling growing ransomware impacts in developing economies. Brazil and India also remained frequent targets, reflecting persistent threats to emerging markets. While manufacturing remained the most targeted sector, construction saw a 44% year-over-year increase, pushing it into the top five. This shift suggests attackers are expanding into industries with weaker cybersecurity defenses but valuable operational data.

### Evolving Tactics: Extortion Over Encryption

Ransomware groups are increasingly abandoning traditional encryption-based attacks in favor of data theft and extortion-only operations. This approach reduces operational complexity while maintaining pressure on victims through the threat of public data leaks.

### Emerging and Declining Threat Groups

- NightSpire, a financially motivated group operating since 2025, claimed 74 victims in Q1 2026 alone, primarily targeting SMBs with unpatched FortiOS/FortiProxy vulnerabilities (CVE-2024-55591). The group relies on living-off-the-land tools (PowerShell, PsExec, WMI) to evade detection.
- Scattered Spider, LAPSUS$, and ShinyHunters rebranded under the unified banner "Scattered LAPSUS$ Hunters" in August 2025, though the move reflected overlapping membership rather than a true merger. The group remains highly efficient, compressing attack timelines to 24–48 hours, and has been linked to over $66 million in extortion demands since 2022.
- Akira, one of the longest-operating RaaS groups (active since 2023), saw its victim count drop after peaking in Q4 2025, likely due to declining exploitation of SonicWall flaws.

### AI Supply Chain Attack Highlights New Risks

In February 2026, VirusTotal reported the first large-scale supply chain attack on an AI platform, targeting OpenClaw’s skills marketplace. Attackers published 314 malicious "skills", automation tools disguised as legitimate software, that delivered information-stealing malware. The incident underscored the growing risks of agentic AI systems, which rely on instruction-based (rather than code-based) extensions, making traditional malware detection less effective.

### Outlook: Stability with Potential Disruptions

While Q1 2026 saw no major shifts in overall ransomware volume, GuidePoint warned that periods of stability have historically been short-lived. The report noted that law enforcement actions, internal conflicts, or new group formations could disrupt the current equilibrium. Additionally, a mid-year "summer slowdown", a recurring dip in victim claims between Q2 and Q3, may temporarily reduce activity before potential resurgences later in the year.
INCIDENT DETAILS -
TYPE
Ransomware, Data Extortion, Supply Chain Attack
MOTIVATION
Financial gain, data theft, extortion
IMPACT
Financial Loss: > $66 million (Scattered LAPSUS$ Hunters since 2022)
Data Compromised: data theft and extortion; personally identifiable information (PII) at risk
FortiOS/FortiProxy
SonicWall SSL VPN
OpenClaw AI skills marketplace
Operational Impact: operational disruptions in targeted sectors (e.g., manufacturing, construction)
Brand Reputation Impact: potential reputational damage due to data leaks
Identity Theft Risk: high (due to PII exposure)
DATA BREACH
personally identifiable information (PII)
operational data
proprietary information
Sensitivity Of Data: high
partial (ransomware attacks)
none (extortion-only attacks)
DECEMBER 2025
266Before Incident
Vulnerability
29 Dec 2025Fortinet
Fortinet, Moxa and CERT Polska: Poland’s energy control systems were breached through exposed VPN access

Coordinated Cyberattacks Target Poland’s Critical Infrastructure in December 2025

264After Incident
CRITICAL-2
FORCERMOX1770408103
Coordinated Cyberattacks Target Poland’s Critical Infrastructure in December 2025

On 29 December 2025, a series of destructive cyberattacks struck Poland’s energy and industrial sectors, orchestrated by a Russia-linked threat actor tracked as Static Tundra (also known as Berserk Bear, Ghost Blizzard, and Dragonfly). Poland’s CERT Polska confirmed the attacks targeted renewable energy facilities, a heat and power (CHP) plant, and a private manufacturing company, though no disruptions to energy generation or distribution occurred.

### Initial Access & Tactics

The attackers exploited internet-exposed FortiGate VPN devices used as perimeter firewalls and VPN concentrators without multi-factor authentication (MFA). In all cases, compromised credentials allowed initial access, with attackers leveraging stolen configurations in some instances.

### Renewable Energy Sector Disruptions

At least 30 wind and solar farms were hit, with attackers focusing on substation control systems interfacing with distribution operators. Compromised equipment included:
- RTU controllers, protection relays, and HMI computers
- Hitachi Energy, Mikronika, and Moxa devices in industrial automation environments

Destructive actions (corrupted firmware, file deletions, and factory resets) led to lost communication between facilities and operators, though power generation continued uninterrupted.

### Heat & Power Plant Sabotage Attempt

A CHP plant supplying heat to nearly half a million customers was targeted in a prolonged intrusion dating back months. Attackers conducted:
- Internal reconnaissance and credential theft (including Active Directory admin access)
- Lateral movement across servers and workstations
- Deployment of DynoWiper malware via Group Policy Objects (GPOs)

An EDR platform blocked the wiper’s execution, limiting damage. Evidence suggests preparations began earlier in 2025, indicating a long-term operation.

### Manufacturing Company Attack

A private manufacturing firm was also targeted opportunistically. Attackers:
- Gained access via a Fortinet device with a publicly leaked configuration
- Modified settings to maintain persistence despite credential changes
- Deployed LazyWiper, a PowerShell-based wiper distributed via GPOs, designed to destroy business-critical data

CERT Polska noted the wiper’s file-overwriting function may have been generated by an LLM.

### Impact & Attribution

While the attacks disrupted monitoring and control systems, they failed to halt energy production. All incidents were linked to the same threat actor, with tactics aligning with known Russian cyberespionage and sabotage operations. The use of wiper malware, stolen credentials, and prolonged reconnaissance underscores the highly targeted and destructive nature of the campaign.
INCIDENT DETAILS -
TYPE
Destructive Cyberattack, Sabotage, Cyberespionage
MOTIVATION
Sabotage, Cyberespionage, Disruption of critical infrastructure
IMPACT
Data Compromised: Business-critical data, industrial control system configurations
RTU controllers
Protection relays
HMI computers
Industrial automation devices (Hitachi Energy, Mikronika, Moxa)
Active Directory servers
Workstations
Downtime: Lost communication between facilities and operators
Operational Impact: Disrupted monitoring and control systems in renewable energy facilities and a CHP plant
DATA BREACH
Industrial control system configurations
Business-critical data
Sensitivity Of Data: High (industrial control systems, business operations)
Data Encryption: Data corruption via wiper malware
DECEMBER 2025
263Before Incident
Vulnerability
12 Dec 2025Fortinet
Fortinet and Arctic Wolf: Attackers are exploiting auth bypass vulnerability on FortiGate firewalls (CVE-2025-59718)

Exploitation of CVE-2025-59718 to Bypass Authentication on Fortinet FortiGate Firewalls

261After Incident
LOW-2
FORARC1765986943
Fortinet Firewall Vulnerabilities Exploited in Active Attacks Attackers are actively exploiting a recently disclosed vulnerability (CVE-2025-59718) to bypass authentication on Fortinet’s FortiGate firewalls, enabling them to export sensitive system configuration files. Arctic Wolf researchers reported the campaign on Tuesday, warning that stolen configurations may contain network infrastructure details, security policies, and encrypted credentials—data that could facilitate future attacks. The vulnerability, along with a related flaw (CVE-2025-59719), stems from improper cryptographic signature verification. Both can be exploited by sending a crafted SAML response to a vulnerable device, tricking it into granting unauthorized access. CVE-2025-59718 affects FortiOS (FortiGate), FortiProxy, and FortiSwitchManager, while CVE-2025-59719 impacts FortiWeb. Fortinet disclosed the vulnerabilities on December 9, 2025, and released patches, advising customers to upgrade or disable the FortiCloud SSO login feature if enabled. The flaw is not active by default but can be triggered if administrators register devices to FortiCare without disabling the "Allow administrative login using FortiCloud SSO" option. Arctic Wolf observed intrusions beginning December 12, with attackers using malicious SSO logins—primarily targeting the admin account—before exfiltrating configurations via the GUI. The attacks originated from IP addresses linked to multiple hosting providers. CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, mandating U.S. federal agencies to remediate the flaw by December 23, 2025. Organizations using affected Fortinet products are advised to check logs for suspicious activity and reset compromised credentials if breaches are detected.
INCIDENT DETAILS -
TYPE
Authentication Bypass
MOTIVATION
Data Exfiltration, Credential Harvesting
IMPACT
Data Compromised: System configuration files (network/infrastructure details, firewall policies, encrypted/hashed passwords)
Systems Affected: FortiGate firewalls, FortiProxy, FortiSwitchManager, FortiWeb
Operational Impact: Potential unauthorized access to network infrastructure
Brand Reputation Impact: Potential reputational damage due to security breach
Identity Theft Risk: High (if hashed credentials are cracked)
DATA BREACH
Type Of Data Compromised: System configuration files (network/infrastructure details, firewall policies, encrypted/hashed passwords)
Sensitivity Of Data: High (contains hashed credentials and network details)
Data Exfiltration: Yes (configuration files exported to attacker-controlled IPs)
Data Encryption: Data was encrypted/hashed (but may be cracked)
File Types Exposed: Configuration files
DECEMBER 2025
265Before Incident
Vulnerability
01 Dec 2025Fortinet
Fortinet: Fortinet Disables FortiCloud SSO Following 0-day Vulnerability Exploited in the Wild

Fortinet Disables FortiCloud SSO After Zero-Day Exploitation

259After Incident
CRITICAL-6
FOR1769585582
Fortinet Disables FortiCloud SSO After Zero-Day Exploitation

Fortinet temporarily disabled its FortiCloud Single Sign-On (SSO) service following the active exploitation of a zero-day authentication bypass vulnerability (FG-IR-26-060) affecting multiple products. The flaw, classified as an Authentication Bypass Using an Alternate Path or Channel (CWE-288), allows attackers with a malicious FortiCloud account to gain unauthorized access to devices registered under other accounts. The vulnerability impacts FortiOS, FortiManager, and FortiAnalyzer when FortiCloud SSO is enabled; though not active by default, it is often enabled during FortiCare registration. Exploitation grants attackers administrative access, even on fully patched systems. While the issue also affects all SAML SSO implementations, attacks have so far been limited to FortiCloud SSO. FortiWeb and FortiSwitch Manager remain under investigation, with no confirmed patches available.

### Affected Versions & Fixes

Fortinet has released fixed versions for impacted products, with many updates scheduled for January 27, 2026. Customers are advised to upgrade to the following versions:
- FortiAnalyzer: 7.6.6+, 7.4.10+, 7.2.12+, 7.0.16+
- FortiManager: 7.6.6+, 7.4.10+, 7.2.13+, 7.0.16+
- FortiOS: 7.6.6+, 7.4.11+, 7.2.13+, 7.0.19+
- FortiProxy: 7.6.6+, 7.4.13+ (migration required for 7.2/7.0)

### Indicators of Compromise (IoCs)

Attackers leveraged specific FortiCloud accounts and IP addresses, including:
- Malicious SSO Accounts: `cloud-noc@mail[.]io`, `cloud-init@mail[.]io`
- Primary IPs: `104.28.244[.]115`, `104.28.212[.]114`, `104.28.195[.]105`
- Suspicious Local Admins: `audit`, `backup`, `itadmin`, `secadmin`, `support`

Key log patterns include successful SSO logins (`logid="0100032001"`) from suspicious IPs and unauthorized admin account creations (`logid="0100044547"`). Post-exploitation, attackers downloaded configurations and installed backdoor admins for persistence.

### Timeline & Response

- January 22, 2026: Fortinet detected exploitation and locked malicious accounts.
- January 26, 2026: FortiCloud SSO was disabled server-side.
- January 27, 2026: Service restored with blocks on vulnerable devices; PSIRT advisory FG-IR-26-060 published.

This incident follows December 2025 advisories (FG-IR-25-647) on related SSO bypasses (CVE-2025-59718, CVE-2025-59719), which were patched in some branches but bypassed via a new attack vector. No CVSS score has been assigned, as the flaw remains a zero-day without a CVE. Mitigation steps include restricting admin access to trusted IPs, disabling FortiCloud SSO if necessary, and monitoring for further updates from Fortinet’s PSIRT. Post-compromise actions involve firmware upgrades, config restoration, credential rotation, and auditing VPN/LDAP integrations.
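The two log patterns named in the summary (successful SSO logins from the listed IPs, and admin-table changes that create the listed local account names) are the kind of thing a responder would triage offline from an exported event log. The script below is an added example, not code from this page or from Fortinet: it assumes the FortiOS key=value event style with field names `logid`, `method`, `srcip`, `cfgpath` and `cfgobj` (an assumption about how these events are rendered), maps the two log IDs exactly as the summary describes them, undefangs the summary's `[.]` IPs so they match raw fields, and scans three constructed sample lines rather than real telemetry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators quoted in the advisory summary above. The page defangs the IPs with
# "[.]"; they are undefanged here so they match raw log fields.
SUSPICIOUS_IPS = {"104.28.244.115", "104.28.212.114", "104.28.195.105"}
SUSPICIOUS_ADMINS = {"audit", "backup", "itadmin", "secadmin", "support"}
SSO_LOGIN_LOGID = "0100032001"      # successful admin login (as the summary states)
CONFIG_CHANGE_LOGID = "0100044547"  # admin object created/changed (as the summary states)

# One key=value pair; values may be double-quoted (and contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (not real telemetry). Field names follow the FortiOS
# key=value event style, but the exact rendering is an assumption of this example.
SAMPLE_LOG = """\
date=2026-01-22 time=03:14:07 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 action="login" status="success" msg="Administrator admin logged in successfully from sso(104.28.244.115)"
date=2026-01-22 time=03:15:40 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="sso(104.28.244.115)" cfgpath="system.admin" cfgobj="itadmin" cfgattr="accprofile[super_admin]" msg="Edit system.admin itadmin"
date=2026-01-22 time=08:02:11 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"
"""


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Return a verdict label for one parsed event, or None if it is unremarkable."""
    logid = fields.get("logid")
    if logid == SSO_LOGIN_LOGID:
        # Every SSO login deserves review while FortiCloud SSO is in question;
        # an SSO login from a listed IP is a direct IoC hit.
        if fields.get("method") == "sso":
            if fields.get("srcip") in SUSPICIOUS_IPS:
                return "sso-login-from-ioc-ip"
            return "sso-login"
    elif logid == CONFIG_CHANGE_LOGID and fields.get("cfgpath") == "system.admin":
        # A change to the admin table is a new or modified local administrator.
        if fields.get("cfgobj") in SUSPICIOUS_ADMINS:
            return "admin-object-with-ioc-name"
        return "admin-object-changed"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, verdict, actor, source IP) for every flagged event."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = parse_fortios_line(line)
        verdict = classify(fields)
        if verdict is not None:
            actor = fields.get("cfgobj") or fields.get("user", "?")
            findings.append((number, verdict, actor, fields.get("srcip", "?")))
    return findings


if __name__ == "__main__":
    for number, verdict, actor, srcip in scan(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {verdict} actor={actor} srcip={srcip}")
```

On the constructed sample, the SSO login from a listed IP and the `system.admin` edit creating `itadmin` are flagged, while the ordinary HTTPS login from an internal address is not. In a real review, feed the export line by line instead of `SAMPLE_LOG`, and treat any `sso-login` or `admin-object-changed` verdict (not only the IoC hits) as worth correlating with the January 22 to 27 window the summary gives.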
INCIDENT DETAILS -
TYPE
Authentication Bypass
IMPACT
Data Compromised: Device configurations, administrative access
Systems Affected: FortiOS, FortiManager, FortiAnalyzer, FortiProxy (under investigation: FortiWeb, FortiSwitch Manager)
Downtime: FortiCloud SSO service temporarily disabled (2026-01-26 to 2026-01-27)
Operational Impact: Unauthorized administrative access, potential data exfiltration, backdoor installations
Brand Reputation Impact: Potential reputational damage due to zero-day exploitation
DATA BREACH
Type Of Data Compromised: Device configurations, administrative credentials
Sensitivity Of Data: High (administrative access, backdoor installations)
Data Exfiltration: Potential (attackers downloaded configurations)
File Types Exposed: Configuration files
Vulnerability
01 Dec 2025Fortinet
Fortinet: New Sicarii RaaS Operation Attacks Exposed RDP Services and Attempts to Exploit Fortinet Devices

Sicarii Ransomware: A Geopolitically Motivated Threat Emerges with Israeli Affiliations

259After Incident
CRITICAL-6
FOR1769045821
Sicarii Ransomware: A Geopolitically Motivated Threat Emerges with Israeli Affiliations

In December 2025, a new ransomware-as-a-service (RaaS) operation named Sicarii surfaced on underground platforms, distinguishing itself through its overt Israeli or Jewish affiliations. Unlike typical financially driven ransomware groups, Sicarii incorporates Hebrew text, the Haganah symbol, and references to historical Jewish militant groups in its branding, an unusual departure from the operational secrecy of most cybercriminal enterprises. The group explicitly targets organizations in Arab and Muslim countries, employing a geo-fencing mechanism to avoid Israeli systems. The malware checks time zones, keyboard layouts, and IP addresses to confirm local targets before execution, reinforcing its ideological focus.

### Technical Sophistication & Attack Chain

Sicarii’s infrastructure is highly advanced, beginning with an anti-virtualization phase that detects sandbox environments and displays fake error messages to evade analysis. Once active, the malware:
- Copies itself to the temporary directory as svchost_{random}.exe.
- Tests internet connectivity via google.com/generate_204 to ensure operational readiness.
- Performs aggressive network reconnaissance, including ARP requests and RDP service scans.
- Exploits Fortinet devices using CVE-2025-64446, a vulnerability enabling lateral movement within compromised networks.

### Data Exfiltration & Destructive Payload

The ransomware harvests system credentials, browser data, and application information from platforms like Discord, Slack, Telegram, and cryptocurrency wallets, packaging it into collected_data.zip and exfiltrating via file.io. After data theft, it establishes persistence through:
- Registry modifications
- Service creation
- New user accounts with hardcoded credentials

The encryption phase uses AES-GCM (256-bit keys), appending the .sicarii extension to locked files. A final destructive component corrupts bootloader files, forcing an immediate system shutdown, escalating the attack beyond typical ransomware tactics. Sicarii’s blend of ideological targeting, technical sophistication, and destructive capabilities marks a concerning evolution in ransomware operations, particularly for organizations in its crosshairs.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Geopolitical (targeting Arab and Muslim countries with Israeli/Jewish affiliations)
IMPACT
Data Compromised: System credentials, browser data, application information (Discord, Slack, Telegram, cryptocurrency wallets)
Systems Affected: Systems in Arab and Muslim countries (geo-fenced to exclude Israel)
Operational Impact: System shutdown due to bootloader corruption, data encryption, and lateral movement
Identity Theft Risk: High (personally identifiable information and credentials harvested)
Payment Information Risk: High (cryptocurrency wallet data compromised)
DATA BREACH
System credentials
Browser data
Application information (Discord, Slack, Telegram, cryptocurrency wallets)
Sensitivity Of Data: High (personally identifiable information, financial data)
NOVEMBER 2025
263Before Incident
Vulnerability
18 Nov 2025Fortinet
Fortinet

Critical Fortinet FortiWeb Path Traversal Vulnerability (CVE-2025-64446) Actively Exploited

261After Incident
CRITICAL-2
FOR4992549111825
The critical CVE-2025-64446 vulnerability in Fortinet FortiWeb WAF allows unauthenticated attackers to gain administrative access via a relative path-traversal flaw (CWE-23). Exploitation enables full system control, including disabling security measures, intercepting sensitive data (e.g., credentials, financial transactions), and lateral movement into corporate networks. While no confirmed ransomware link exists, the flaw’s severity—CVSS Critical—and active exploitation by threat actors pose immediate operational risks, including data breaches, unauthorized command execution, and potential downstream infrastructure compromise. CISA’s 7-day remediation deadline (Nov 21, 2025) underscores the urgency, with federal agencies and private organizations at risk of deep network infiltration, privilege escalation, and exposure of protected applications. Failure to patch could lead to sustained attacker presence, data exfiltration, or disruption of business-critical services.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation, Unauthenticated Access, Path Traversal
IMPACT
Potential interception of sensitive data passing through WAF
Fortinet FortiWeb WAF
Protected applications
Downstream infrastructure
Administrative access to WAF
Command execution with full privileges
Security control bypass
Lateral movement risk
Potential reputational damage due to exploitation of critical infrastructure
Potential interception of sensitive data (e.g., payment info) if transmitted through WAF
DATA BREACH
Potentially any data transmitted through or stored on FortiWeb WAF
High (potential for intercepted sensitive data, including PII or payment info)
Possible if attackers intercept or pivot to other systems
Potential risk if PII transmitted through WAF
OCTOBER 2025
247Before Incident
Vulnerability
01 Oct 2025Fortinet
Fortinet

Global Exploitation of Path Traversal Vulnerability in Fortinet FortiWeb Web Application Firewall

245After Incident
CRITICAL-2
FOR1532815111725
A critical path traversal vulnerability (CVE pending) in Fortinet’s FortiWeb web application firewall (WAF) is being actively exploited globally, allowing unauthenticated attackers to create administrative accounts on unpatched devices. The flaw, present in versions 8.0.1 and earlier, enables threat actors to bypass authentication via a crafted HTTP POST request to the endpoint `/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi`. Attackers are automating mass scans and deploying preconfigured credentials (e.g., usernames like Testpoint, trader1; passwords like 3eMIXX43, AFT3$tH4ck) to gain persistent admin access. Security researchers (Defused, PwnDefend, watchTowr Labs) confirm widespread exploitation, with IPs (e.g., 107.152.41.19, 144.31.1.63) linked to unauthorized account creation. While Fortinet released a patch (8.0.2) in late October, the lack of a public advisory or CVE assignment delays mitigation awareness. Organizations are urged to immediately update, audit admin accounts, block public access to management interfaces, and inspect logs for `fwbcgi` requests. The vulnerability serves as a foothold for deeper network infiltration, risking lateral movement into corporate environments if left unaddressed.
INCIDENT DETAILS -
TYPE
Unauthorized Access, Path Traversal Vulnerability, Privilege Escalation, Account Takeover
MOTIVATION
Unauthorized Access, Lateral Movement, Potential Foothold for Further Attacks
IMPACT
FortiWeb appliances (unpatched versions)
Potential unauthorized administrative access
Risk of lateral movement into corporate networks
Potential reputational damage for Fortinet and affected organizations
SEPTEMBER 2025
247Before Incident
AUGUST 2025
236Before Incident
JULY 2025
223Before Incident
JUNE 2025
207Before Incident
Vulnerability
16 Jun 2025Fortinet
Fortinet

Critical OS Command Injection Vulnerability in Fortinet FortiWeb (CVE-2025-58034) Actively Exploited

205After Incident
CRITICAL-2
FOR3793237111925
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about CVE-2025-58034, a critical OS command injection vulnerability in Fortinet FortiWeb, which is actively exploited in real-world attacks. The flaw (CWE-78) allows authenticated attackers with access to the management interface or API to execute arbitrary OS commands via malicious HTTP requests or CLI inputs. Successful exploitation grants attackers full control over the FortiWeb appliance, enabling lateral movement into protected internal networks behind the firewall. Given FortiWeb’s widespread deployment across thousands of enterprises globally, the risk of large-scale compromise is severe. While no direct data breach or ransomware has been confirmed in the article, the vulnerability’s active exploitation poses an immediate threat to organizational security posture, potentially leading to unauthorized system takeover, data exposure, or operational disruption if left unpatched. CISA mandates immediate patching or mitigation (e.g., network segmentation, enhanced monitoring) to prevent escalation. Failure to remediate could result in full infrastructure compromise, particularly in environments where FortiWeb protects critical assets.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation, OS Command Injection, Privilege Escalation
IMPACT
Fortinet FortiWeb appliances
Potentially protected infrastructure behind the firewall
Unauthorized code execution
Privilege escalation
Potential lateral movement to protected systems
Compromise of web application firewall functionality
Potential reputational damage due to exploitation of critical security product
JUNE 2025
341Before Incident
Ransomware
04 Jun 2025Fortinet
SimpleHelp

Play Ransomware Campaign

203After Incident
CRITICAL-138
SIM358060525
Groups linked with the Play ransomware have compromised more than 900 organizations, in some cases by exploiting a security flaw in the remote-access tool SimpleHelp where it had not been patched. The ransomware operators use double-extortion techniques, stealing and encrypting sensitive data, then threatening to release it unless a ransom is paid. The criminals gain access through various means, including stolen credentials and exploiting old vulnerabilities. The FBI warns that multiple ransomware groups have exploited this flaw, leading to significant data breaches and potential financial losses.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial Gain
IMPACT
Data Compromised: Sensitive Data
DATA BREACH
Type Of Data Compromised: Sensitive Data
MAY 2025
334Before Incident
Vulnerability
13 May 2025Fortinet
Fortinet

Fortinet Critical Vulnerability Exploitation

332After Incident
LOW-2
FOR548051425
Fortinet has patched a critical vulnerability (CVE-2025-32756) that has been exploited in the wild to compromise FortiVoice phone / conferencing systems. The vulnerability is a stack-based overflow that can lead to remote code and command execution by unauthenticated attackers. Attackers have used it to perform scans of the device network, erase system crashlogs, enable “fcgi debugging” setting to log credentials from the system or SSH login attempts, and drop malware. The vulnerability also affects FortiMail, FortiNDR, FortiRecorder, and FortiCamera, but the attackers have only used it to target FortiVoice installations. Users are advised to upgrade to fixed releases for the affected solutions.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
MOTIVATION
Scanning the device network; erasing system crash logs; enabling the 'fcgi debugging' setting to log credentials; dropping malware
IMPACT
FortiVoice; FortiMail; FortiNDR; FortiRecorder; FortiCamera
MAY 2025
341Before Incident
Cyber Attack
01 May 2025Fortinet
Sophos, Fortinet, Ivanti, Palo Alto Networks and Pulse Secure: Attackers Use SEO Poisoning and Signed Trojans to Steal VPN Credentials

Storm-2561 Credential Theft Campaign Exploits SEO to Target Enterprise VPN Users

330After Incident
CRITICAL-11
PALIVASOPPULFOR1773764643
Storm-2561 Credential Theft Campaign Exploits SEO to Target Enterprise VPN Users. Since May 2025, the financially motivated threat actor Storm-2561 has run a credential theft campaign that manipulates search engine rankings to distribute fake VPN software. The operation targets employees searching for clients such as Pulse Secure, Fortinet, and Ivanti, redirecting them to spoofed websites that deliver malicious download packages. Victims who install the fake software unknowingly expose their VPN credentials, which are silently harvested and sent to attacker-controlled servers. The campaign uses SEO poisoning to push fraudulent sites to the top of search results for queries such as "Pulse VPN download". These sites mimic legitimate vendor portals, complete with logos and download buttons, and hosted malicious ZIP files in GitHub repositories that have since been removed. The trojans were digitally signed with a certificate issued to "Taiyuan Lihua Near Information Technology Co., Ltd.", which has since been revoked. Microsoft Defender Experts identified the campaign in mid-January 2026 and attributed it to Storm-2561 based on the group's history of malware distribution through SEO abuse and software impersonation. After stealing the credentials, the fake VPN client displays a convincing error message and then redirects the victim to the official vendor website, leaving no visible sign of compromise. The payload is delivered as a Windows Installer (MSI) package disguised as a legitimate Pulse Secure installer; it drops two malicious DLLs (dwmapi.dll and inspector.dll) that act as an in-memory loader and a variant of the Hyrax infostealer. The malware exfiltrates credentials to 194.76.226[.]93:8080 and persists via the Windows RunOnce registry key. The campaign extends beyond Pulse Secure: additional fake installers for GlobalProtect VPN and Sophos Connect were found signed with the same certificate.
Stolen VPN credentials enable lateral movement within corporate networks, unauthorized data access, and follow-on attacks, posing a significant risk to enterprises that rely on VPNs for remote operations. The combination of realistic spoofing, a legitimate-looking code signature, and post-compromise redirection makes detection particularly challenging.
INCIDENT DETAILS -
TYPE
Credential Theft
MOTIVATION
Financial Gain
IMPACT
Data Compromised: VPN Credentials, Corporate Network Access
Systems Affected: Enterprise VPN Systems (Pulse Secure, Fortinet, Ivanti, GlobalProtect, Sophos Connect)
Operational Impact: Unauthorized Access, Lateral Movement, Data Exfiltration Risk
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: VPN Credentials, Corporate Network Access
Sensitivity Of Data: High
Data Exfiltration: Yes (to 194.76.226[.]93:8080)
Data Encryption: No (credentials exfiltrated in plaintext)
Personally Identifiable Information: Potentially (if credentials include PII)
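The write-up above gives three concrete host indicators for this campaign: the side-loaded DLL names (dwmapi.dll, inspector.dll) dropped next to the fake installer, the exfiltration endpoint 194.76.226[.]93:8080, and persistence via the RunOnce registry key. The following is an added example, not code from this page or from Microsoft's report, that turns those three into triage rules over endpoint telemetry. The records in SAMPLE_EVENTS are constructed to resemble Sysmon events (ID 7 image loaded, ID 3 network connection, ID 13 registry value set); the field names are an assumption and will need mapping onto your own SIEM schema. The side-load rule flags dwmapi.dll only when it is loaded from outside the Windows system directories, which is what distinguishes the dropped copy from the genuine one.

```python
"""Triage logic for the Storm-2561 indicators described above.

Added example, not code from the page or from Microsoft's report. The
records in SAMPLE_EVENTS are constructed to resemble Sysmon telemetry
(event ID 7 = image loaded, 3 = network connection, 13 = registry value
set); the field names are an assumption to map onto your own SIEM schema.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators from the write-up: DLLs dropped by the fake installer, the
# exfiltration endpoint (published defanged) and the RunOnce persistence key.
C2_DEFANGED = "194.76.226[.]93"
C2_PORT = 8080
SIDELOAD_DLLS = {"dwmapi.dll", "inspector.dll"}
RUNONCE_RE = re.compile(r"\\CurrentVersion\\RunOnce\\", re.IGNORECASE)
# The genuine dwmapi.dll lives only under the Windows system directories;
# a copy loaded from anywhere else is the classic DLL side-loading pattern.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def refang(indicator: str) -> str:
    """Turn a defanged IP such as 194.76.226[.]93 back into a real address."""
    real = indicator.replace("[.]", ".").replace("(.)", ".")
    ipaddress.ip_address(real)  # raises ValueError if still malformed
    return real


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def triage(events: list) -> list:
    """Return one Finding per event that matches a Storm-2561 indicator."""
    c2 = refang(C2_DEFANGED)
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        eid = ev.get("event_id")
        if eid == 7:  # image loaded
            path = ev["image_loaded"].lower()
            name = path.rsplit("\\", 1)[-1]
            if name in SIDELOAD_DLLS and not path.startswith(SYSTEM_DIRS):
                findings.append(Finding("dll_sideload", host, ev["image_loaded"]))
        elif eid == 3:  # network connection
            if ev["dest_ip"] == c2 and int(ev["dest_port"]) == C2_PORT:
                findings.append(Finding("c2_connection", host,
                                        f'{ev["image"]} -> {c2}:{C2_PORT}'))
        elif eid == 13:  # registry value set
            if RUNONCE_RE.search(ev["target_object"]):
                findings.append(Finding("runonce_persistence", host, ev["target_object"]))
    return findings


# Constructed telemetry: one infected workstation (ws01) and one clean one (ws02).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 7,
     "image": r"C:\Users\alice\Downloads\PulseSecureSetup\installer.exe",
     "image_loaded": r"C:\Users\alice\Downloads\PulseSecureSetup\dwmapi.dll"},
    {"host": "ws01", "event_id": 7,
     "image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\Windows\System32\dwmapi.dll"},  # legitimate load, must not fire
    {"host": "ws01", "event_id": 3,
     "image": r"C:\Users\alice\Downloads\PulseSecureSetup\installer.exe",
     "dest_ip": "194.76.226.93", "dest_port": 8080},
    {"host": "ws01", "event_id": 13,
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater"},
    {"host": "ws02", "event_id": 3,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.25", "dest_port": 443},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

Run against real telemetry, the three rules should be treated with different weights: the C2 connection is high-confidence on its own, the RunOnce write is noisy (installers use it legitimately) and is worth alerting on only when it co-occurs with one of the other two on the same host.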
FEBRUARY 2025
342Before Incident
Breach
01 Feb 2025Fortinet
Anthropic: Anthropic leaks its own AI coding tool’s source code in second major security breach

Anthropic Accidentally Leaks Claude Code Source, Exposing Internal AI Systems

302After Incident
CRITICAL-40
ANT1774981746
Anthropic Accidentally Leaks Claude Code Source, Exposing Internal AI Systems. Anthropic has inadvertently leaked the source code for Claude Code, its widely adopted AI-powered coding assistant, exposing roughly 500,000 lines of code across 1,900 files. The incident, which the company attributes to a "release packaging issue" caused by human error, occurred when internal source code was uploaded to NPM, a software distribution platform, instead of the final, compiled version. The leak follows a separate accidental disclosure earlier this month, in which a draft blog post revealed details about Mythos (also referred to as Capybara), an upcoming AI model described as more powerful and potentially more dangerous than Anthropic's current flagship, Opus. While the latest exposure did not include model weights or customer data, cybersecurity experts warn that it could allow competitors to reverse-engineer Claude Code's "agentic harness", the software layer that governs the AI's behavior, tool integration, and safety guardrails. This could enable open-source alternatives or help rivals refine their own AI systems. Security researcher Roy Paz of LayerX Security noted that the leaked code also provided further evidence of Capybara, Anthropic's next-generation model, which is expected to surpass Opus in capability and cost. The draft blog post had described it as a new tier, with "fast" and "slow" variants likely to replace Opus as the company's most advanced offering. Paz highlighted concerns that the exposed code may reveal weaknesses in how Claude Code interacts with Anthropic's internal systems, potentially allowing malicious actors, including nation-states, to exploit the AI for cyberattacks or bypass existing safeguards. Anthropic's Opus model is already classified as a high-risk tool because of its ability to autonomously identify zero-day vulnerabilities, a capability that could be weaponized by threat actors.
This is not the first time the company has faced such an exposure: in February 2025, an early version of Claude Code was similarly leaked, revealing its internal workings and system connections before being removed. The company has said it is implementing measures to prevent future incidents but has not disclosed details. The leak underscores the difficulty of securing proprietary AI systems as adoption of, and scrutiny on, advanced models continues to grow.
INCIDENT DETAILS -
TYPE
Data Leak
IMPACT
Data Compromised: 500,000 lines of source code across 1,900 files
Systems Affected: Claude Code AI-powered coding assistant, internal AI systems
Operational Impact: Potential reverse-engineering of AI systems by competitors or malicious actors
Brand Reputation Impact: Yes
DATA BREACH
Type Of Data Compromised: Source code, internal AI system details
Number Of Records Exposed: 1,900 files
Sensitivity Of Data: High (proprietary AI code, agentic harness, internal system connections)
File Types Exposed: Source code files
Personally Identifiable Information: No
JANUARY 2025
345Before Incident
Cyber Attack
11 Jan 2025Fortinet
Fortinet: Hackers Use CyberStrikeAI Tool to Breach Fortinet FortiGate Devices

CyberStrikeAI: Open-Source AI Tool Targets Fortinet FortiGate Devices in Global Campaign

334After Incident
CRITICAL-11
FOR1772540844
CyberStrikeAI: Open-Source AI Tool Targets Fortinet FortiGate Devices in Global Campaign. Researchers at Team Cymru have uncovered CyberStrikeAI, an open-source offensive security tool that uses AI to target Fortinet FortiGate devices worldwide. Developed by GitHub user Ed1s0nZ, the Go-based platform integrates over 100 security tools and offers an orchestration engine, role-based testing, and a dashboard for managing the full attack lifecycle. First published on November 8, 2025, the tool gained traction in early 2026. Between January 20 and February 26, 2026, Team Cymru observed 21 unique IP addresses running CyberStrikeAI, a sharp rise in threat actor adoption. Amazon Threat Intelligence identified a key server (212.11.64[.]250) linked to a campaign that compromised over 600 FortiGate devices across 55 countries between January 11 and February 18. Team Cymru's Scout platform confirmed the tool's service banner on port 8080, and NetFlow data showed direct communications with FortiGate appliances. The infrastructure last ran the tool on January 30, 2026. Ed1s0nZ's apparent ties to Chinese state-linked programs raise concerns. On December 19, 2025, they submitted CyberStrikeAI to the Knownsec 404 Starlink Project, which is linked to China's Ministry of State Security (MSS) and the People's Liberation Army (PLA). On January 5, 2026, they received a CNNVD Level 2 Contribution Award, a program overseen by the MSS, before deleting the post, likely to obscure the affiliation. Other repositories by the same author, such as PrivHunterAI (privilege escalation detection) and InfiltrateX (scanning), point to a focus on exploitation. Attackers used CyberStrikeAI's AI to generate step-by-step attack plans, command sequences, and methods, then exploited exposed management ports and weak single-factor authentication to steal credentials. No zero-days were required. Most of the servers involved were hosted in China, Singapore, and Hong Kong, consistent with a Chinese developer base.
Team Cymru warns that accessible AI-driven tools like CyberStrikeAI will accelerate adoption by Chinese APT groups, enabling automated, large-scale exploitation of vulnerable network edges. The blurring line between offensive tools and legitimate security testing heightens the risk for networks worldwide.
INCIDENT DETAILS -
TYPE
Cyber Attack
MOTIVATION
State-sponsored espionage, large-scale exploitation
IMPACT
Data Compromised: Credentials, sensitive network data
Systems Affected: Over 600 Fortinet FortiGate devices
Operational Impact: Compromised network security, unauthorized access
Brand Reputation Impact: Potential reputational damage for affected entities
Identity Theft Risk: High (credentials stolen)
DATA BREACH
Type Of Data Compromised: Credentials, network configuration data
Sensitivity Of Data: High (credentials, network access)
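The campaign above needed no zero-day: it worked because management services were reachable on the internet-facing interface and administrator accounts were protected by a single factor. The following is an added example, not part of this page and not Fortinet's or Team Cymru's tooling, that audits a FortiOS configuration export for exactly those two conditions. SAMPLE_CONFIG is a constructed excerpt in FortiOS CLI layout (config / edit / set / next / end); the attribute names it relies on (allowaccess and role under system interface, two-factor and trusthostN under system admin) are an assumption to confirm against a real "show full-configuration" export before trusting the result.

```python
"""Audit a FortiOS config export for the two weaknesses the CyberStrikeAI
campaign abused: management services reachable on a WAN-facing interface,
and administrator accounts without a second factor or trusted-host limits.

Added example, not Fortinet's or Team Cymru's code. SAMPLE_CONFIG is a
constructed excerpt in FortiOS CLI layout (config / edit / set / next / end);
the attribute names used (allowaccess, role, two-factor, trusthostN) are an
assumption to confirm against a real export.
"""
import shlex
from collections import defaultdict

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor disable
    next
    edit "noc-ops"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 192.168.10.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

# Protocols that hand an attacker a login prompt (or a read path) on the box.
MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}


def parse_fortios(text: str) -> dict:
    """Return {table: {entry: {attribute: [values]}}} for each top-level block.

    Nested "config ... end" blocks inside an entry (e.g. per-interface IPv6
    settings) are skipped; the checks below only need top-level attributes.
    """
    tables = defaultdict(dict)
    table = entry = None
    nested = 0  # depth of a nested block currently being skipped
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = shlex.split(line)
        if nested:
            if tok[0] == "config":
                nested += 1
            elif tok[0] == "end":
                nested -= 1
            continue
        if tok[0] == "config":
            if entry is None:
                table = " ".join(tok[1:])
            else:
                nested = 1
        elif tok[0] == "edit":
            entry = tok[1]
            tables[table][entry] = {}
        elif tok[0] == "set" and entry is not None:
            tables[table][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return tables


def audit(tables: dict) -> list:
    """Flag WAN-exposed management services and single-factor, unrestricted admins."""
    findings = []
    for name, attrs in tables.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: management services "
                            f"{sorted(exposed)} reachable from the WAN side")
    for name, attrs in tables.get("system admin", {}).items():
        two_factor = attrs.get("two-factor", ["disable"])[0]  # absent means the default, disable
        trusted = any(k.startswith("trusthost") for k in attrs)
        if two_factor == "disable" and not trusted:
            findings.append(f"admin {name}: single-factor login with no trusthost restriction")
    return findings


if __name__ == "__main__":
    for line in audit(parse_fortios(SAMPLE_CONFIG)):
        print(line)
```

On the constructed excerpt the audit reports wan1 (HTTPS and SSH open on a WAN-role interface) and the built-in admin account (no second factor, no trusthost). The internal interface is not flagged despite the same allowaccess list, and noc-ops passes because it is both restricted to a trusted subnet and token-protected.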
JANUARY 2025
714Before Incident
Ransomware
01 Jan 2025Fortinet
Fortinet: Ransomware Victims Jump to 7,831 as AI Crime Tools Scale Global Attacks

AI-Powered Ransomware Surge: A 389% Spike in Global Victims in 2025

341After Incident
CRITICAL-373
FOR1777631025
AI-Powered Ransomware Surge: A 389% Spike in Global Victims in 2025. Fortinet's 2026 Global Threat Landscape Report records a 389% year-over-year increase in confirmed ransomware victims, from 1,600 in 2024 to 7,831 in 2025. The surge is driven by the proliferation of AI-powered cybercrime tools such as WormGPT, FraudGPT, and BruteForceAI, which have lowered the barrier to entry. Sold openly on dark web marketplaces, these tools let even low-skilled attackers launch sophisticated campaigns, turning ransomware into a structured, end-to-end criminal operation. FortiGuard Labs' telemetry, mapped to the MITRE ATT&CK framework, shows that cybercrime networks now rely on access brokers, botnet operators, and shadow agents to accelerate attacks. The time-to-exploit (TTE) window has collapsed: critical vulnerabilities are now targeted within 24 to 48 hours of disclosure, down from an average of 4.76 days. One real-world example is the React2Shell vulnerability, which saw active exploitation attempts within hours of disclosure. Manufacturing suffered the highest impact, with 1,284 confirmed victims, followed by business services (824) and retail (682). Geographically, the U.S. led with 3,381 victims, followed by Canada (374) and Germany (291), reflecting the financial attractiveness of these targets. A key driver of the surge is the rise of AI-powered stealer malware, which now dominates dark web data markets. Stealer logs, which account for 67.12% of all shared datasets, give attackers complete browser sessions, cookies, and authentication tokens, allowing them to impersonate victims immediately without having to authenticate again. RedLine led with 911,968 infections (50.8% of stealer activity), followed by Lumma (499,784) and Vidar (236,778). The supply of these logs grew 79% in 2025, on top of a 500% increase the previous year, making credential-based intrusions faster and harder to detect.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain; data exfiltration
IMPACT
Browser sessions; cookies; authentication tokens
Identity Theft Risk: High
DATA BREACH
Browser sessions; cookies; authentication tokens
Sensitivity Of Data: High
Data Exfiltration: Yes
Personally Identifiable Information: Yes
Ransomware
01 Jan 2025Fortinet
SonicWall and Fortinet: BYOVD Attacks Help Ransomware Gangs Bypass Endpoint Defenses

Ransomware Evolves into Stealthier, More Destructive Threat in 2026

341After Incident
CRITICAL-373
SONFOR1778660813
Ransomware Evolves into Stealthier, More Destructive Threat in 2026. In 2026, ransomware attacks have shifted from opportunistic strikes to calculated, multi-stage operations that adapt to global anti-ransomware efforts. A new Kaspersky report finds that while overall attack volumes declined in 2025, the sophistication of the threat has surged, with manufacturing alone facing an estimated $18 billion in potential losses. Attackers now abuse trusted system components to evade detection before deploying their payloads. A key tactic is Bring Your Own Vulnerable Driver (BYOVD), in which the attacker loads a legitimately signed but vulnerable driver and uses it to disable security tools, including "EDR killers" that terminate monitoring agents from kernel context. This turns evasion into a repeatable phase of the attack lifecycle that systematically erodes defensive visibility. Ransomware developers are also future-proofing their malware with post-quantum cryptography: the PE32 family uses ML-KEM-1024 (Kyber1024) key encapsulation, whose security level is comparable to AES-256, leaving victims virtually no chance of recovering files without paying. With the global ransom payment rate dropping to just 28% in 2025, threat actors are pivoting to encryptionless extortion: instead of locking files, they steal sensitive data and threaten to publish it, turning ransomware into a data-security and compliance crisis that backups alone cannot mitigate. The criminal ecosystem has also shifted. Following the disappearance of RansomHub in 2025, Qilin has emerged as the dominant ransomware-as-a-service (RaaS) platform, while new groups such as "The Gentlemen" operate with structured, business-like efficiency. Other emerging actors, Devman, MintEye, and DireWolf, show how low the barrier to entry remains, often targeting enterprise hardware from Fortinet, SonicWall, and Cisco.
As ransomware evolves, organizations face an increasingly hostile landscape in which even their own security tools are under siege.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain; data extortion
IMPACT
Financial Loss: $18 billion (manufacturing sector alone)
Data Compromised: Sensitive data (encryptionless extortion)
Manufacturing sector; enterprise hardware (Fortinet, SonicWall, Cisco)
DATA BREACH
Type Of Data Compromised: Sensitive data
Sensitivity Of Data: High (personally identifiable/sensitive business data)
Data Exfiltration: Yes (encryptionless extortion)
Data Encryption: Yes (post-quantum cryptography: ML-KEM/Kyber1024)
Vulnerability
01 Jan 2025Fortinet
Fortinet: Critical Fortinet FortiManager fgtupdates Vulnerability Allows Remote Command Execution

Fortinet Patches High-Severity RCE Vulnerability in FortiManager

341After Incident
CRITICAL-373
FOR1773201283
Fortinet Patches High-Severity RCE Vulnerability in FortiManager. Fortinet has disclosed a high-severity vulnerability (CVE-2025-54820, CVSS 7.0) in its FortiManager platform that could allow a remote attacker to execute unauthorized commands. The flaw is a stack-based buffer overflow (CWE-121) in the fgtupdates service; an attacker can trigger it by sending crafted network requests to the service if it is running. Successful exploitation could give an attacker control over network security policies or disrupt critical infrastructure, given FortiManager's role in managing fleets of Fortinet security devices. The affected versions are:
- FortiManager 7.4.0 through 7.4.2
- FortiManager 7.2.0 through 7.2.10
- all FortiManager 6.4 releases
FortiManager 7.6 and FortiManager Cloud are not affected. Fortinet has released fixes and urges organizations to upgrade to 7.4.3 or later, or 7.2.11 or later, and to migrate off the unsupported 6.4 branch. As a temporary mitigation, administrators can disable the fgtupdates service from the CLI. The flaw was responsibly reported by security researcher Catalpa of Dbappsecurity Co., Ltd. Although exploitation requires bypassing stack protections, the potential impact makes prompt patching a priority.
INCIDENT DETAILS -
TYPE
Remote Code Execution (RCE)
IMPACT
Systems Affected: FortiManager platforms managing Fortinet security devices
Operational Impact: Potential disruption of critical infrastructure, unauthorized control over network security policies
Vulnerability
01 Jan 2025Fortinet
Fortinet: FortiSandbox XSS Vulnerability Let Attackers Run Arbitrary Commands

Fortinet Patches High-Severity XSS Flaw in FortiSandbox, Risking Remote Code Execution

341After Incident
CRITICAL-373
FOR1770745922
Fortinet Patches High-Severity XSS Flaw in FortiSandbox, Risking Remote Code Execution. Fortinet has disclosed a high-severity cross-site scripting (XSS) vulnerability, CVE-2025-52436 (FG-IR-25-093), affecting its FortiSandbox platform. The flaw, classified as Improper Neutralization of Input During Web Page Generation (CWE-79), could allow an unauthenticated attacker to execute unauthorized code or commands. It is a reflected XSS caused by insufficient input sanitization in the GUI component: the attacker crafts a malicious request, via manipulated parameters or the browser's back button, that injects JavaScript into the page. If an administrator interacts with the tampered page, the script runs with that administrator's session, which is what turns the XSS into remote code execution (RCE). This could lead to data exfiltration, lateral movement, or sandbox evasion in malware analysis environments.
Affected versions and patches. The vulnerability impacts FortiSandbox PaaS deployments across multiple versions:
- 5.0.0 through 5.0.1: upgrade to 5.0.2 or later
- 4.4.0 through 4.4.7: upgrade to 4.4.8 or later
- 4.2 and 4.0: migrate to a fixed release
The fixed builds named in the summary are FortiSandbox PaaS 4.4.8 and, on the 5.0 branch, 5.0.2 or later (the summary also cites 5.0.5); confirm the current fixed build against the advisory. Fortinet recommends immediate upgrades, along with network segmentation and GUI access restrictions as interim mitigations. The flaw was discovered internally by Jaguar Perlas of Fortinet's Burnaby Infosec team. While no active exploitation has been reported, the unauthenticated attack vector heightens the risk, particularly for organizations handling sensitive malware analysis or threat intelligence. The incident highlights persistent XSS risks in enterprise security tools, even in isolated sandbox environments.
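The FortiManager entry above and this FortiSandbox entry both come down to the same operational question: is the build I am running inside an affected range, already on a fixed build, or on a branch the advisory says is not affected at all? The block below is an added example, not Fortinet's tooling, that encodes the ranges from the two summaries and answers that question for a version string. The FortiSandbox 5.0 fix is taken as 5.0.2 per the per-branch line above (the summary also mentions 5.0.5), so the table is an assumption to reconcile against the PSIRT advisory before it is used to drive patching.

```python
"""Version-range check for the two Fortinet advisories summarised above
(FortiManager CVE-2025-54820 and FortiSandbox CVE-2025-52436).

Added example, not Fortinet's tooling. The ranges are transcribed from the
text above; the FortiSandbox 5.0 fix is taken as 5.0.2 per the per-branch
line (the summary also cites 5.0.5), so confirm against the current PSIRT
advisory before relying on it.
"""
import re

# branch (major, minor) -> (first affected, last affected, fixed in);
# None means every release on that branch is affected and has no fix.
ADVISORIES = {
    "FortiManager": {
        "cve": "CVE-2025-54820",
        "branches": {
            (7, 4): ((7, 4, 0), (7, 4, 2), (7, 4, 3)),
            (7, 2): ((7, 2, 0), (7, 2, 10), (7, 2, 11)),
            (6, 4): None,
        },
    },
    "FortiSandbox": {
        "cve": "CVE-2025-52436",
        "branches": {
            (5, 0): ((5, 0, 0), (5, 0, 1), (5, 0, 2)),
            (4, 4): ((4, 4, 0), (4, 4, 7), (4, 4, 8)),
            (4, 2): None,
            (4, 0): None,
        },
    },
}


def parse_version(text: str) -> tuple:
    """'v7.4.2' or '7.4.2 build2580' -> (7, 4, 2); missing parts become 0."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def fmt(v: tuple) -> str:
    return ".".join(str(p) for p in v)


def assess(product: str, version: str) -> str:
    """Classify a running build against the advisory table for the product."""
    adv = ADVISORIES[product]
    v = parse_version(version)
    if v[:2] not in adv["branches"]:
        # A branch absent from the table (e.g. FortiManager 7.6) is not listed as
        # affected; that is not the same as a positive statement that it is safe.
        return "not listed as affected"
    rule = adv["branches"][v[:2]]
    if rule is None:
        return f"affected by {adv['cve']}: migrate to a fixed release"
    lo, hi, fix = rule
    if lo <= v <= hi:
        return f"affected by {adv['cve']}: upgrade to {fmt(fix)} or later"
    return "fixed" if v >= fix else "unknown"


if __name__ == "__main__":
    for product, build in [("FortiManager", "v7.4.2 build2580"), ("FortiManager", "7.6.1"),
                           ("FortiSandbox", "5.0.1"), ("FortiSandbox", "4.2.6")]:
        print(f"{product} {build}: {assess(product, build)}")
```

Comparing version tuples rather than strings is the point: a string comparison would put "7.2.11" before "7.2.2" and mark a patched build as vulnerable.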
INCIDENT DETAILS -
TYPE
Cross-Site Scripting (XSS)
IMPACT
Data Compromised: Potential data exfiltration
Systems Affected: FortiSandbox PaaS deployments
Operational Impact: Remote code execution (RCE), lateral movement, sandbox evasion
DATA BREACH
Data Exfiltration: Potential
Vulnerability
01 Jan 2025Fortinet
Ivanti, Fortinet, Palo Alto Networks and Zimbra: CISA quietly updated ransomware flags on 59 flaws last year

CISA’s Silent Updates to Ransomware-Linked Vulnerabilities Raise Concerns in 2025

341After Incident
CRITICAL-373
UNIZIMFORIVA1770144800
CISA’s Silent Updates to Ransomware-Linked Vulnerabilities Raise Concerns in 2025. In 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) quietly updated its Known Exploited Vulnerabilities (KEV) catalog 59 times to reflect new evidence of ransomware exploitation, without notifying defenders. The gap, highlighted by Glenn Thorpe, senior director of security research at GreyNoise, shows how easily organizations can miss an evolving threat. The KEV catalog flags vulnerabilities that are actively exploited by attackers, helping federal agencies and security teams prioritize patches. One field in each entry records whether the flaw is known to be used in ransomware campaigns. When that field changes from "Unknown" to "Known", signalling confirmed ransomware use, CISA issues no alert; the change appears only as a silent modification to the catalog's JSON file, so defenders remain unaware of the heightened risk. Thorpe's analysis found that 16 of the 59 updated vulnerabilities were Microsoft CVEs, with other frequent targets including Ivanti, Fortinet, Palo Alto Networks (PANW), and Zimbra. These vendors' products, often firewalls, VPNs, and email servers, are prime targets for ransomware groups because of their widespread deployment and access to high-value networks. Notably, 39% of the vulnerabilities confirmed for ransomware use in 2025 had been in the KEV catalog since before 2023. The oldest flaw updated last year had been in the catalog for 1,353 days, while the fastest flip occurred within a single day. Authentication bypasses and remote code execution (RCE) flaws were the most common types to see delayed ransomware confirmation. In response, GreyNoise launched an RSS feed that tracks KEV catalog updates, including ransomware status changes, refreshed hourly.
The feed addresses a long-standing frustration among security professionals, who argue that timely notifications would help organizations adjust their patching priorities and mitigate attacks. CISA has not yet responded to requests for comment.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain (ransomware operations)
IMPACT
Firewalls; VPNs; email servers
Operational Impact: Delayed patching priorities leading to increased risk of ransomware attacks
Brand Reputation Impact: Potential erosion of trust in CISA’s KEV catalog as a reliable threat intelligence source
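The silent change described above is a one-field flip in a JSON file, which means a defender who keeps two consecutive snapshots of the catalog can surface it without waiting for anyone's feed. The block below is an added example, not GreyNoise's feed or CISA's code, that diffs two catalog snapshots and reports every existing entry whose ransomware flag turned to "Known", together with how long that entry had already been sitting in the catalog. The two snapshots are constructed in the real catalog's shape (a top-level "vulnerabilities" array whose entries carry "cveID", "dateAdded" and "knownRansomwareCampaignUse"); the CVE identifiers are placeholders, and the dates are chosen so that the single flip reproduces the 1,353-day figure quoted above.

```python
"""Detect silent ransomware-flag flips between two snapshots of CISA's KEV
catalog JSON, the gap the GreyNoise analysis above describes.

Added example, not GreyNoise's feed or CISA's code. Both snapshots are
constructed in the catalog's real shape; the CVE IDs are placeholders.
"""
from datetime import date

# Constructed "yesterday" snapshot.
KEV_OLD = {
    "catalogVersion": "2025.09.23",
    "dateReleased": "2025-09-23T14:00:00.0000Z",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "Edge VPN",
         "dateAdded": "2022-01-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
         "dateAdded": "2024-05-02", "knownRansomwareCampaignUse": "Known"},
    ],
}

# Constructed "today" snapshot: 0001 flipped silently, 0002 unchanged,
# 0003 is a brand-new entry (additions are announced, so not a silent flip).
KEV_NEW = {
    "catalogVersion": "2025.09.24",
    "dateReleased": "2025-09-24T14:00:00.0000Z",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "Edge VPN",
         "dateAdded": "2022-01-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
         "dateAdded": "2024-05-02", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0003", "vendorProject": "ExampleVendor", "product": "Firewall",
         "dateAdded": "2025-09-24", "knownRansomwareCampaignUse": "Known"},
    ],
}


def _index(catalog: dict) -> dict:
    """Map cveID -> entry so the two snapshots can be compared by key."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def release_date(catalog: dict) -> date:
    """The catalog's dateReleased is an ISO timestamp; only the date matters here."""
    return date.fromisoformat(catalog["dateReleased"][:10])


def ransomware_flips(old: dict, new: dict) -> list:
    """Entries present in both snapshots whose flag became 'Known' in the new one."""
    before, after = _index(old), _index(new)
    asof = release_date(new)
    flips = []
    for cve, entry in after.items():
        if cve not in before:
            continue  # new additions are published; only silent changes interest us
        was = before[cve].get("knownRansomwareCampaignUse", "Unknown")
        now = entry.get("knownRansomwareCampaignUse", "Unknown")
        if now == "Known" and was != "Known":
            added = date.fromisoformat(entry["dateAdded"])
            flips.append({
                "cveID": cve,
                "vendorProject": entry["vendorProject"],
                "product": entry["product"],
                "daysInCatalog": (asof - added).days,
            })
    return flips


if __name__ == "__main__":
    for flip in ransomware_flips(KEV_OLD, KEV_NEW):
        print(f'{flip["cveID"]} ({flip["vendorProject"]} {flip["product"]}): '
              f'ransomware use confirmed after {flip["daysInCatalog"]} days in the catalog')
```

Run this against the published JSON on a schedule and the daysInCatalog value is the prioritisation signal: a flip on an entry that has been in the catalog for three years means a flaw your team may have long since deprioritised is now being used for extortion.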
Vulnerability
01 Jan 2025Fortinet
SonicWall, DragonForce, Fortinet, Cl0p and Play: Europol IOCTA 2026 report flags shift to industrialised cybercrime powered by AI, ransomware and data theft

Europol’s IOCTA 2026 Report: Ransomware, AI, and Hybrid Threats Reshape Cybercrime Landscape

341After Incident
CRITICAL-373
PHISONFORDRARAV1777458596
Europol’s IOCTA 2026 Report: Ransomware, AI, and Hybrid Threats Reshape Cybercrime Landscape. Europol’s latest Internet Organised Crime Threat Assessment (IOCTA) 2026 reveals a rapidly evolving cybercrime ecosystem, marked by professionalized ransomware operations, the exploitation of AI, and deepening ties between cybercriminals and hybrid threat actors. The report, covering trends from 2025, highlights a shift in extortion tactics, the rise of ransomware-as-a-service (RaaS), and the growing intersection of cybercrime with broader criminal networks.
Ransomware dominates, tactics evolve. Ransomware remains the EU’s most pervasive cyber threat, with over 120 active brands observed in 2025. Attackers are moving away from traditional data encryption, instead favoring pure data theft and extortion, leveraging psychological pressure tactics such as DDoS attacks, corporate email spamming, and cold-calling victims. The report notes that enterprises are often less prepared for data leaks than for encryption, making this shift particularly effective. The RaaS model has lowered the barrier to entry, enabling even low-skilled actors to launch attacks using bundled toolkits. These platforms now offer integrated services, including botnets for payload delivery, data exfiltration infrastructure, machine learning support, and ransom negotiation tools. Operators take a cut of each payment, incentivizing the development of streamlined, all-in-one offerings. Key ransomware groups in 2025 include:
- Qilin: A dominant player with ties to the defunct Conti group, offering high affiliate payouts (up to 85%) and automated exploitation of Fortinet SSL VPN vulnerabilities.
- Akira: Linked to Conti, expanding attacks to virtualized environments via SonicWall VPN flaws.
- DragonForce: A modular, service-driven group using leaked Conti and LockBit code, specializing in tailored extortion for high-value targets.
- LockBit: Struggled to recover after its 2024 takedown but released a cross-platform variant with enhanced anti-forensics.
- Cl0p & Play: Closed groups operating with strict internal security, targeting critical infrastructure and deploying double extortion.
A new alliance between DragonForce, LockBit, and Qilin emerged in late 2025, signaling deeper collaboration in the ransomware ecosystem. Meanwhile, semi-closed and closed groups such as Fog and BlackBasta are adopting tighter control, recruiting only trusted affiliates and developing proprietary tools to evade detection.
Hybrid threats and cybercrime-as-a-service. The IOCTA 2026 report warns of blurring lines between cybercriminals and hybrid threat actors, with state-linked groups increasingly using criminal networks as proxies for disruptive operations. In the cybercrime-as-a-service (CaaS) economy, hybrid actors are simply another customer, complicating attribution and enforcement. A notable development is the Scattered LAPSUS$ Hunters (SLSH) alliance, formed in August 2025 by Scattered Spider, ShinyHunters, and LAPSUS$. These English-speaking groups specialize in SIM swapping, social engineering, insider recruitment, and large-scale data theft, targeting corporations, healthcare, and transport sectors. Their tactics include persistent harassment post-payment, and some members have ties to The Com network, a criminal ecosystem linked to extremism and child exploitation.
AI, infostealers, and DDoS as enablers. Cybercriminals are rapidly adopting AI tools to automate attacks, enhance social engineering, and blur the line between legitimate and malicious technology. Infostealers remain a critical enabler, fueling a broad illicit market that supplies ransomware affiliates, fraudsters, and initial access brokers (IABs). DDoS attacks persist as a low-effort, high-impact tool, often used for extortion or ideological disruption. While mitigation measures have improved, the minimal resources required make DDoS a sustainable strategy for destabilization, with targets including governments and critical infrastructure.
Law enforcement challenges and future outlook. Europol’s Executive Director, Catherine De Bolle, emphasized the urgent need for proactive, collaborative efforts to counter cybercrime’s accelerating pace. The report calls for:
- Investment in AI capabilities for law enforcement.
- Stronger cross-border cooperation and data retention policies.
- Closer private-sector collaboration to access critical data held by online service providers.
The IOCTA 2026 report concludes that the cybercrime landscape will continue evolving at speed, driven by advanced tools and complex criminal networks. Law enforcement’s ability to close the "velocity gap", matching the pace of cybercriminal innovation, will determine its effectiveness in the coming years.
INCIDENT DETAILS -
TYPE
ransomware; data extortion; cybercrime-as-a-service; DDoS; infostealer attacks
MOTIVATION
financial gain; extortion; data theft; disruption; ideological motives
IMPACT
Data Compromised: high-volume data theft and exfiltration
Enterprise systems; critical infrastructure; healthcare; transport sectors
Operational Impact: persistent harassment post-payment, psychological pressure tactics (DDoS, email spamming, cold-calling)
Brand Reputation Impact: high (due to data leaks and extortion tactics)
Identity Theft Risk: high (due to infostealers and PII exposure)
Payment Information Risk: high (due to data exfiltration and ransomware attacks)
DATA BREACH
Personally identifiable information (PII); corporate data; sensitive business information
Sensitivity Of Data: high
Data Exfiltration: yes; partial (ransomware strains); none (pure data theft extortion)
Personally Identifiable Information: yes
Vulnerability
01 Jan 2025Fortinet
SonicWall, Fortinet and Palo Alto Networks: Google Warns Ransomware Groups Are Pivoting To Data Theft As Profits Decline

Ransomware Landscape Shifts in 2025 as Cybercriminals Pivot to Data Extortion

341After Incident
CRITICAL-373
FORSONPAL1773829502
Ransomware Landscape Shifts in 2025 as Cybercriminals Pivot to Data Extortion. Google Threat Intelligence's 2025 ransomware report describes a major transformation in cybercriminal tactics, driven by declining profits from traditional encryption-based attacks. As organizations improved their defenses (nearly half of victims restored systems from backups in 2024), ransom payment rates hit a historic low in 2025. The average ransom demand also dropped by a third, from $2 million in 2024 to $1.34 million. The ransomware ecosystem has faced significant disruption, including law enforcement crackdowns and internal conflicts that dismantled prominent groups such as LockBit, ALPHV, Black Basta, and RansomHub. These upheavals forced cybercriminals to adopt stricter vetting of affiliates. Despite this, the threat landscape remains active, with groups such as Qilin and Akira filling the void. Posts on data-leak sites surged by nearly 50% in 2025, with the REDBIKE ransomware family accounting for 30% of analyzed incidents. Attackers continue to exploit vulnerabilities in firewalls and VPNs, particularly products from Fortinet, SonicWall, and Palo Alto Networks, which featured in a third of 2025 intrusions. Virtualization infrastructure such as ESXi hypervisors has become a prime target, involved in 43% of attacks, up from 29% the previous year. Cybercriminals are also adopting cross-platform ransomware and using AI for victim analysis, while decentralized Web3 networks help shield their operations. As profits shrink, the report warns of a likely rise in more aggressive extortion tactics in 2026.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain; data extortion
IMPACT
Firewalls; VPNs; virtualization infrastructure (ESXi hypervisors)
DECEMBER 2024
715Before Incident
Vulnerability
03 Dec 2024Fortinet
Fortinet, Cisco, Amazon Web Services and JPMorgan Chase: Cloud storage buckets leaking secret data despite security improvements

Toxic Cloud Trilogies: Publicly Exposed, Critically Vulnerable, and Highly Privileged Cloud Buckets

712After Incident
CRITICAL-3
FORCISAMAJPM1767748297
Tenable Report Highlights Persistent Cloud Security Risks Despite Improvements. A recent Tenable report finds both progress and ongoing weaknesses in cloud security, particularly around "toxic cloud trilogies": workloads that are publicly exposed, critically vulnerable, and highly privileged at the same time. Between October 2024 and March 2025, the share of organizations with at least one such instance on AWS or Google Cloud Platform (GCP) dropped from 38% to 29%, and the share with five or more fell from 27% to 13%. Despite these improvements, Tenable warns that such exposures remain a pressing concern. The report also found widespread exposure of sensitive data in cloud configurations: 54% of AWS Elastic Container Service (ECS) task definitions and 52% of Google Cloud Run environment variables contained confidential information. More than a quarter of AWS users stored sensitive data in EC2 user data fields, and 3.5% of EC2 instances held secrets there, a significant risk because anything that can reach the instance metadata service can read user data. AWS hosted the highest proportion of sensitive data (16.7% of its buckets), compared with 6.5% for GCP and 3.2% for Microsoft Azure. While nearly 80% of AWS users have enabled critical identity-checking services, the findings point to persistent misconfiguration and overconfidence in cloud security. The report was released at AWS re:Invent 2024 in Las Vegas.
INCIDENT DETAILS -
TYPE
Data Exposure
IMPACT
Data Compromised: Sensitive data, including confidential and restricted information
AWS S3 Buckets; GCP Cloud Storage; AWS Elastic Container Service; Google Cloud Run; AWS EC2 User Data
Operational Impact: Potential cascade of exploitative activity by attackers accessing exposed secrets
Brand Reputation Impact: High (due to sensitive data exposure)
Identity Theft Risk: High (due to exposure of personally identifiable information)
DATA BREACH
Secrets
Confidential data
Restricted data
Personally identifiable information
Sensitivity Of Data: High (confidential/restricted)
Personally Identifiable Information: Yes
JUNE 2024
Score before incident: 745
Breach
16 Jun 2024Fortinet
Fortinet

AI Skills Shortage and Cybersecurity Challenges in Global Enterprises

Score after incident: 703
Severity: HIGH-42
Incident ID: FOR3202332101525
Fortinet, a global cybersecurity leader, was referenced in a Sapio Research report highlighting systemic vulnerabilities across enterprises adopting AI-driven security tools. The study revealed that 86% of surveyed organizations (including Fortinet’s clients/partners) experienced one or more data breaches in 2024, primarily due to skill gaps in security awareness (56%), lack of IT security training (54%), and insufficient cybersecurity products (50%). While Fortinet itself wasn’t directly breached, the report underscored its ecosystem’s exposure to AI-exploited attacks, where cybercriminals leverage AI to bypass defenses, exacerbating risks like misinformation, surveillance, and privacy violations (47% concern). The breaches—though not detailed—align with broader trends of employee negligence, phishing, or unpatched vulnerabilities, leading to potential leaks of internal/customer data or financial reputational damage. Fortinet’s response emphasizes upskilling (e.g., certifications for 62% of breach-affected firms) and AI integration, but the lack of expert staff (48%) remains a critical gap, amplifying attack surfaces for partners/clients using its platforms.
INCIDENT DETAILS -
TYPE
Data Breach
AI Exploitation Risk
Workforce Skill Gap
MOTIVATION
Financial Gain
Data Theft
Disruption of Operations
Exploitation of AI Systems
IMPACT
Increased Breach Frequency (86% of orgs in 2024)
Heightened Risk Due to Skill Shortages (67%)
Reactive Cybersecurity Posture
Erosion of Trust Due to Repeated Breaches
Perception of Inadequate Security Measures
JANUARY 2024
Score before incident: 741
Cyber Attack
01 Jan 2024Fortinet
Linksys, Hikvision, Cisco, Ubiquiti, Draytek, Fortinet, Araknis and Mimosa Networks: China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation

China-Linked JDY Botnet Expands, Targeting U.S. Critical Infrastructure

Score after incident: 735
Severity: CRITICAL-6
Incident ID: DOMCISLINDRAFORMIMHIKUBI1781173672
China-Linked JDY Botnet Expands, Targeting U.S. Critical Infrastructure

A resurgent botnet tied to China-backed threat actors has grown into one of the most sophisticated reconnaissance tools in operation. Dubbed JDY, the network now controls over 1,500 compromised small office/home office (SOHO) routers and IoT devices across the U.S., Europe, and Asia, doubling in size since January 2024. Originally part of the KV-botnet operation linked to Volt Typhoon, JDY was first detected in late 2023 as a covert scanning network used to gather intelligence on U.S. critical infrastructure. After U.S. authorities dismantled its companion KV cluster, JDY quietly rebuilt, expanding its reach and capabilities.

Researchers at Lumen’s Black Lotus Labs found that the botnet now targets devices from manufacturers including Cisco, Ubiquiti, Hikvision, Draytek, Linksys, Araknis, and Mimosa Networks. Its operators act with remarkable speed, shifting scans to exploit newly disclosed vulnerabilities within hours of public disclosure. A recent example involved CVE-2026-35616, a Fortinet flaw, which JDY began probing almost immediately. The botnet’s primary focus is U.S.-based networks, particularly those tied to military entities.

By leveraging ordinary home and small business routers, JDY blends malicious traffic with legitimate activity, evading detection. Infected devices receive scanning tasks via Tor-hidden command-and-control (C2) servers, making attribution difficult. Scans span TCP, UDP, SSL, and ICMP protocols, with results compressed, encrypted, and sent back to a central server. JDY’s malware, designed for MIPS and MIPSEL architectures, uses a lightweight bash dropper to infect devices, download payloads, and erase traces. Some devices are managed via Platypus, an open-source remote shell tool, with a known payload server at 149.248.3[.]38 (port 13339).

The botnet’s distributed nature, spreading scans across thousands of IPs, helps it bypass traditional defenses like blocklists and geofencing. Despite disruption efforts, JDY has proven resilient, adapting and expanding even after partial takedowns. Its rapid response to new vulnerabilities underscores the persistent threat posed by China-linked cyber espionage operations.
INCIDENT DETAILS -
TYPE
Botnet, Cyber Espionage
MOTIVATION
Cyber espionage, intelligence gathering on U.S. critical infrastructure
IMPACT
Data Compromised: Reconnaissance data, network intelligence
Systems Affected: 1,500+ SOHO routers and IoT devices
Operational Impact: Potential disruption of critical infrastructure networks
DATA BREACH
Type Of Data Compromised: Network intelligence, reconnaissance data
Sensitivity Of Data: High (military and critical infrastructure-related)
Data Exfiltration: Yes (compressed and encrypted data sent to C2 servers)
Data Encryption: Yes (payloads encrypted)
Vulnerability
01 Jan 2024Fortinet
Fortinet, Adobe and ShowDoc (source: Security Affairs)

CISA Adds Critical Flaws in Adobe, Fortinet, Microsoft Exchange, and Windows to Exploited Vulnerabilities Catalog

Score after incident: 735
Severity: CRITICAL-6
Incident ID: FORTHEADO1776184437
CISA Adds Critical Flaws in Adobe, Fortinet, Microsoft Exchange, and Windows to Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include newly identified security flaws in Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows. These vulnerabilities are actively being exploited in the wild, posing significant risks to organizations relying on these platforms. The addition underscores the urgency for affected entities to apply patches or mitigations to prevent potential breaches. While specific details on exploitation methods remain limited, the inclusion in CISA’s catalog signals that threat actors are already leveraging these weaknesses.

In related cybersecurity developments:
- Iran-linked group Handala claimed responsibility for breaching three major organizations in the United Arab Emirates (UAE), though the targeted entities were not disclosed.
- Censys identified 5,219 internet-exposed devices vulnerable to attacks by Iranian advanced persistent threats (APTs), with the majority located in the U.S.
- ShinyHunters, a notorious hacking group, alleged a breach of Rockstar Games, beginning to leak stolen data.
- A $3.6 million Bitcoin theft occurred via compromised credentials at Bitcoin Depot, highlighting the financial risks of credential-based attacks.
- Operation Atlantic, a joint effort by the U.S., UK, and Canada, disrupted a $45 million cryptocurrency theft operation.
- Citizen Lab reported that Webloc tracked 500 million devices globally for law enforcement purposes, raising privacy concerns.
- Adobe patched an actively exploited flaw (CVE-2026-34621) in Acrobat Reader, while attackers began exploiting Marimo RCE (CVE-2026-39987) within hours of its disclosure.
- Booking.com confirmed unauthorized access to user data but stated systems were secured post-incident.
- Hackers targeted unpatched ShowDoc servers via CVE-2025-0520, and a fake Claude AI installer was used to deploy PlugX malware through DLL sideloading.
- A CPUID watering hole attack distributed STX RAT malware, and attackers claimed control over Venice’s San Marco anti-flood pumps, though operational impact remains unverified.

The surge in exploited vulnerabilities and high-profile breaches underscores the escalating threat landscape, with both state-sponsored and criminal actors actively targeting unpatched systems and supply chains.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
Data Breach
MOTIVATION
Espionage
Financial Gain
Disruption
Data Theft
IMPACT
Financial Loss: $3.6 million (Bitcoin Depot), $45 million (Operation Atlantic)
Data Compromised: User data (Booking.com), Rockstar Games data, ShowDoc server data, PlugX malware deployment data
Adobe Acrobat Reader
Fortinet systems
Microsoft Exchange Server
Microsoft Windows
ShowDoc servers
Bitcoin Depot
Rockstar Games
Booking.com
San Marco anti-flood pumps (Venice)
Operational Impact: Potential disruption of San Marco anti-flood pumps (unverified)
Identity Theft Risk: High (due to data breaches and PII exposure)
Payment Information Risk: High (Bitcoin Depot breach)
DATA BREACH
User Data
Corporate Data
Credentials
Personally Identifiable Information (PII)
Sensitivity Of Data: High
Data Exfiltration: Yes (Rockstar Games, Bitcoin Depot)
Personally Identifiable Information: Yes (Booking.com, Bitcoin Depot)
JUNE 2023
Score before incident: 805
Ransomware
16 Jun 2023Fortinet
Fortinet (FortiClientEMS users)

Qilin Ransomware Group Dominates July 2025 with 73 Victims, Exploiting Critical Enterprise Vulnerabilities

Score after incident: 732
Severity: CRITICAL-73
Incident ID: FOR753081525
In July 2025, Fortinet’s FortiClientEMS (versions 7.2.0–7.2.2 and 7.0.1–7.0.10) was exploited by the Qilin ransomware group via CVE-2023-48788, a critical SQL injection vulnerability. The flaw allowed attackers to execute arbitrary SQL commands through crafted HTTP requests, enabling unauthorized data access, encryption, and potential exfiltration. Qilin’s targeted exploitation of this vulnerability contributed to their dominance in the ransomware landscape, with 73 confirmed victims in July alone. Affected organizations—primarily in high-value sectors like government, law enforcement, energy, and telecommunications—faced operational disruptions, financial losses, and reputational damage. The attack vector’s persistence underscores systemic risks tied to unpatched enterprise systems, with Qilin leveraging the vulnerability to maximize both ransomware deployment and data leak extortion. Critical infrastructure entities were disproportionately impacted, amplifying the threat’s severity due to cascading effects on supply chains and public services.
INCIDENT DETAILS -
TYPE
Ransomware Attack
Data Breach
Critical Infrastructure Targeting
Supply Chain Compromise
MOTIVATION
Financial Gain
Operational Disruption
Data Exfiltration for Extortion
IMPACT
Data Compromised: High (critical infrastructure and supply chain data)
Fortinet FortiClientEMS
Progress Telerik UI for ASP.NET AJAX
Citrix NetScaler ADC/Gateway
Microsoft SharePoint
Government/Law Enforcement Systems
Energy/Utilities Infrastructure
Telecommunications Networks
Application Software Providers (Supply Chain)
Operational Impact: Severe (critical infrastructure disruption, supply chain risks)
Brand Reputation Impact: High (public disclosure of 73 victims)
Identity Theft Risk: Likely (given data exfiltration patterns)
Payment Information Risk: Possible (depends on compromised systems)
DATA BREACH
Sensitive Government/Law Enforcement Data
Energy/Utilities Operational Data
Telecommunications Customer/Network Data
Supply Chain Software Source Code/Proprietary Data
Sensitivity Of Data: High (critical infrastructure and proprietary software)
Data Exfiltration: Likely (based on Qilin's double-extortion tactics)
Data Encryption: Confirmed (ransomware encryption)
Personally Identifiable Information: Possible (not explicitly detailed)
APRIL 2023
Score before incident: 805
Vulnerability
01 Apr 2023Fortinet
Fortinet

Fortinet Employee Database Breach

Score after incident: 803
Severity: CRITICAL-2
Incident ID: FOR912050824
In a significant cybersecurity incident, Fortinet faced a sophisticated cyber attack targeting its internal employee database. The attackers deployed a complex piece of malware that exploited an unknown vulnerability, leading to a massive data leak. Confidential information concerning both current and former employees was compromised, including but not limited to personal identification data, financial details, and security credentials. The breach has raised concerns about the potential for further unauthorized access and the ramifications on personal security for those affected. The company is currently cooperating with cybersecurity experts and law enforcement to mitigate the impact and prevent future occurrences. This event has put a spotlight on the ever-evolving nature of cyber threats and the importance of robust cybersecurity measures.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Personal identification data
Financial details
Security credentials
DATA BREACH
Personal identification data
Financial details
Security credentials
Sensitivity Of Data: High
SEPTEMBER 2021
Score before incident: 800
Vulnerability
01 Sep 2021Fortinet
Fortinet

Fortinet VPN Credential Leak

Score after incident: 798
Severity: HIGH-2
Incident ID: FOR223227123
A threat actor exploited a Fortinet vulnerability and has exfiltrated and leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices. These VPN credentials could allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks. The list of Fortinet credentials was leaked for free by a threat actor known as 'Orange,' who is the administrator of the newly launched RAMP hacking forum. The exploited Fortinet vulnerability was soon patched, but many VPN credentials were still valid.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Unspecified
IMPACT
VPN login names
VPN passwords
Systems Affected: Fortinet VPN devices
DATA BREACH
VPN login names
VPN passwords
Number Of Records Exposed: 500,000
Sensitivity Of Data: High
Data Exfiltration: Yes
JUNE 2021
Score before incident: 814
Cyber Attack
01 Jun 2021Fortinet
CISA, Symantec, FBI and Fortinet: Medusa Ransomware Hits 40+ Victims in 2025, Demands $100K–$15M Ransom

Medusa Ransomware Surges, Targeting Critical Infrastructure with Double Extortion Tactics

Score after incident: 800
Severity: LOW-14
Incident ID: CISSYMFBIFOR1768715192
Medusa Ransomware Surges, Targeting Critical Infrastructure with Double Extortion Tactics

The Medusa ransomware operation, tracked by Symantec as Spearwing, has claimed nearly 400 victims since its emergence in January 2023, with attacks rising 42% between 2023 and 2024. In the first two months of 2025 alone, over 40 incidents have been attributed to the group, signaling an aggressive expansion amid the disruption of other major ransomware-as-a-service (RaaS) players like LockBit and BlackCat. Medusa employs double extortion, stealing sensitive data before encrypting networks to pressure victims into paying ransoms ranging from $100,000 to $15 million. Targets span the healthcare, financial services, government, education, legal, and manufacturing sectors, many within critical infrastructure. If victims refuse to pay, the group threatens to leak stolen data via its dedicated leak site.

### Attack Methods & Tools

Medusa’s intrusion chains often begin with exploiting known vulnerabilities in public-facing applications, particularly Microsoft Exchange Server, or through initial access brokers. Once inside, attackers deploy remote management tools like SimpleHelp, AnyDesk, and MeshAgent for persistence, alongside the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus software using KillAV, a tactic previously seen in BlackCat attacks. Other tools in Medusa’s arsenal include:
- PDQ Deploy for lateral movement and payload delivery
- Navicat for database access
- RoboCopy and Rclone for data exfiltration
- Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance
- Ligolo and Cloudflared for command-and-control (C2) evasion

The group also employs living-off-the-land (LotL) techniques, such as PowerShell commands (Base64-encoded to avoid detection) and Mimikatz for credential theft, alongside legitimate remote access tools like ConnectWise and PsExec to move undetected.

### Evasion & Triple Extortion Risks

Medusa actors take steps to evade detection, including deleting PowerShell command histories and terminating endpoint detection and response (EDR) tools. In at least one case, a victim who paid the ransom was later contacted by a separate Medusa affiliate, who claimed the original negotiator had stolen the funds and demanded an additional payment, suggesting a potential triple extortion scheme.

### CISA Advisory & Historical Context

A joint advisory from CISA, the FBI, and MS-ISAC, released on March 12, 2025, revealed that Medusa has compromised over 300 critical infrastructure victims as of December 2024. The group, unrelated to MedusaLocker or the Medusa mobile malware, first appeared in June 2021 as a closed ransomware variant before shifting to an affiliate-based model. While affiliates execute attacks, core developers retain control over ransom negotiations. Recent campaigns have exploited vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet EMS (CVE-2023-48788). Despite the RaaS landscape’s volatility, with new groups like Anubis, LCRYX, and Xelera emerging, Medusa has established itself as a persistent threat, ranking among the top ransomware actors in late 2024.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain
Data extortion
IMPACT
Financial Loss: Ransoms ranging from $100,000 to $15 million
Data Compromised: Sensitive data stolen before encryption
Identity Theft Risk: High (due to data exfiltration)
DATA BREACH
Type Of Data Compromised: Sensitive data (including personally identifiable information)
Sensitivity Of Data: High
