critical WHITE
FortiBleed — Massive Fortinet Credential Compromise Campaign · 2026-06-20 · 9 sources · SantaAd (Russian-speaking IAB)
On June 17, 2026, security researcher Volodymyr "Bob" Diachenko disclosed **FortiBleed** — a massive credential compromise campaign targeting Fortinet FortiGate firewalls and SSL VPN gateways worldwide. The dataset contains valid administrator and SSL VPN credentials for approximately **73,932 unique FortiGate device URLs** spanning **194 countries** and over **21,600 domains**, representing roughly **50% of all internet-facing FortiGate firewalls globally**.
FortiBleed is not a single zero-day vulnerability, but the culmination of a long-running, multi-pronged credential-harvesting operation. A Russian-speaking threat group operating as an Initial Access Broker (IAB) under the alias **"SantaAd"** executed over **1.16 billion credential attempts** against FortiGate devices and **2.1 billion brute-force attempts** against MSSQL systems. The attackers intercepted SSL VPN authentication hashes and cracked them using a distributed **45-GPU cluster** managed via Hashtopolis.
Verified victims include Fortune Global 500 companies, government agencies, defense contractors (including a Turkish NATO contractor from which **105 GB of classified military data** was exfiltrated), critical infrastructure operators, hospitals, universities, and multinational corporations such as Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, and Oracle.
Tags: fortinet, fortigate, credential-compromise, vpn, initial-access-broker (+5 more)
critical WHITE
TeamPCP Multi-Stage Supply Chain Campaign — Cross-Source Analysis · 2026-03-26 · 1 source · TeamPCP (PCPcat / ShellForce / DeadCatx3)
Between December 2025 and March 2026, TeamPCP (also tracked as PCPcat, ShellForce, DeadCatx3) evolved from opportunistic exploitation of exposed Docker and Kubernetes APIs into a coordinated, multi-stage supply chain operation that compromised five major vendor ecosystems in five days during March 2026.
The campaign's defining characteristic is its cascading nature: a single unrevoked CI credential from Aqua Security's Trivy pipeline enabled TeamPCP to expand access step by step across GitHub Actions, npm, PyPI, OpenVSX extensions, and multiple high-trust security tools (Trivy, Checkmarx KICS, BerriAI LiteLLM, Telnyx SDK). Over **300 GB of compressed credentials** were exfiltrated from an estimated **500,000+ infected machines** and CI/CD runners.
Tags: supply-chain, teampcp, kubernetes, credential-theft, ransomware (+2 more)
high WHITE
Tycoon 2FA Phishing Kit — Microsoft 365 AitM Reverse Proxy · 2026-05-15 · 1 source · Suspected Russian-speaking actor
Tycoon 2FA is a phishing-as-a-service (PaaS) kit targeting Microsoft 365 credentials using an Adversary-in-the-Middle (AitM) reverse proxy technique. The kit bypasses MFA by relaying authentication sessions in real time between the victim and the legitimate Microsoft login page.
Infrastructure is hosted on Cloudflare Workers with a custom AitM proxy written in Node.js. Successful authentications are logged in MongoDB, with Telegram bot integration providing real-time notifications to the operator. The kit is sold for $120 to $350 per month on cybercrime forums.
Tags: phishing, aitm, mfa-bypass, microsoft-365, paas (+1 more)