Lynx/INC is a ransomware group referenced in reporting as being attributed by SOCRadar to the FortiBleed campaign, which targeted internet-facing Fortinet VPNs and firewalls. In that reporting, the campaign was described as affecting more than 70,000 devices across 194 countries, with actors using automated tools to harvest credentials at high speed and volume and operating what researchers described as a sophisticated, repeatable credential-harvesting operation. Reported exposed credentials included privileged Fortinet credentials and accounts associated with UK government officials, Foreign Office staff, NHS trusts, energy companies, and local councils. Separate reporting cited Lynx/Inc ransom as the third most active ransomware group in BakerHostetler’s 2025 incident caseload, behind Akira and Qilin and ahead of Clop and RansomHub. The provided content does not state a country attribution or identify additional aliases or sub-groups beyond Lynx/INC and Lynx/Inc ransom.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Attributed as the threat actor behind the ongoing FortiBleed campaign, which targets internet-facing Fortinet VPNs and firewalls and harvests exposed login credentials at scale for sale on the dark web.
Ranked third among the most active ransomware groups discussed in the report.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.