FortiBleed Massive Breach, DragonForce Teams Infiltration, Endgame Cleans SocGholish
Quick Answer
FortiBleed compromised thousands of Fortinet firewalls, DragonForce infiltrated organizations through Microsoft Teams, and Operation Endgame dismantled the SocGholish botnet by cleaning thousands of infected WordPress sites, highlighting major cyber threats in 2026.
Here’s your weekly roundup of the most significant cybersecurity developments from the past seven days. From a massive Fortinet credential crisis affecting organisations across 194 countries to a ransomware group hiding inside Microsoft Teams for two months undetected, the threat landscape continues to grow bolder, faster, and harder to contain.
“FortiBleed” — 86,000 Fortinet Firewalls Compromised in Massive Credential Campaign
One of the biggest cybersecurity stories of the year so far broke this week. A large-scale credential theft campaign, now dubbed FortiBleed, has produced a verified database of over 86,644 confirmed working credentials across 194 countries, all collected from internet-facing Fortinet infrastructure.
Among the organisations represented in the exposed dataset are Samsung, Mercedes-Benz, Foxconn, Chevron, Comcast, AT&T, and Toyota, along with many government agencies and critical infrastructure operators across telecommunications, healthcare, financial services, and manufacturing.
According to data from SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials, pointing directly to a widespread failure to rename default accounts or rotate factory credentials.
CISA has urged all impacted Fortinet customers to immediately terminate all active SSL VPN and administrative sessions, reset all VPN and administrative passwords on internet-facing systems, and enable phishing-resistant multi-factor authentication.
This incident is a stark reminder that even best-in-class network hardware is only as secure as the credentials protecting it. Implementing email authentication protocols such as DMARC, SPF, and DKIM remains critical to preventing phishing attacks that can be used to harvest exactly these kinds of credentials in the first place.
DragonForce Ransomware Hides Inside Microsoft Teams — Undetected for Two Months
In a chilling display of next-generation stealth, the DragonForce ransomware group deployed a custom Go-based remote access trojan called Backdoor.Turn to conceal command-and-control traffic inside Microsoft Teams relay infrastructure, targeting a major U.S. services firm.
Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control server. To defenders monitoring the network, the only visible traffic was outbound connections to legitimate Microsoft Teams servers. The attackers remained on the victim network for between one and two months.
Backdoor.Turn gets installed after the ransomware runs, suggesting the group is either maintaining persistence for a follow-up intrusion or selling access to other attackers.
This is reportedly the first time Teams TURN relay infrastructure has ever been abused in this way in the wild. Organisations relying on cloud collaboration tools must no longer treat traffic to Microsoft as automatically trusted.
Operation Endgame Dismantles Evil Corp’s SocGholish Botnet — 15,000 WordPress Sites Cleaned
In a major win for global law enforcement, international agencies cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish botnet and the Evil Corp Russian cybercrime group as part of Operation Endgame.
The botnet, also known as “FakeUpdates,” is linked to the Russian cybercrime group Evil Corp and provided initial access to other ransomware variants including DoppelPaymer, WastedLocker, Hades Ransomware, LockBit, and RansomHub.
The Shadowserver Foundation documented more than 1.44 million instances of compromised legitimate WordPress sites available for SocGholish’s use between May 2023 and May 2026, spread over more than 1.1 million domains in 187 countries or territories.
Dutch police removed the malware and backdoors from the infected sites and advised all website owners to change their credentials, enable multi-factor authentication, delete any unknown WordPress accounts, and keep their WordPress installations up to date.
Novo Nordisk Hit by Two Simultaneous Hacker Groups Demanding $75 Million in Total
Danish pharmaceutical giant Novo Nordisk was separately hacked by the cyberextortion group FulcrumSec and a lesser-known hacking ring known as TheUSERS007, with FulcrumSec attempting to negotiate a ransom payment of $25 million and TheUSERS007 demanding $50 million. Novo Nordisk did not pay either group.
Hackers claim to have stolen 1.3 terabytes of Novo Nordisk’s data and intellectual property, including proprietary AI models used for drug development. FulcrumSec has begun leaking what it claims are samples, including login screenshots for Novo Nordisk IT systems, clinical trial information, and details related to the company’s AI models.
FulcrumSec said it accessed Novo Nordisk’s systems in March through a GitHub access token that allowed it to obtain additional credentials, and remained inside the organisation’s environment for months.
The breach raises an alarming new concern: cybercriminals are increasingly targeting pharmaceutical AI models and drug-development intellectual property as highly valuable assets, far beyond traditional patient data theft.
North Korean Hackers Deploy New “NarwhalRAT” Malware via Fake Microsoft Alerts
The North Korean state-sponsored hacking group known as ScarCruft (aka APT37) has been observed using spear-phishing messages impersonating Microsoft Account security notifications to deliver a new malware called NarwhalRAT. The attack email was designed to create concern over possible unauthorised account activity, mimicking genuine Microsoft security alerts.
This is a classic social engineering tactic taken to new levels — North Korean threat actors are now mimicking trusted enterprise communications from major technology companies to plant sophisticated surveillance malware. Employees should be trained never to click links in security alert emails and to verify any account alerts directly through their organisation’s IT portal. Proper DMARC deployment on corporate domains can prevent domain spoofing used in these exact types of campaigns.
Klue Data Breach Hits Salesforce Customers — Including Cybersecurity Firm Huntress
Marketing intelligence platform Klue confirmed an attacker breached its infrastructure using a compromised legacy credential to obtain OAuth access tokens for integrated services, stealing data directly from Klue customers’ Salesforce and Gong instances.
Salesforce disabled the Klue Battlecards app integration within its platform in response to the incident, meaning organisations will be unable to connect to Salesforce via the app until further notice. The extortion group dubbed Icarus compromised and exfiltrated data from customers of Klue, including cybersecurity company Huntress.
This supply chain-style breach is a reminder that third-party application integrations present a serious and often underestimated risk to enterprise platforms. A single compromised legacy credential opened the door to customer data across multiple downstream organisations.
Apple A12/A13 Chip Flaw Discovered — Unfixable via Software Update
Security researchers at Paradigm Shift published a working exploit called “usbliter8” that achieves arbitrary code execution inside the SecureROM of Apple’s A12 and A13 chips. Because the code is burned into the silicon at manufacture, no software update can ever reach it. Affected devices will carry this flaw for as long as they remain in use.
The vulnerability is considered critical and unfixable, allowing hackers to take over iPhone XS, XR, iPhone 11, and older iPad devices.
The attack requires physical possession of the device in DFU mode, so this is not a remote threat. However, the permanent, unpatchable nature of the flaw is deeply concerning for organisations operating older Apple hardware — particularly in high-security environments. Users of affected devices should consider upgrading.
FIFA World Cup Streaming Platform Exposed to Remote Takeover via Critical Bug
A critical bug was discovered in the FIFA World Cup streaming platform that exposes live World Cup streams to remote takeover. Researchers revealed the flaw could allow attackers to hijack live broadcasts affecting millions of viewers worldwide during one of sport’s biggest events.
With the 2026 FIFA World Cup currently underway, this vulnerability represents a high-profile, high-impact target for both financially motivated cybercriminals and politically motivated threat actors. The discovery underscores how major live events continue to attract threat actors looking for both disruption and publicity. FIFA has been notified.
Gravity SMTP WordPress Plugin Vulnerability Actively Exploited — 100,000 Sites at Risk
Threat actors are exploiting a recently patched security flaw in Gravity SMTP, a WordPress plugin installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020, is a medium-severity information disclosure flaw that allows unauthenticated attackers to extract sensitive data including configuration data, API keys, secrets, and OAuth tokens configured for the plugin’s email integrations.
The flaw stems from a REST API endpoint that unconditionally allows any unauthenticated visitor to access it — a basic but critical development oversight. WordPress site administrators running Gravity SMTP should update immediately and audit their API keys and OAuth tokens for any signs of unauthorised access.
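To show what the oversight looks like in plugin code, here is an added illustration (not Gravity SMTP’s own code) of a hypothetical settings endpoint registered with an always-true permission callback, beside a hardened version that requires a capability and never returns secret material. The route namespace, option name and field names are assumptions made up for the example.

```php
<?php
// Added illustration (not Gravity SMTP's code): a hypothetical REST endpoint
// with the flaw pattern the page describes, followed by a hardened version.
// Route namespace 'example-smtp/v1' and option 'example_smtp_settings' are made up.

// Vulnerable pattern: permission_callback always returns true, so any
// unauthenticated visitor can read the stored integration settings,
// API keys and OAuth tokens included.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'example_smtp_get_settings',
        'permission_callback' => '__return_true', // the oversight
    ) );
} );

function example_smtp_get_settings( WP_REST_Request $request ) {
    // Returns the raw option exactly as stored, secrets and all.
    return rest_ensure_response( get_option( 'example_smtp_settings', array() ) );
}

// Hardened pattern: require manage_options (an authenticated administrator
// with a valid REST nonce or application password) and redact secret fields,
// so even an authorised read only reveals that a secret is configured.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/settings-safe', array(
        'methods'             => 'GET',
        'callback'            => 'example_smtp_get_settings_safe',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_smtp_get_settings_safe( WP_REST_Request $request ) {
    $settings    = get_option( 'example_smtp_settings', array() );
    $secret_keys = array( 'api_key', 'client_secret', 'oauth_token', 'password' );
    foreach ( $secret_keys as $key ) {
        if ( isset( $settings[ $key ] ) && '' !== $settings[ $key ] ) {
            $settings[ $key ] = '********'; // presence only, never the value
        }
    }
    return rest_ensure_response( $settings );
}
```

When auditing installed plugins, searching their source for `'permission_callback' => '__return_true'` on routes that read settings is a quick way to spot the same pattern before an advisory is published.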
INC Ransomware Emerges as a Top Ransomware Threat in 2026 — 830+ Victims Since 2023
Cybersecurity researchers have charted the evolution of INC from an emerging ransomware-as-a-service operation to one of the most prolific cybercrime groups in 2026, claiming no fewer than 830 victims since August 2023. The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations.
The ransomware landscape overall is shifting, with threat actors increasingly abandoning traditional encryption-based attacks in favour of data theft and extortion-only operations. This reduces operational complexity for attackers while maintaining pressure on victims through the threat of data exposure.
The rise of INC as a dominant player is a direct consequence of law enforcement action against older groups — a game of whack-a-mole that shows no sign of ending. Organisations must ensure robust backup strategies and email security controls are in place.
China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth
Cybersecurity researchers flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS. The Windows variants, internally marked as WIN_DRV and WIN_PLUS, both come with hard-coded command-and-control configurations and support communication over TCP and UDP.
The expansion of this backdoor beyond Linux is significant, as it dramatically broadens the potential attack surface for the China-linked threat actors deploying it. The use of driver-based stealth techniques mirrors the growing trend of nation-state actors borrowing sophisticated evasion methods from financially motivated cybercrime groups — and vice versa.
Ransomware Revenue Jumped 40% in Q1 2026 — “The Gentlemen” Rises as New Top Threat Group
In the first quarter of 2026, ransomware groups increased their revenue by almost 40% compared to the same period last year, according to a new report from cybersecurity researchers Rapid7, who said the increase is partly due to a maturing cybercriminal industry.
The group known as The Gentlemen, which appeared in August 2025, expanded rapidly from 35 victims in Q4 2025 to 182 in Q1 2026, making it the second most active ransomware group. In contrast, established groups such as Qilin and Akira saw their activity decline by 25% and 22%, respectively.
The emergence of The Gentlemen as a top-tier ransomware operation in just a matter of months is alarming and illustrates how quickly new criminal enterprises can scale in today’s cybercrime-as-a-service economy. Their GentleKiller EDR-termination framework is making security tools easier to bypass than ever.
Dashlane Password Manager Hacked — Encrypted Vaults Stolen
Password manager Dashlane confirmed that hackers obtained at least a dozen encrypted vaults used for storing customer passwords during a weekend cyberattack. The company said the attackers brute-forced its two-factor authentication system, gaining access to about 20 customer accounts, and were then able to download a copy of the encrypted vaults.
This incident will shake confidence in password managers — the very tools designed to be a last line of defence. While the vaults remain encrypted, the breach highlights that no tool is immune to targeted attacks. Users of Dashlane should change their master password immediately and monitor for any suspicious account activity.

Cisco Releases Emergency Patches for Actively Exploited SD-WAN Manager Flaw
Cisco released security updates for a medium-severity security flaw in Catalyst SD-WAN Manager that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-20262, carries a CVSS score of 6.5 and could allow an authenticated, remote attacker to create unauthorised files or otherwise compromise affected systems.
CISA has given federal agencies just three days to patch a second flaw, CVE-2026-20253, which can be exploited for unauthenticated remote code execution on SD-WAN Manager servers. These servers are regularly targeted by the China-linked threat group UNC6508 for initial access and backdoor deployment.
Cisco SD-WAN devices are widely deployed across enterprise and government networks. Active exploitation of these flaws means organisations should treat patching as a critical priority, not a scheduled maintenance item.
Microsoft GitHub Compromise — Password-Stealing Malware Injected Into Open Source Projects
Microsoft cut off access to dozens of its open source projects hosted on GitHub as it investigated how hackers apparently breached the projects and injected password-stealing malware into the code. Many of the affected projects relate to Microsoft’s cloud service Azure and other tools used by developers to code with AI development applications.
A supply chain attack targeting Microsoft’s own open source GitHub repositories is a significant event. Developers who pulled down affected packages during the compromise window should audit their environments immediately. This incident reinforces why software supply chain security must now be treated as a first-class cybersecurity concern for every development team.
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.