A new wave of Qilin ransomware attacks is exploiting two critical Fortinet vulnerabilities to gain unauthorized access and execute malicious code on vulnerable systems. This Ransomware-as-a-Service (RaaS) operation, also known as Phantom Mantis or Agenda, has significantly broadened its scope and victim base, targeting high-profile organizations globally.
Severity Level: Critical
Threat Details
- The attacks targeted multiple organizations between May and June 2025.
- Exploited FortiGate vulnerabilities such as CVE-2024-21762, CVE-2024-55591, and others to gain initial access.
- After gaining access, the actors use remote shell access or web shell deployment to execute arbitrary commands on the compromised device, download second-stage payloads (e.g., loaders, credential dumpers, reconnaissance tools), and deploy Qilin ransomware.
- According to Prodaft, "The attack is fully automated, with only victim selection done manually."
- Campaign scale: Since its emergence in August 2022, Qilin has built a global victim portfolio, impacting over 310 organizations across various industries and regions.
- Notable Victims: Yanfeng, Lee Enterprises, Synnovis, Court Services Victoria.
Recommendations:
- Immediately apply Fortinet's patches for the exploited vulnerabilities (including CVE-2024-21762 and CVE-2024-55591 listed above, and the other recent critical FortiGate CVEs from 2024–2025).
- Isolate management interfaces (e.g., web GUI, SSH, SNMP) from public internet exposure via firewall rules, or by requiring VPN access to reach them.
- Backup Strategy: Implement offline or immutable backups. Regularly test restore procedures from backups. Store multiple backup versions in segregated environments (cloud and on-prem).
- Block the IOCs at their respective controls. The indicators for this campaign are collected at:
https://www.virustotal.com/gui/collection/54df12c2c177aa84ba473a3ba5cb34504146a38e257b42ac8d20b0cb9887fa67/iocs
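The following FortiOS CLI fragment is an added illustration of the two hardening recommendations above (removing management services from the internet-facing interface and blocking IoCs); it is not part of the advisory and not Fortinet's or Prodaft's own guidance. It assumes "wan1" is the internet-facing interface, "internal" is the LAN interface, "admin" is the administrator account, and 10.10.0.0/24 is the management subnet reached over VPN; the IoC address 203.0.113.10 is a constructed placeholder from a documentation range, to be replaced with the indicators from the VirusTotal collection.

```text
# Added example (not from the advisory or Fortinet). Assumptions: "wan1" is the
# internet-facing interface, "internal" is the LAN side, "admin" is the admin
# account, 10.10.0.0/24 is the management subnet reachable only over VPN.

# WEAK: management services answer on the internet-facing interface, which is
# exactly the exposure the exploited FortiGate CVEs need.
config system interface
    edit "wan1"
        set allowaccess ping https ssh snmp
    next
end

# HARDENED 1: no management services at all on the internet-facing interface.
config system interface
    edit "wan1"
        unset allowaccess
    next
end

# HARDENED 2: administrator logins accepted only from the management subnet
# (external admins connect to the VPN first, then to the GUI/SSH).
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end

# HARDENED 3: local-in policy that drops inbound HTTPS/SSH aimed at the
# firewall itself on wan1, so the exposure does not silently return if
# allowaccess is re-enabled later by another change.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end

# IoC BLOCKING: placeholder address object (203.0.113.10 is a documentation
# range, not a real indicator). Put every IP from the IoC collection in the
# group; the deny policy must sit above any permit rule, and the policy ID
# must be one that is not already in use.
config firewall address
    edit "IOC-PLACEHOLDER-1"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall addrgrp
    edit "Qilin-IOC-Blocklist"
        set member "IOC-PLACEHOLDER-1"
    next
end
config firewall policy
    edit 100
        set name "Deny-IOC-Outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Qilin-IOC-Blocklist"
        set service "ALL"
        set schedule "always"
        set action deny
        set logtraffic all
    next
end

# CHECK: confirm nothing is still listening for management on wan1 and that
# the admin account carries the trusted-host restriction.
show system interface wan1
show system admin admin
```

Logging the deny rule (`set logtraffic all`) turns the blocklist into a detection source as well: any internal host that tries to reach a blocked indicator shows up in the traffic log and is a candidate for the second-stage activity the advisory describes.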
Source:
- https://www.bleepingcomputer.com/news/security/critical-fortinet-flaws-now-exploited-in-qilin-ransomware-attacks/
- https://catalyst.prodaft.com/public/report/phantom-mantis-using-fortigate-vulnerabilities-to-deploy-qilin-ransomware/overview