thehackernews.com 3/19/2026, 3:04:19 PM · via preferred

ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More

CyberSIXT Evidence Panel
Primary Source: github.com
CISA KEV: Listed in KEV
Patch: Patch Available

The ThreatsDay Bulletin revisits FortiGate RaaS activity led by The Gentlemen, a nascent ransomware-as-a-service (RaaS) operation that allegedly uses CVE-2024-55591, a critical FortiOS/FortiProxy authentication bypass, for initial access. According to Group-IB, the group maintains an operational database of approximately 14,700 FortiGate devices exploited globally and holds 969 validated, brute-forced FortiGate VPN credentials ready for attack, and it uses BYOVD-based kernel evasion techniques.

Since its emergence in mid-2025, the group has attacked around 94 organisations and has also reportedly terminated security processes at the kernel level using BYOVD. The bulletin also notes mass activity targeting Citrix flaws, with more than 500 exploit attempts observed against Citrix NetScaler CVEs (CVE-2025-5777 and CVE-2023-4966) on 16 March 2026, per Defused Cyber.

Other items include a pre-auth RCE chain in BMC FootPrints, a loader delivering SnappyClient, and live-chat-based phishing campaigns designed to harvest sensitive data. The roundup also covers phishing and credential-theft campaigns such as LiveChat abuse and 7-Stage phishing, broader malware distribution, and related AI and cloud-focused threats.


Article by CyberSIXT