
Operators of the Qilin ransomware group—also known under the alias Phantom Mantis—have begun actively exploiting critical vulnerabilities in Fortinet products to breach organizational networks and execute malicious code. This new campaign, underway since May 2025, has already affected infrastructure in Spanish-speaking countries. However, experts observe that the attackers are not geographically bound; they select targets based on vulnerability, not nationality.
Qilin first emerged on the cybercrime landscape in August 2022, initially under the brand Agenda. Since then, the group has embraced the Ransomware-as-a-Service (RaaS) model, publishing the stolen data of its victims on a proprietary dark web portal. As of 2025, the list of compromised entities exceeds 310, encompassing prominent brands and institutions.
Among the victims are the multinational automotive supplier Yanfeng, major U.S. publisher Lee Enterprises, the court system of Victoria, Australia (Court Services Victoria), and the UK pathology provider Synnovis. The latter incident was particularly disruptive, impacting several leading NHS hospitals in London and forcing the cancellation of hundreds of surgeries and patient appointments.
According to Swiss cybersecurity firm PRODAFT, Qilin has launched a fresh wave of attacks, automating parts of its workflow and focusing on the exploitation of two Fortinet flaws: CVE-2024-21762 and CVE-2024-55591. Both are critical and both affect FortiOS and FortiProxy, but they are different bugs. CVE-2024-21762 is an out-of-bounds write in the SSL VPN daemon that allows an unauthenticated attacker to execute arbitrary code on the appliance via crafted requests. CVE-2024-55591 is an authentication bypass in the Node.js websocket module that lets an unauthenticated attacker obtain super-admin privileges on the device. Either one is enough to turn an internet-facing firewall into an initial access point.
One telling clue: CVE-2024-55591 had already been exploited in zero-day attacks before Fortinet published an advisory. In November 2024 it served as the entry point for compromising FortiGate firewalls, and the same intrusions later led to the deployment of SuperBlack ransomware, a strain built on the leaked LockBit 3.0 builder and therefore linked to that syndicate, another prominent player in the ransomware ecosystem. This connection was documented by researchers at Forescout.
Meanwhile, CVE-2024-21762 was patched by Fortinet in February 2024. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) swiftly added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating that federal agencies update affected devices by February 16, 2024. Nevertheless, one month later, the Shadowserver Foundation reported that approximately 150,000 devices worldwide remained exposed. That the flaw is still viable as an initial access vector more than a year after the fix shows how slowly perimeter appliances get patched.
Researchers suggest that Qilin’s apparent focus on Spanish-speaking regions may stem from localization advantages or commonly vulnerable configurations within those networks.
Fortinet has, in recent years, become one of the most exploited elements of corporate IT infrastructure. Its products, often deployed as perimeter defenses, are frequent targets of cyberespionage campaigns—particularly those leveraging zero-day vulnerabilities, which pose exceptional risk.
In February 2024, Fortinet publicly acknowledged that the Chinese state-linked group Volt Typhoon had exploited two separate vulnerabilities in the FortiOS SSL VPN, CVE-2022-42475 and CVE-2023-27997, to deliver the Coathanger remote access trojan. This malware was later discovered within the Dutch Ministry of Defence's network, where it functioned as a stealthy backdoor that survived reboots and firmware updates, enabling persistent unauthorized access.
What makes these vulnerabilities especially dangerous is that they do not merely allow network infiltration. CVE-2024-55591 in particular bypasses the appliance's authentication entirely, giving the attacker super-admin control of the firewall without any valid credentials; from there they can create accounts, change VPN and firewall policy, and pivot into the internal network as if they were a legitimate administrator. Such conditions are ideal for ransomware deployment, particularly during off-hours or weekends, when SOC oversight is minimal.
Qilin's recent activities suggest a growing level of sophistication and stronger collaboration with other threat actors. The group leverages publicly known vulnerabilities for which working exploits already circulate (one of them, CVE-2024-55591, was originally exploited as a zero-day), automates the initial stages of its attacks, and prioritizes rapid deployment of payloads, all indicators of a highly professionalized operation.
Whether the campaign will extend to other countries remains uncertain, but PRODAFT has issued a stark warning: unless these vulnerabilities are swiftly addressed, the scope of attacks may expand dramatically. Organizations are strongly urged to apply the latest FortiOS and FortiProxy patches immediately, to restrict administrative and SSL VPN interfaces to trusted networks, and to scrutinize the appliance's event logs for signs of suspicious access, especially administrator logins that bypass standard authentication and unexpected creation of new super-admin accounts.
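The log review recommended above can be scripted. The following Python is an added example, not code from PRODAFT or Fortinet: it parses FortiGate event-log lines in their key="value" format and flags the two patterns Fortinet's own advisory for CVE-2024-55591 describes, successful admin logins through the `jsconsole` interface from unexpected source addresses, and the addition of a new `system.admin` object with the `super_admin` profile. The sample log lines are constructed for this example and the `TRUSTED_MGMT_NETS` allowlist is a hypothetical value to be replaced with your own management ranges.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Matches key="quoted value" or key=bare_value pairs in FortiGate log lines.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Hypothetical allowlist of management networks (assumption: adjust per environment).
TRUSTED_MGMT_NETS = [ip_network("10.10.0.0/24")]

# Constructed sample FortiGate event logs (not real captures). Line 2 and 3 mimic the
# CVE-2024-55591 indicators: an admin login via "jsconsole" from an arbitrary IP,
# followed by creation of a randomly named super_admin account.
SAMPLE_LOGS = [
    'date=2025-05-11 time=02:14:09 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" method="https" '
    'srcip=10.10.0.5 dstip=10.10.0.1 action="login" status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.10.0.5)"',
    'date=2025-05-11 time=03:41:52 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=8.8.8.8 dstip=8.8.8.8 action="login" status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'date=2025-05-11 time=03:42:10 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgpath="system.admin" cfgobj="qzkwm" cfgattr="password[*]accprofile[super_admin]vdom[root]" '
    'msg="Add system.admin qzkwm"',
    'date=2025-05-11 time=03:45:00 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login failed" user="root" ui="https(203.0.113.7)" method="https" '
    'srcip=203.0.113.7 dstip=10.10.0.1 action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator root login failed from https(203.0.113.7)"',
]


@dataclass
class Finding:
    rule: str
    severity: str
    user: str
    srcip: str
    detail: str


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a dict; quoted and bare values both handled."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def _from_trusted_net(srcip: str) -> bool:
    """True if srcip parses as an address inside one of the allowlisted management nets."""
    try:
        addr = ip_address(srcip)
    except ValueError:  # missing or malformed srcip field
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def analyze_line(line: str) -> List[Finding]:
    """Apply the CVE-2024-55591 post-exploitation rules to a single log line."""
    ev = parse_fortigate_line(line)
    user, srcip, ui = ev.get("user", "?"), ev.get("srcip", "?"), ev.get("ui", "")
    findings: List[Finding] = []

    login_ok = ev.get("logdesc") == "Admin login successful" and ev.get("status") == "success"
    if login_ok and ui.startswith("jsconsole") and not _from_trusted_net(srcip):
        # Rule 1: jsconsole admin login from outside management nets (advisory indicator).
        findings.append(Finding("jsconsole_admin_login", "high", user, srcip, f"ui={ui}"))
    elif login_ok and not _from_trusted_net(srcip):
        # Rule 3: any other successful admin login from an untrusted source.
        findings.append(Finding("admin_login_untrusted_src", "medium", user, srcip, f"ui={ui}"))

    if (ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add"
            and "super_admin" in ev.get("cfgattr", "")):
        # Rule 2: a new super_admin account was added; review regardless of source.
        findings.append(Finding("new_super_admin_account", "high", user, srcip,
                                f"account={ev.get('cfgobj', '?')} via ui={ui}"))
    return findings


def analyze_logs(lines: List[str]) -> List[Finding]:
    """Run every rule over every line and return the flattened findings."""
    return [f for line in lines for f in analyze_line(line)]


if __name__ == "__main__":
    for f in analyze_logs(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.rule}: user={f.user} srcip={f.srcip} {f.detail}")
```

Run it over an export of the appliance's event logs (`execute log filter category 1` followed by `execute log display` on the CLI, or the syslog feed) rather than the constructed sample. The allowlist matters: a legitimate administrator using the web GUI's CLI widget also produces a `jsconsole` login, so the rule is tuned to source address, not interface alone, while a new super-admin object is rare enough to be reviewed every time.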