EXPLORE

Article

Helix Extortion Group Debuts in SharePoint Data Theft Attacks

Arete Analysis

A newly identified data-extortion group, Helix, is reportedly conducting targeted campaigns by exploiting identity-based attack techniques to gain access to Microsoft 365 environments and exfiltrate data from SharePoint Online. The group leverages voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to compromise user accounts and establish unauthorized access. 

  • Helix threat actors reportedly initiate intrusions through vishing campaigns, impersonating trusted individuals—often the target's manager—and leveraging caller ID spoofing to enhance credibility. 


  • The actors then attempt to persuade victims to complete device code phishing workflows, enabling unauthorized access to corporate accounts and Microsoft 365 resources. 


  • Following successful authentication, the actors conduct reconnaissance and enumeration of SharePoint environments before identifying and exfiltrating sensitive data for extortion purposes. 


  • Helix's variable dwell times suggest a flexible, target-specific operational approach, enabling the group to adapt its intrusion timeline to victim environments to maximize data theft and extortion opportunities while minimizing the likelihood of detection. Helix's operations also appear to be focused on large-scale data theft and extortion, with an emphasis on automated SharePoint data exfiltration following successful credential or session compromise.

Overlaps with Other Extortion Groups

Researchers assess that Helix likely emerged from or has operational overlap with the ShinyHunters and BlackFile/Redact cybercriminal ecosystems. ShinyHunters historically focuses on compromising websites, developer repositories, and exposed credentials or API keys to gain access to corporate cloud environments, monetizing stolen victim data on the dark web. BlackFile utilizes identity-centric and social engineering–driven methods of intrusion, relying less on traditional malware and instead leveraging credential theft, privilege escalation, rapid data exfiltration, and coercive tactics such as swatting to maximize extortion pressure. In May 2026, BlackFile announced that it would be rebranding as “Redact” (which may have later rebranded again to “Pink”), yet despite the rebrands, threat actors operating within these groups continued to exhibit similar operational models, victimology, and extortion methodologies.  

Analyst Comments

Collectively, the similarities between the groups suggest the possibility of a shared criminal ecosystem, affiliate network, or loosely connected threat cluster rather than entirely independent operations.  The emergence of Helix further reflects the broader trend of extortion groups rebranding or fragmenting while retaining proven attack techniques and operational infrastructure to support their criminal activities. Despite suspicion of these groups’ connectivity, the exact nature of the relationship remains unconfirmed.  As Helix focuses on identity-based attack techniques to gain access to Microsoft 365 environments, Arete recommends that organizations remain vigilant in using MFA, enforcing strong identity security controls, continuously monitoring authentication activity, and enhancing user awareness of social engineering tactics.

Back to Blog Posts

Podcast

Digital Forensics Meets the Courtroom: Insights on Expert Witness and Cyber-Related Litigation

In this episode of Bytes of Insight, host Vinny Sakore and special guest Dr. Bruce Hartley, Managing Director and Co-Founder of Advisory Services at Arete, discuss the evolving role of digital forensics and expert witness work in cybersecurity litigation. Tune in for firsthand insights on how Arete conducts post-breach investigations, what it takes to undergo cross-examination on the stand, and how emerging threats like AI-driven social engineering and third-party breaches are reshaping the advisory landscape.

Article

Helix Extortion Group Debuts in SharePoint Data Theft Attacks

A newly identified data-extortion group, Helix, is reportedly conducting targeted campaigns by exploiting identity-based attack techniques to gain access to Microsoft 365 environments and exfiltrate data from SharePoint Online. The group leverages voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to compromise user accounts and establish unauthorized access. 

  • Helix threat actors reportedly initiate intrusions through vishing campaigns, impersonating trusted individuals—often the target's manager—and leveraging caller ID spoofing to enhance credibility. 


  • The actors then attempt to persuade victims to complete device code phishing workflows, enabling unauthorized access to corporate accounts and Microsoft 365 resources. 


  • Following successful authentication, the actors conduct reconnaissance and enumeration of SharePoint environments before identifying and exfiltrating sensitive data for extortion purposes. 


  • Helix's variable dwell times suggest a flexible, target-specific operational approach, enabling the group to adapt its intrusion timeline to victim environments to maximize data theft and extortion opportunities while minimizing the likelihood of detection. Helix's operations also appear to be focused on large-scale data theft and extortion, with an emphasis on automated SharePoint data exfiltration following successful credential or session compromise.

Overlaps with Other Extortion Groups

Researchers assess that Helix likely emerged from or has operational overlap with the ShinyHunters and BlackFile/Redact cybercriminal ecosystems. ShinyHunters historically focuses on compromising websites, developer repositories, and exposed credentials or API keys to gain access to corporate cloud environments, monetizing stolen victim data on the dark web. BlackFile utilizes identity-centric and social engineering–driven methods of intrusion, relying less on traditional malware and instead leveraging credential theft, privilege escalation, rapid data exfiltration, and coercive tactics such as swatting to maximize extortion pressure. In May 2026, BlackFile announced that it would be rebranding as “Redact” (which may have later rebranded again to “Pink”), yet despite the rebrands, threat actors operating within these groups continued to exhibit similar operational models, victimology, and extortion methodologies.  

Analyst Comments

Collectively, the similarities between the groups suggest the possibility of a shared criminal ecosystem, affiliate network, or loosely connected threat cluster rather than entirely independent operations.  The emergence of Helix further reflects the broader trend of extortion groups rebranding or fragmenting while retaining proven attack techniques and operational infrastructure to support their criminal activities. Despite suspicion of these groups’ connectivity, the exact nature of the relationship remains unconfirmed.  As Helix focuses on identity-based attack techniques to gain access to Microsoft 365 environments, Arete recommends that organizations remain vigilant in using MFA, enforcing strong identity security controls, continuously monitoring authentication activity, and enhancing user awareness of social engineering tactics.

  • Sources

  • Helix, a New Name in the Data Extortion Ecosystem?

  • BlackFile actively extorting data-theft victims in retail and hospitality sector

  • "Pink" Data Extortion Group Hunting With Evasive Phishing Kits

Article

FortiBleed Campaign Linked to INC and Lynx Ransomware Operations

Researchers have linked the FortiBleed credential-harvesting campaign to the INC and Lynx ransomware-as-a-service (RaaS) operations, establishing a direct connection between large-scale FortiGate credential theft and subsequent ransomware deployment. The attribution is based on a variety of factors, including an operator observed managing negotiation panels for both ransomware groups, notable overlap between FortiBleed victim data and subsequent ransomware targets, and internal infrastructure exposing attack workflows. The campaign is estimated to have targeted more than 430,000 internet-facing FortiGate devices, resulting in administrative access to hundreds of organizations. 

What’s Notable and Unique

  • Researchers identified a shared operator actively managing negotiation panels for both the INC and Lynx ransomware groups, providing rare operational evidence linking the two RaaS operations beyond infrastructure or malware similarities. 


  • Analysis of the exposed infrastructure revealed a structured ransomware operation with dedicated roles for access acquisition, victim management, negotiations, and technical support, reflecting an organized ransomware-as-a-service (RaaS) model rather than an ad hoc criminal group. 


  • The operation reportedly integrates artificial intelligence into multiple stages of the attack lifecycle, including vulnerability research, penetration testing, attack automation, and ransomware development, demonstrating the increasing adoption of AI to enhance offensive capabilities.

Mitigations

Organizations should assume that exposed or previously compromised FortiGate credentials may be leveraged for ransomware deployment and immediately reset administrative and VPN credentials while enforcing multi-factor authentication (MFA) for all privileged access. Security teams should ensure that FortiGate appliances are fully patched, restrict management interfaces to trusted networks, and audit administrative accounts and firewall configurations for unauthorized changes. Organizations should also monitor for anomalous authentication activity, hunt for published indicators of compromise (IOCs), and review VPN and firewall logs for signs of unauthorized access. Maintaining centralized logging and a well-practiced incident response process can help detect and contain attacks before they progress to lateral movement or ransomware deployment.

Analyst Comments

The attribution of FortiBleed to the INC and Lynx ransomware operations reinforces the growing convergence between credential-harvesting campaigns and ransomware deployment, highlighting the role of initial access operations in modern RaaS ecosystems. The relationship between INC and Lynx also aligns with Arete's previous research, which identified a shared malware lineage. INC Ransom, first observed in 2023, was later leaked or sold, enabling code reuse by other threat actors. Lynx, which emerged in 2024, is widely regarded as an evolution of the INC codebase. Sinobi ransomware, identified in 2025, shares near-identical binaries and infrastructure, and approximately 99% code similarity with Lynx. Further details on the code correlation between INC, Lynx, and Sinobi are available in Arete's 2025 Annual Report.

Sources

  • Is FortiBleed Linked to INC and Lynx Ransomware?   

  • FortiBleed credential-theft campaign linked to Lynx ransomware   

  • FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Groups   

  • FortiBleed Credential Theft Campaign Attributed to INC and Lynx Ransomware Groups  

Article

Ransomware Trends & Data Insights: June 2026

Although Akira was once again the most active ransomware threat in June, activity remained relatively distributed among multiple threat groups, with 17 unique threat groups observed throughout the month. Along with Akira, Qilin and INC Ransom remained active and were among the top five most active threat groups observed in June. Several new threat actors also emerged during the month, including KryBit, Settra, and Icarus.

Figure 1. Activity from the top 5 threat groups in June 2026

Throughout the month, analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities:

  • In June, a threat actor calling themselves Icarus compromised and exfiltrated data from customers of the market intelligence platform Klue. Klue later confirmed the security incident, which involved attackers stealing OAuth tokens used to connect to customers' Salesforce environments, and reported that the threat actor was deleting the data stolen from affected Klue customers. In an odd twist, reports emerged of a second threat actor claiming to have compromised Icarus's infrastructure and attempting to re-extort Klue's customers. Regardless, the Klue breach highlights the growing threat of software-as-a-service (SaaS) supply chain compromises, particularly those exploiting OAuth tokens and trusted integrations to bypass traditional security controls.

  • In mid-June, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways, relying heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation. The scale of exposure and attack activity has been significant and globally distributed, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 countries. There is no singular ‘fix’ to mitigate the database exposure, and it is important that organizations work with their security teams, incident response providers, and other stakeholders to review environments holistically and monitor for signs of potentially unauthorized activity.

  • Multiple threat groups continue to leverage vulnerable drivers to bypass endpoint detection and response (EDR) solutions in a technique known as Bring Your Own Vulnerable Driver (BYOVD). Arete has observed Akira and DragonForce using the technique in multiple engagements, and The Gentlemen ransomware-as-a-service (RaaS) has also been observed using what researchers are calling "GentleKiller", a framework consisting of multiple variants that leverage vulnerable drivers and EDR-disabling utilities to target a wide range of endpoint security products.  

Sources

  • Arete Internal