After gaining a foothold in thousands of Fortinet firewalls, the attackers are starting to monetize that access, and are also piling on a Nextcloud zero-day bug.

July 2, 2026

The initial access broker (IAB) operation behind the credential-harvesting FortiBleed campaign is working in concert with ransomware actors, indicating the victims of the massive operation are now facing an even greater threat.

Research published by SOCRadar this week connects FortiBleed actors with two ransomware-as-a-service (RaaS) gangs, Inc Ransom and Lynx. SOCRadar researchers discovered an operator behind the campaign's infrastructure who was actively logged into the ransom negotiation panels for both groups, and "engaging directly with ransom demands."

"Finding a single operator working both panels, using infrastructure traceable back to FortiBleed, is the clearest evidence yet that FortiGate credentials harvested through this campaign are being handed off, or used directly, for ransomware deployment," according to the SOCRadar blog post.