A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally.
The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls.
“Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices,” SOCRadar said [PDF] in a fresh report. “The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.”
Central to the operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command -diagnose sniffer packet to passively capture authentication traffic from the infected appliances. The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract the credentials.
It’s suspected that the threat actors may have sought the help of an open-source, AI-native offensive security platform dubbed CyberStrike to assist with some “parts of the workflow.” Interestingly, another open-source framework called CyberStrikeAI was put to use in connection with another automated mass scanning campaign targeting FortiGate devices that Amazon Threat Intelligence exposed earlier this year.
“The campaign shows a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees,” the SOCRadar explained. “The actor targets multiple sectors and regions, with notable emphasis on the United States and India. The IT services sector appears to be a key target. This targeting choice likely helps the actor maximize downstream access, as compromised service providers can create access paths into customer environments.”
Perhaps the most interesting finding is that FortiBleed appears to be part of a broader, multi-vendor initial access operation that’s orchestrated to not only target Fortinet devices, but also breach Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers using automated brute-forcing since February 28, 2026.
In all, the attackers are estimated to have launched no less than 659 credential-harvesting pipelines on May 31 and June 15, 2026, resulting in the identification of over 110 million credentials. This included –
- 14.8 million Remote Authentication Dial-In User Service (RADIUS) credentials
- 924,000 NTLM hashes
- 130,000 Kerberos hashes
- 89 million MySQL authentication tokens
The FortiBleed campaign takes place over five stages –
- Perform widespread reconnaissance using tools like Masscan and Shodan to identify vulnerable internet-facing FortiGate firewalls, followed by using a custom utility dubbed FortiProbe-fast and GeoSplit to filter FortiGate systems and group them by country, respectively.
- Compromise the devices with a credential checker named “forticheck” that specifically targets FortiGate’s administrative panel and SSL-VPN portal, along with using tools to obtain administrative SSH access via credential stuffing and dictionary attacks.
- Upon establishing access via SSH, FortigateSniffer is deployed to passively intercept authentication traffic across 24 protocols (e.g., TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS) using native FortiOS diagnostic commands, making it possible to harvest cleartext credentials and password hashes.
- The password hashes are cracked using Hashmat and Hashtopolis, and orchestrated by a Telegram bot named HASHBOT, after which they are used for lateral movement and Active Directory enumeration.
- Sensitive data from network shares is exfiltrated while stolen session cookies are used to maintain persistent, authenticated access.
“The group does not treat all targets equally,” SOCRadar said. “Instead, targets are ranked according to economic value before exploitation resources are allocated.”
What’s more, the sniffing mechanism includes a geofencing filter that restricts operations to specific IP ranges, not to mention limiting the activity to between 7 a.m. and 6 p.m. Moscow Time. According to data captured by SpyCloud, the FortiGate-related capture cycle is said to have commenced on May 19, 2026, with the hash cracking infrastructure set up towards the end of the month.
“The operation runs in a pipeline of 300-minute (five-hour) cycles, with status every minute,” Zenox said. “In each cycle it loads a regional target list […] and validates with 1,000 simultaneous threads, displaying counters of success, failure, timeout, and warning. In the first cycles, the successful validation rate hovered near 90%.”
The Brazilian cybersecurity company also said it found certain username and password pairs to be repeated across thousands of distinct IP addresses, raising the possibility that the accounts have been planted by the attacker as a clandestine backdoor entry point.
The development comes as a Russian-speaking account named “SantaAd” has advertised access to thousands of Fortinet devices for a starting price of $30,000, before increasing it to $60,000 hours later. However, it’s unclear if this has any connection to the FortiBleed exposure.
“The threat actor group behind ‘FortiBleed’ was not just targeting FortiGate VPNs,” SpyCloud said. “They were actually targeting a range of different internet-facing appliances with a standard spray-and-pray attack chain that relies mostly on mass scanning and brute-forcing logins.”
