FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

Summary

A Russian-speaking initial access broker is behind the FortiBleed operation, targeting over 430,000 FortiGate firewalls globally since February 2026. The campaign harvests credentials using a Golang-based tool called FortigateSniffer, which exploits FortiOS diagnostic commands to capture authentication traffic. The operation has collected over 110 million credentials, including RADIUS, NTLM, Kerberos, and MySQL tokens, and appears to be part of a broader multi-vendor initial access campaign.

Full text

FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Ravie LakshmananJun 23, 2026Initial Access Broker / Firewall Security A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls. "Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices," SOCRadar said [PDF] in a fresh report. "The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services." Central to the operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command -diagnose sniffer packet to passively capture authentication traffic from the infected appliances. The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract the credentials. It's suspected that the threat actors may have sought the help of an open-source, AI-native offensive security platform dubbed CyberStrike to assist with some "parts of the workflow." Interestingly, another open-source framework called CyberStrikeAI was put to use in connection with another automated mass scanning campaign targeting FortiGate devices that Amazon Threat Intelligence exposed earlier this year. "The campaign shows a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees," the SOCRadar explained. "The actor targets multiple sectors and regions, with notable emphasis on the United States and India. The IT services sector appears to be a key target. This targeting choice likely helps the actor maximize downstream access, as compromised service providers can create access paths into customer environments." Perhaps the most interesting finding is that FortiBleed appears to be part of a broader, multi-vendor initial access operation that's orchestrated to not only target Fortinet devices, but also breach Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers using automated brute-forcing since February 28, 2026. In all, the attackers are estimated to have launched no less than 659 credential-harvesting pipelines on May 31 and June 15, 2026, resulting in the identification of over 110 million credentials. This included - 14.8 million Remote Authentication Dial-In User Service (RADIUS) credentials 924,000 NTLM hashes 130,000 Kerberos hashes 89 million MySQL authentication tokens The FortiBleed campaign takes place over five stages - Perform widespread reconnaissance using tools like Masscan and Shodan to identify vulnerable internet-facing FortiGate firewalls, followed by using a custom utility dubbed FortiProbe-fast and GeoSplit to filter FortiGate systems and group them by country, respectively. Compromise the devices with a credential checker named "forticheck" that specifically targets FortiGate's administrative panel and SSL-VPN portal, along with using tools to obtain administrative SSH access via credential stuffing and dictionary attacks. Upon establishing access via SSH, FortigateSniffer is deployed to passively intercept authentication traffic across 24 protocols (e.g., TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS) using native FortiOS diagnostic commands, making it possible to harvest cleartext credentials and password hashes. The password hashes are cracked using Hashmat and Hashtopolis, and orchestrated by a Telegram bot named HASHBOT, after which they are used for lateral movement and Active Directory enumeration. Sensitive data from network shares is exfiltrated while stolen session cookies are used to maintain persistent, authenticated access. "The group does not treat all targets equally," SOCRadar said. "Instead, targets are ranked according to economic value before exploitation resources are allocated." What's more, the sniffing mechanism includes a geofencing filter that restricts operations to specific IP ranges, not to mention limiting the activity to between 7 a.m. and 6 p.m. Moscow Time. According to data captured by SpyCloud, the FortiGate-related capture cycle is said to have commenced on May 19, 2026, with the hash cracking infrastructure set up towards the end of the month. "The operation runs in a pipeline of 300-minute (five-hour) cycles, with status every minute," Zenox said. "In each cycle it loads a regional target list [...] and validates with 1,000 simultaneous threads, displaying counters of success, failure, timeout, and warning. In the first cycles, the successful validation rate hovered near 90%." The Brazilian cybersecurity company also said it found certain username and password pairs to be repeated across thousands of distinct IP addresses, raising the possibility that the accounts have been planted by the attacker as a clandestine backdoor entry point. The development comes as a Russian-speaking account named "SantaAd" has advertised access to thousands of Fortinet devices for a starting price of $30,000, before increasing it to $60,000 hours later. However, it's unclear if this has any connection to the FortiBleed exposure. "The threat actor group behind 'FortiBleed' was not just targeting FortiGate VPNs," SpyCloud said. "They were actually targeting a range of different internet-facing appliances with a standard spray-and-pray attack chain that relies mostly on mass scanning and brute-forcing logins." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Active Directory, Brute force, Credential Theft, Cybercrime, Firewall Security, Fortigate, Fortinet, Initial Access Broker, SMB Security, VPN Security ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check

Indicators of Compromise

• malware — FortigateSniffer
• malware — FortiProbe-fast
• malware — forticheck
• malware — HASHBOT

Entities