A financially motivated, Russian-speaking initial access broker (IAB) is suspected to be behind a massive credential-harvesting operation called FortiBleed that has targeted more than 430,000 FortiGate firewalls globally.
The campaign, active since February 2026, involves collecting credential lists, discovering exposed services, brute-forcing accessible systems, and deploying custom packet sniffers on compromised firewalls.
“Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices,” SOCRadar said in a recent report [PDF]. “Actors crack, verify, and reuse credentials against Active Directory domains and other exposed services.”
At the center of the operation is a Golang-based tool called FortigateSniffer, which leverages the built-in FortiOS diagnostic command "diagnose sniffer packet" to passively capture authentication traffic on infected devices. The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract credentials.
It is suspected that the threat actors may have used an open-source, AI-native offensive security platform called CyberStrike to assist with “certain parts of the workflow.” Interestingly, another open-source framework called CyberStrikeAI was used in connection with a separate automated mass scanning campaign targeting FortiGate devices that was exposed by Amazon Threat Intelligence earlier this year.
“The campaign focuses heavily on small and medium businesses (SMBs) with fewer than 200 employees,” SOCRadar reported. “The actor targets multiple sectors and regions, with notable emphasis on the United States and India. The IT services sector appears to be a major target. This targeting choice likely helps the actor maximize downstream reach, as compromised service providers can create access paths into customer environments.”
Perhaps the most interesting finding is that FortiBleed appears to be part of a broader, multi-vendor initial access operation that not only targeted Fortinet devices, but also breached Synology NAS, Sophos Firewall, RDWeb Portal, Citrix SSL-VPN, and MS-SQL Server using automated brute-forcing since February 28, 2026.
Overall, it is estimated that the attackers launched at least 659 credential-harvesting pipelines between May 31 and June 15, 2026, resulting in more than 110 million credentials being identified. This includes –
- 14.8 million Remote Authentication Dial-In User Service (RADIUS) credentials
- 924,000 NTLM hashes
- 130,000 Kerberos hashes
- 89 million MySQL authentication tokens
The FortiBleed campaign runs in five phases –
- Perform comprehensive reconnaissance using tools such as MyScan and Shodan to identify vulnerable Internet-facing FortiGate firewalls, then use the custom utilities FortiProbe-Fast and GeoSplit to filter out FortiGate systems and group them by country, respectively.
- Compromise devices using a credential checker named “FortiCheck” that specifically targets FortiGate’s administrative panel and SSL-VPN portal, along with tools that obtain administrative SSH access via credential stuffing and dictionary attacks.
- Once SSH access is established, deploy FortigateSniffer to passively intercept authentication traffic across 24 protocols (for example, TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS) using native FortiOS diagnostic commands, making it possible to harvest cleartext credentials and password hashes.
- Crack the captured password hashes using Hashcat and Hashtopolis, coordinated by a Telegram bot called HASHBOT, after which the recovered credentials are used for lateral movement and Active Directory enumeration.
- Harvest sensitive data from network shares, while stolen session cookies are used to maintain persistent, authenticated access.
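The third phase is the one a defender can see on the firewall itself: an administrative SSH session invoking the FortiOS "diagnose sniffer packet" command with a capture filter aimed at authentication ports. The following script is an added detection example, not code from SOCRadar, SpyCloud, Zenox or Fortinet. It assumes CLI audit logging is enabled on the firewall and that the event lines use a FortiOS-style key=value layout with "user", "ui" and "msg" fields; the sample log lines and the port-to-protocol table are constructed for illustration.

```python
"""Flag FortiGate CLI audit events that match the FortiBleed sniffer pattern:
an SSH admin session running 'diagnose sniffer packet' against authentication
ports. Added example; the log layout below is an assumption modelled on FortiOS
event logs, and the sample lines are constructed rather than captured."""

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Well-known ports for the protocols the campaign sniffs. This mapping is the
# example's own assumption; the report lists protocols, not ports.
AUTH_PORTS: Dict[int, str] = {
    21: "FTP", 23: "Telnet", 25: "SMTP", 49: "TACACS+", 88: "Kerberos",
    135: "RPC", 389: "LDAP", 445: "SMB", 636: "LDAPS", 1433: "MS-SQL",
    1812: "RADIUS", 1813: "RADIUS-acct", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 5985: "WinRM",
}

# Constructed sample lines: one routine config edit and two sniffer invocations.
SAMPLE_LOGS = [
    'date=2026-05-20 time=09:12:44 type="event" subtype="system" level="information" '
    'user="admin" ui="ssh(198.51.100.7)" action="Edit" msg="Edit firewall.policy 12"',
    'date=2026-05-20 time=09:13:10 type="event" subtype="system" level="notice" '
    'user="admin" ui="ssh(198.51.100.7)" action="command" '
    "msg=\"User admin run command: diagnose sniffer packet any 'port 389' 3 0 l\"",
    'date=2026-05-20 time=11:47:02 type="event" subtype="system" level="notice" '
    'user="svc_backup" ui="ssh(203.0.113.9)" action="command" '
    "msg=\"User svc_backup run command: diagnose sniffer packet port1 "
    "'port 88 or port 1812' 6\"",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PORT_RE = re.compile(r"\bport\s+(\d{1,5})\b")   # BPF 'port N' terms in the filter
SSH_UI_RE = re.compile(r"ssh\(([^)]+)\)")       # remote IP of the SSH session


@dataclass(frozen=True)
class SnifferEvent:
    time: str
    user: str
    source_ip: str
    ports: Tuple[int, ...]
    command: str

    def auth_protocols(self) -> List[str]:
        """Authentication protocols whose ports appear in the capture filter."""
        return [AUTH_PORTS[p] for p in self.ports if p in AUTH_PORTS]


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiOS-style key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def sniffer_events(lines: List[str]) -> List[SnifferEvent]:
    """Return one SnifferEvent for every line that runs 'diagnose sniffer packet'."""
    events: List[SnifferEvent] = []
    for line in lines:
        rec = parse_kv(line)
        msg = rec.get("msg", "")
        if "diagnose sniffer packet" not in msg:
            continue
        ui = rec.get("ui", "")
        m = SSH_UI_RE.search(ui)
        events.append(SnifferEvent(
            time=f"{rec.get('date', '?')} {rec.get('time', '?')}",
            user=rec.get("user", "?"),
            source_ip=m.group(1) if m else (ui or "?"),
            ports=tuple(sorted({int(p) for p in PORT_RE.findall(msg)})),
            command=msg.split("run command: ", 1)[-1],
        ))
    return events


def suspicious(events: List[SnifferEvent]) -> List[SnifferEvent]:
    """Keep only captures whose filter names an authentication port; a capture
    on an arbitrary port is more likely routine troubleshooting."""
    return [e for e in events if e.auth_protocols()]


if __name__ == "__main__":
    for e in suspicious(sniffer_events(SAMPLE_LOGS)):
        protos = ", ".join(e.auth_protocols())
        print(f"{e.time} {e.user}@{e.source_ip} sniffed {protos}: {e.command}")
```

Two alerts come out of the constructed sample: the LDAP capture by "admin" and the Kerberos/RADIUS capture by "svc_backup", each with the originating SSH peer address, which is the pivot a responder needs to check against the brute-forcing source ranges. Any sniffer capture on an authentication port from an interactive SSH session is worth a ticket even when the account is legitimate, because the campaign obtains exactly such accounts through credential stuffing.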
“The group does not treat all targets equally,” SOCRadar said. “Instead, goals are ranked according to economic value before exploitation resources are allocated.”
Additionally, the sniffing system includes a geofencing filter that limits operations to specific IP ranges and restricts activity to the hours between 7am and 6pm Moscow time. According to data captured by SpyCloud, the capture cycle related to FortiGate began on May 19, 2026, with the hash cracking infrastructure installed at the end of the month.
“The operation runs in a pipeline of 300-minute (five-hour) cycles, with status changes every minute,” Zenox said. “Each cycle it loads a regional target list […] and performs validation with up to 1,000 simultaneous threads, displaying counters of success, failure, timeouts, and warnings. In the first cycle, the successful verification rate was close to 90%.”
The Brazilian cybersecurity company also said it found that some username and password pairs were repeated across thousands of different IP addresses, raising the possibility that the account was planted by an attacker as a hidden backdoor.
The development comes as a Russian-language account named “SantaAid” advertised access to thousands of Fortinet devices at a starting price of $30,000, which was later increased to $60,000. However, it is unclear whether this is related to the FortiBleed activity.
“The threat group behind ‘FortiBleed’ was not just targeting FortiGate VPN,” SpyCloud said. “They were actually targeting a range of different Internet-facing devices with a standard spray-and-pray attack chain that relies mostly on large-scale scanning and brute-forcing logins.”