A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally.
The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls.
"Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices," SOCRadar said in a fresh report [PDF]. "The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services."
Central to the operation is a Golang-based tool called
that takes advantage of the FortiOS built-in diagnostic command diagnose sniffer packet to passively capture authentication traffic on the compromised appliances. Available in both Windows and Unix builds, the tool monitors traffic across 24 protocols, parses authentication data, and extracts the credentials.
It's suspected that the threat actors may have sought the help of an open-source, AI-native offensive security platform dubbed
to assist with some "parts of the workflow." Interestingly, another open-source framework called CyberStrikeAI was put to use in a separate automated mass scanning campaign targeting FortiGate devices that Amazon Threat Intelligence reported on.
"The campaign shows a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees," SOCRadar explained. "The actor targets multiple sectors and regions, with notable emphasis on the United States and India. The IT services sector appears to be a key target. This targeting choice likely helps the actor maximize downstream access, as compromised service providers can create access paths into customer environments."
Perhaps the most interesting finding is that FortiBleed appears to be part of a broader, multi-vendor initial access operation that's orchestrated to not only target Fortinet devices, but also breach Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers using automated brute-forcing since February 28, 2026.
In all, the attackers are estimated to have launched no fewer than 659 credential-harvesting pipelines between May 31 and June 15, 2026, resulting in the identification of over 110 million credentials. This included -
The FortiBleed campaign takes place over five stages -
"The group does not treat all targets equally," SOCRadar said. "Instead, targets are ranked according to economic value before exploitation resources are allocated."
What's more, the sniffing mechanism includes a geofencing filter that restricts operations to specific IP ranges and limits activity to between 7 a.m. and 6 p.m. Moscow time. According to information shared by SpyCloud, the FortiGate-related capture cycle commenced on May 19, 2026, with the hash-cracking infrastructure set up towards the end of the month.
"The operation runs in a pipeline of 300-minute (five-hour) cycles, with status every minute," Zenox said. "In each cycle it loads a regional target list [...] and validates with 1,000 simultaneous threads, displaying counters of success, failure, timeout, and warning. In the first cycles, the successful validation rate hovered near 90%."
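A defender reading the Moscow-business-hours detail above may want to test their own failed-login telemetry against it. The script below is an added example, not code from any of the vendors cited in this article: it converts UTC event timestamps to Moscow time (UTC+3, with no daylight saving since 2014) and flags sources whose attempts all fall inside 07:00-18:00 MSK. The log format and every event in it are constructed for illustration; the five-event minimum is an assumed threshold.

```python
"""Flag login-failure sources whose activity clusters inside 07:00-18:00 Moscow time.

Added example, not from the article's sources. The event format and all
events below are constructed, not real FortiGate telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MSK = timezone(timedelta(hours=3))  # Moscow has used UTC+3 year-round since 2014
WINDOW_START, WINDOW_END = 7, 18    # 07:00 <= local hour < 18:00, as reported

# Constructed, simplified failed-login events: "<UTC timestamp> <source IP> <result>".
SAMPLE_EVENTS = """\
2026-06-02T04:10:03Z 203.0.113.55 ssl-vpn-login-fail
2026-06-02T05:15:41Z 203.0.113.55 ssl-vpn-login-fail
2026-06-02T09:20:09Z 203.0.113.55 ssl-vpn-login-fail
2026-06-02T12:30:55Z 203.0.113.55 ssl-vpn-login-fail
2026-06-02T14:40:17Z 203.0.113.55 ssl-vpn-login-fail
2026-06-02T23:05:00Z 198.51.100.9 ssl-vpn-login-fail
2026-06-02T15:30:12Z 198.51.100.9 ssl-vpn-login-fail
2026-06-02T08:00:00Z 198.51.100.9 ssl-vpn-login-fail
"""


def parse_events(text):
    """Yield (aware UTC datetime, source IP, result) per non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, result = line.split(" ", 2)
        # fromisoformat only accepts a trailing 'Z' from Python 3.11; normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield when, src, result


def in_moscow_window(when):
    """True if the instant falls between 07:00 and 18:00 Moscow time."""
    local = when.astimezone(MSK)
    return WINDOW_START <= local.hour < WINDOW_END


def working_hours_profile(text, min_events=5):
    """Per source: total failures, failures inside the window, and a flag that is
    set only when every failure from a sufficiently active source is inside it."""
    stats = defaultdict(lambda: {"total": 0, "in_window": 0})
    for when, src, result in parse_events(text):
        if not result.endswith("fail"):
            continue  # only failed attempts feed the brute-force profile
        s = stats[src]
        s["total"] += 1
        if in_moscow_window(when):
            s["in_window"] += 1
    for s in stats.values():
        s["flag"] = s["total"] >= min_events and s["in_window"] == s["total"]
    return dict(stats)


if __name__ == "__main__":
    for src, s in working_hours_profile(SAMPLE_EVENTS).items():
        print(f"{src}: {s['in_window']}/{s['total']} inside MSK window, flag={s['flag']}")
```

A working-hours fit on its own is weak evidence (many legitimate users in UTC+3 produce the same shape), so treat the flag as a triage hint to combine with failure volume and source reputation, not as a verdict.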
The Brazilian cybersecurity company also said it found certain username and password pairs to be repeated across thousands of distinct IP addresses, raising the possibility that the accounts may have been planted by the attacker as a clandestine backdoor entry point.
"The frequency counts were produced by aggregating the username:password column of the actor's own validated-credentials file, all_valid.txt, which is a device-keyed inventory in the format IP:PORT:USERNAME:PASSWORD (one record per firewall, 21,976 records)," Acassio Silva, co-founder and head of threat intelligence at ZenoX, told The Hacker News.
"The same pairs also appear in the actor's input target list EU.txt (the file their Go scanner reloads and re-validates every cycle, also IP:PORT:USER:PASS) and in downstream derivatives (valid_*.txt, matched_targets*, corps.txt, targets_300M_plus.txt, and the loot JSONs). In all_valid.txt, adminin:ITAdmin@888 is present on 3,947 distinct devices; within the EU batch alone (EU.txt, 6,175 records) the same pair appears on 1,562 devices."
The assessment that these pairs could be planted accounts rather than organic credentials stems from three factors: the same credentials being used to validate thousands of unrelated organizations, the absence of passwords from some credential sources ("top200_fortigate.txt"), and the fact that the usernames mimic legitimate Fortinet/FortiCloud services likely in an attempt to blend in with targeted environments.
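The frequency analysis ZenoX describes can be reproduced against any inventory in the IP:PORT:USERNAME:PASSWORD layout. The script below is an added example written for this article, not ZenoX's tooling or data: it splits each record at most three times so passwords containing ":" survive, counts distinct devices per credential pair, and flags pairs that recur across several unrelated address blocks, noting where the username imitates a Fortinet/FortiCloud service name. The sample records, the /24 prefix used as a proxy for "unrelated organizations", the thresholds, and the vendor-name hint list are all assumptions.

```python
"""Aggregate a device-keyed credential inventory and flag pairs reused across many devices.

Added example; not the actor's files or ZenoX's code. Records are constructed.
"""
from collections import defaultdict

# Constructed sample in IP:PORT:USERNAME:PASSWORD layout (one record per firewall).
SAMPLE_RECORDS = """\
203.0.113.10:10443:adminin:ITAdmin@888
203.0.113.11:10443:adminin:ITAdmin@888
198.51.100.7:443:adminin:ITAdmin@888
198.51.100.8:443:forticloud-svc:Sync:2026!
192.0.2.4:8443:forticloud-svc:Sync:2026!
192.0.2.9:8443:forticloud-svc:Sync:2026!
192.0.2.5:8443:jsmith:Winter2026
192.0.2.6:8443:backup_admin:Backup#1
192.0.2.6:8443:adminin:ITAdmin@888
"""

# Assumed substrings suggesting a username chosen to look like a vendor service.
VENDOR_MIMIC_HINTS = ("forti", "fortinet", "forticloud", "fortiguard")


def parse_records(text):
    """Yield (device, username, password). Splitting at most 3 times keeps
    passwords that contain ':' intact; the device key is IP:PORT."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            continue  # malformed record; skip rather than guess
        ip, port, user, pw = parts
        yield f"{ip}:{port}", user, pw


def pair_device_counts(records):
    """Map (username, password) -> set of distinct devices it validated on."""
    seen = defaultdict(set)
    for device, user, pw in records:
        seen[(user, pw)].add(device)
    return seen


def distinct_networks(devices):
    """Crude proxy for unrelated organizations: number of distinct IPv4 /24s."""
    nets = set()
    for device in devices:
        octets = device.rsplit(":", 1)[0].split(".")
        if len(octets) == 4:
            nets.add(".".join(octets[:3]))
    return len(nets)


def flag_planted_candidates(text, min_devices=3, min_networks=2):
    """Return pairs seen on >= min_devices devices spanning >= min_networks /24s,
    most widespread first, each with the reasons it was flagged."""
    flagged = []
    for (user, pw), devices in pair_device_counts(parse_records(text)).items():
        nets = distinct_networks(devices)
        if len(devices) < min_devices or nets < min_networks:
            continue
        reasons = [f"{len(devices)} devices across {nets} /24s"]
        if any(h in user.lower() for h in VENDOR_MIMIC_HINTS):
            reasons.append("username mimics a Fortinet/FortiCloud service")
        flagged.append({"user": user, "password": pw,
                        "devices": sorted(devices), "reasons": reasons})
    flagged.sort(key=lambda f: -len(f["devices"]))
    return flagged


if __name__ == "__main__":
    for f in flag_planted_candidates(SAMPLE_RECORDS):
        print(f"{f['user']}:{f['password']} -> {'; '.join(f['reasons'])}")
```

Run the same aggregation over your own FortiGate admin and local-user lists: an account name that appears verbatim across unrelated tenants or devices, especially one that imitates a vendor service, is a candidate planted backdoor and should be removed rather than merely rotated.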
The development comes as a Russian-speaking account named "
access to thousands of Fortinet devices for a starting price of $30,000, before increasing it to $60,000 hours later. However, it's unclear if this has any connection to the FortiBleed exposure.
"The threat actor group behind 'FortiBleed' was not just targeting FortiGate VPNs," SpyCloud said. "They were actually targeting a range of different internet-facing appliances with a standard spray-and-pray attack chain that relies mostly on mass scanning and brute-forcing logins."
FortiBleed has also been characterized as a campaign using a "credential pipeline that utilizes credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication capture processing," in which "FortiGate access becomes multi-protocol credential extraction, hash cracking, VPN-bound AD/SMB access, and file-share exfiltration."
An important characteristic of the attacks is that they do not rely on any new zero-day vulnerability. Fortinet has noted that the threat actors are likely reusing credentials from previous incidents and brute-forcing devices that have weak passwords and no multi-factor authentication (MFA) enabled.
"Its defining feature is the credential feedback loop: successful perimeter access creates configuration or traffic artifacts; those artifacts produce more credentials and crackable hashes," Arctic Wolf said. "Cracked credentials feed VPN, Kerberos, SMB, and share-access validation, and validated access then supports further collection and exfiltration."
The activity also involves exporting configuration files from internet-facing FortiGate devices and cracking the stored credential hashes, while making use of a custom information-extraction suite called "harvest_orig" that turns passive network captures into "actionable credentials, crackable hashes, web sessions, identity intelligence, and downstream attack inputs."
The Go-based ELF binary, which identifies itself as CyberStrike Harvester v1.5, contains functions for reading pcap, pcapng, and FortiGate text inputs, as well as parser and formatter functions for processing cookies, sessions, and tokens associated with the two dozen protocols.
"The cracking layer is carefully engineered rather than ad-hoc," it added. "A Telegram bot accepts hash input, restricts access by Telegram username, detects hash modes, requests contextual hints, schedules jobs, allocates GPUs, launches multi-stage Hashcat workflows, monitors ETA and progress, and returns cracked results."
"Hashcat modes include NetNTLMv2, FortiGate256, RAKP, MS-SQL, and multiple Kerberos formats. Hashtopolis and a custom HashPanel provide additional distributed cracking management, while setup scripts prepare GPU workers and agent enrollment."
In scenarios where recovered credentials enabled access, the attackers have been found to use authenticated SSL-VPN tunnels to run Impacket tools for Active Directory enumeration, Kerberos validation, SMB authentication, admin-share checks, SMB share spidering, and DFS/SMB collection.
Affected organizations are recommended to rotate credentials, invalidate sessions, audit configuration exports, review SSL-VPN logins, inspect AD and SMB activity from VPN pools, scan for outbound SSH transfer patterns, and review SMB share access logs for bulk recursive reads.
"FortiBleed demonstrates how exposed perimeter credentials can become full internal-network exposure," the company added. "The most important finding is the engineering discipline around the workflow. The operator lab, sniffer panel, CyberStrike Harvester, cleaning scripts, Hashcat/Hashtopolis infrastructure, Kerberos QA tools, domain/folder/revenue enrichment, and SMB/DFS tools form a repeatable system."
Calling the activity an "indiscriminate internet wide sweep," CloudSEK said the toolchain devised by the threat actors feeds a revenue-sorted catalog of remote access targets likely for sale on underground markets. "The directory also contains at least one live SSL VPN configuration file pointing into a victim network, confirming that the operators held usable, active access, not merely a list of cracked passwords," it said.
(The story was updated after publication June 24, 2026, with additional insights from Arctic Wolf, CloudSEK, and Zenox.)