FortiBleed Campaign Harvests 110 Million Credentials Through Attacks On FortiGate Firewalls

A financially motivated, Russian-speaking initial access broker is believed to be behind a massive credential harvesting operation known as FortiBleed, which has targeted more than 430,000 FortiGate firewalls worldwide and resulted in the collection of over 110 million credentials. According to research published by SOCRadar, the campaign has been active since February 2026 and combines internet-wide reconnaissance, credential harvesting, brute-force attacks, password cracking, and post-compromise surveillance to gain access to enterprise environments. Researchers found that the operation relies on collecting credential databases, identifying exposed services, brute-forcing internet-facing systems, and deploying custom traffic sniffers on compromised FortiGate devices. Once installed, these sniffers capture both cleartext credentials and password hashes from network traffic flowing through the affected firewalls. The harvested information is then cracked, validated, and reused to gain access to Active Directory environments and other exposed services. At the center of the campaign is a custom Golang-based utility known as FortigateSniffer, which leverages FortiOS diagnostic commands to passively capture authentication traffic on compromised appliances. Available in both Windows and Unix variants, the tool can monitor 24 different protocols, parse authentication data, and extract usernames, passwords, and hashes from intercepted communications.

Researchers also identified indications that the threat actors may have used an open-source, AI-native offensive security platform known as CyberStrike to support parts of their workflow. SOCRadar noted that the campaign primarily targets small and medium-sized businesses with fewer than 200 employees, with a particular focus on organizations in the United States and India. The IT services sector emerged as one of the most heavily targeted industries because compromised service providers can provide access to their customers' environments. Further analysis revealed that FortiBleed extends beyond Fortinet products and forms part of a larger multi-vendor operation aimed at internet-facing infrastructure. In addition to FortiGate firewalls, the attackers have targeted Synology NAS systems, Sophos firewalls, RDWeb portals, Citrix SSL VPN appliances, and Microsoft SQL servers through automated brute-force attacks. Between May 31 and June 15, 2026 alone, researchers estimate the attackers launched at least 659 credential harvesting pipelines and collected approximately 14.8 million RADIUS credentials, 924,000 NTLM hashes, 130,000 Kerberos hashes, and 89 million MySQL authentication tokens.

The operation follows a structured five-stage process designed to maximize access and monetization opportunities. The attackers begin by conducting large-scale reconnaissance using tools such as Masscan and Shodan to identify internet-facing FortiGate devices. Custom utilities known as FortiProbe-fast and GeoSplit are then used to confirm Fortinet systems and categorize targets by geographic location. Access is obtained using a credential validation tool called forticheck, which targets administrative portals and SSL VPN services through credential stuffing and dictionary-based attacks. Once access is established over SSH, FortigateSniffer is deployed to monitor authentication traffic across a wide range of protocols, including Kerberos, LDAP, SMB, FTP, RDP, WinRM, MySQL, PostgreSQL, and RADIUS. Harvested password hashes are processed using Hashcat and Hashtopolis infrastructure controlled through a Telegram bot called HASHBOT. The recovered credentials are subsequently used for Active Directory enumeration, Kerberos validation, SMB authentication, lateral movement, and data collection from network shares. Researchers also observed the theft of session cookies that allow the attackers to maintain persistent access to compromised environments. SOCRadar stated that the group evaluates victims based on economic value before allocating additional resources to exploitation. The sniffing infrastructure includes geofencing controls and operates primarily during business hours in the Moscow time zone.

Additional investigations by SpyCloud, Arctic Wolf, CloudSEK, and the Brazilian cybersecurity company ZenoX revealed evidence of a highly organized operational framework. ZenoX identified repeated username and password combinations appearing across thousands of distinct devices, raising concerns that some credentials may have been intentionally planted as hidden access mechanisms rather than organically harvested. One credential pair appeared on nearly 4,000 different devices, and researchers noted that the usernames were crafted to resemble legitimate Fortinet and FortiCloud services. Arctic Wolf described the campaign as a sophisticated credential pipeline that combines credential stuffing, password spraying, configuration harvesting, offline password cracking, and post-authentication data extraction. Researchers also discovered a custom tool named CyberStrike Harvester v1.5, capable of processing network captures, cookies, session tokens, authentication artifacts, and credentials across multiple protocols. CloudSEK characterized the campaign as an indiscriminate internet-wide sweep that generates a revenue-ranked catalog of compromised remote access targets, likely intended for sale on underground marketplaces. Fortinet emphasized that the campaign does not rely on any previously unknown vulnerabilities; instead it exploits reused credentials, weak passwords, and systems lacking multi-factor authentication. Security experts recommend that affected organizations immediately rotate credentials, invalidate active sessions, review SSL VPN access logs, inspect Active Directory and SMB activity, audit configuration exports, and monitor for unusual file access behavior to reduce the risk of further compromise.
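Two of the checks above lend themselves to simple triage scripts: hunting for the same account name recurring across a fleet of devices (the ZenoX finding on planted accounts) and spotting credential stuffing in SSL VPN logs (one source failing against many distinct users). The following is an added example, not code from any of the researchers or vendors named in the article; the inventory and log records are constructed, and their field layout is an assumption rather than FortiGate's actual log format.

```python
"""Defender-side triage helpers for two FortiBleed findings: credential pairs
recurring across many devices (possible planted accounts) and credential
stuffing against VPN portals. Added example with constructed data; the
record layouts below are assumptions, not the FortiGate log format."""
from collections import defaultdict

# Constructed admin-account inventory: (device_id, username). Not real data.
ADMIN_ACCOUNTS = [
    ("fw-001", "admin"), ("fw-002", "admin"), ("fw-003", "admin"),
    ("fw-001", "forticloud_svc"), ("fw-002", "forticloud_svc"),
    ("fw-003", "forticloud_svc"), ("fw-004", "forticloud_svc"),
    ("fw-004", "jsmith"),
]

# Constructed SSL VPN auth events: (src_ip, username, result). Not real data.
VPN_EVENTS = [
    ("203.0.113.9", "alice", "fail"), ("203.0.113.9", "bob", "fail"),
    ("203.0.113.9", "carol", "fail"), ("203.0.113.9", "dave", "fail"),
    ("203.0.113.9", "erin", "success"),
    ("198.51.100.4", "alice", "fail"), ("198.51.100.4", "alice", "fail"),
    ("192.0.2.77", "frank", "success"),
]

def cross_device_accounts(accounts, min_devices=3, ignore=("admin",)):
    """Usernames present on at least `min_devices` devices, excluding expected
    built-ins. A vendor-lookalike name that recurs fleet-wide is a candidate
    planted account and should be verified against change records."""
    devices_by_user = defaultdict(set)
    for device, user in accounts:
        devices_by_user[user].add(device)
    return {u: len(d) for u, d in devices_by_user.items()
            if len(d) >= min_devices and u not in ignore}

def spraying_sources(events, min_users=3):
    """Source IPs whose failed logins span at least `min_users` distinct
    usernames: the shape of password spraying / credential stuffing, rather
    than one user mistyping a password repeatedly. Also reports which users
    the same source later authenticated as, so those sessions can be revoked."""
    failed_users = defaultdict(set)
    succeeded = defaultdict(set)
    for src, user, result in events:
        (failed_users if result == "fail" else succeeded)[src].add(user)
    return {src: {"users_tried": len(users), "then_succeeded": sorted(succeeded[src])}
            for src, users in failed_users.items() if len(users) >= min_users}

if __name__ == "__main__":
    print(cross_device_accounts(ADMIN_ACCOUNTS))  # {'forticloud_svc': 4}
    print(spraying_sources(VPN_EVENTS))
```

Any source flagged with a non-empty `then_succeeded` list is a direct candidate for the session invalidation and credential rotation the recommendations call for.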
