The FortiBleed campaign has revealed a technically sophisticated approach that transforms compromised Fortinet FortiGate firewalls from passive network guards into active credential harvesting platforms. Rather than exfiltrating data and moving on, the attackers deploy a custom Golang-based sniffer tool that abuses a legitimate FortiOS diagnostic command — turning each compromised device into a persistent, self-feeding intelligence collection post.
The FortigateSniffer: A Living Off the Land Approach
At the heart of FortiBleed is FortigateSniffer, a custom Golang binary deployed to compromised FortiGate devices after initial admin access is obtained. The tool abuses FortiOS's legitimate built-in diagnose sniffer packet command — a standard packet capture diagnostic present in all FortiGate devices — to intercept authentication traffic traversing the firewall.
Because the sniffer operates through a built-in OS feature rather than injected kernel code, it is harder to detect through file integrity monitoring and blends into legitimate administrative activity in logs.
The sniffer captures credentials from 24 authentication protocols, including:
| Protocol Category | Protocols |
|---|---|
| Directory Services | RADIUS, NTLM, Kerberos, LDAP |
| Remote Access | RDP, SSH, WinRM, Telnet |
| Database | Microsoft SQL Server, MySQL, PostgreSQL |
| Email | SMTP, IMAP, POP3 |
| File Transfer | FTP, SMB |
The Full Processing Pipeline
Captured traffic does not sit idle. The campaign operates a multi-stage automated processing chain:
SNIFTRAN reconstructs raw captured data into PCAP files. A Python PCAP Deep Analysis Toolkit then parses those files to extract cleartext credentials, password hashes, Kerberos tickets, and NTLM authentication material. Outputs are automatically formatted for Hashcat and submitted to a 45-GPU cracking infrastructure (including 36 enterprise-class GPUs) for offline hash cracking.
The operation runs 650+ simultaneous credential-harvesting pipelines in parallel.
Why FortiOS Makes This Easier Than It Should Be
A compounding vulnerability in FortiOS amplifies the campaign's effectiveness. When FortiGate devices are upgraded from older firmware versions, administrator passwords remain stored as weak SHA-256 hashes until an administrator manually logs in post-upgrade — the hash migration is not automatic.
Fortinet only introduced stronger PBKDF2-based password hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1. Organizations that upgraded to these versions but whose administrators have not yet logged in remain exposed to rapid offline cracking of the SHA-256 hashes captured by FortigateSniffer.
Self-Sustaining Credential Loop
The campaign architecture is designed to be self-sustaining. Credentials captured by FortigateSniffer from network authentication traffic are fed back into the campaign's initial access scanners, which use them to attempt compromise of additional FortiGate devices — creating a recursive credential harvesting loop that expands the campaign's reach without requiring manual operator intervention.
This design produced 1.16 billion credential attempts against 320,000+ FortiGate targets and more than 2.1 billion brute-force attempts against 160,000+ MSSQL servers during the campaign's documented runtime.
Post-Exploitation: Nation-State Level Tooling
After initial credential harvest, the FortiBleed operators conduct targeted post-exploitation using tools previously associated with sophisticated threat actors:
- Chisel — TCP/UDP tunnel over HTTP for covert lateral movement
- Neo-reGeorg — web shell-based tunneling framework
- Active Directory lateral movement via cracked NTLM hashes and Kerberos tickets
- Persistent access via stolen session cookies
Both Chisel and Neo-reGeorg have appeared in prior Volt Typhoon state-sponsored campaigns, though definitive attribution of FortiBleed to any specific state remains unconfirmed.
June 15, 2026 incident: The campaign successfully cracked Kerberos hashes from a NATO-aligned defense contractor and exfiltrated DFS backup data — the highest-profile confirmed post-exploitation event in the campaign to date.
Indicators of Compromise
| Indicator | Detail |
|---|---|
| Unexpected diagnose sniffer packet activity | Legitimate command being abused for persistent sniffing |
| New/unknown admin accounts | Created post-compromise for persistence |
| Disabled audit logging | Common attacker step to reduce forensic visibility |
| Chisel / Neo-reGeorg artifacts | Post-exploitation tunneling tools |
| Unusual outbound traffic patterns | Credential exfiltration to 260+ attacker-controlled servers |
Detection and Response
Huntress noted that many organizations lack visibility into what is happening on their FortiGate devices, not just through them. Recommendations from SOCRadar, Arctic Wolf, and Fortinet's own June 22 advisory:
- Treat any exposed device as fully compromised and rebuild from a known-good state if indicators are found
- Rotate all credentials — admin accounts, SSL VPN users, and any downstream service accounts that authenticate through the compromised device
- Review syslog and event logs for diagnose sniffer packet invocations, new admin account creation, authentication failures, and configuration changes
- Upgrade FortiOS to 7.2.11, 7.4.8, or 7.6.1 and manually log in as each administrator to trigger the PBKDF2 hash migration
- Disable public management interface exposure — FortiGate management should never be accessible from the internet
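One way to implement the log review step above, as an added example that is not part of the original article or of any vendor tooling: a small Python triage script that runs the three log-based indicators from the IoC table (sniffer invocations, new admin accounts, disabled logging) over constructed FortiGate-style key="value" event lines. The field names (logdesc, cfgpath, cfgattr, msg) follow the general FortiOS event-log layout, but the sample values, and whether your FortiOS build records diagnose invocations in the event log at all rather than only in CLI audit or SSH session recordings, are assumptions; map the rules onto whatever log source you actually have.

```python
"""Triage FortiGate-style event logs for the FortiBleed indicators named above."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample log lines (not real FortiOS output). The layout mimics
# FortiOS key="value" syslog; logdesc/msg strings are assumptions.
SAMPLE_LOG = """\
date=2026-06-15 time=09:01:12 devname="fw-edge-1" type="event" subtype="system" level="notice" logdesc="Admin login successful" user="admin" ui="ssh(10.0.0.5)" msg="Administrator admin logged in successfully from ssh(10.0.0.5)"
date=2026-06-15 time=09:01:40 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Command executed" user="admin" ui="ssh(10.0.0.5)" msg="diagnose sniffer packet any 'port 389 or port 88' 6 0 a"
date=2026-06-15 time=09:02:03 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="ssh(10.0.0.5)" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="password[*]" msg="Add system.admin svc_backup"
date=2026-06-15 time=09:02:30 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="ssh(10.0.0.5)" cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"
date=2026-06-15 time=10:15:00 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Command executed" user="netops" ui="ssh(10.0.0.9)" msg="diagnose sniffer packet port1 'host 10.1.2.3' 4 10"
"""

# Well-known ports for the authentication protocols the sniffer harvests.
AUTH_PORTS = {
    88: "Kerberos", 389: "LDAP", 636: "LDAPS", 1812: "RADIUS",
    22: "SSH", 23: "Telnet", 3389: "RDP", 5985: "WinRM",
    1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
    25: "SMTP", 143: "IMAP", 110: "POP3", 21: "FTP", 445: "SMB",
}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    time: str
    user: str
    rule: str
    severity: str
    detail: str


def parse_line(line: str) -> dict:
    """Turn a key=value / key="value" syslog line into a dict."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def classify_sniffer(msg: str) -> tuple[str, str]:
    """Rate a 'diagnose sniffer packet' command.

    FortiOS syntax: diagnose sniffer packet <iface> ['filter'] [verbose] [count] [ts].
    A missing count or a count of 0 runs until stopped, which is the
    persistent-capture pattern rather than a short troubleshooting grab.
    """
    args = shlex.split(msg)[3:]            # drop 'diagnose sniffer packet'
    iface = args[0] if args else "?"
    rest = args[1:]
    filt = ""
    if rest and not rest[0].isdigit():     # a non-numeric token is the BPF filter
        filt, rest = rest[0], rest[1:]
    count = rest[1] if len(rest) > 1 else "0"   # rest = [verbose, count, ts]
    unlimited = not count.isdigit() or int(count) == 0
    hit = sorted({AUTH_PORTS[int(p)] for p in re.findall(r"\bport (\d+)", filt)
                  if int(p) in AUTH_PORTS})
    severity = "high" if unlimited or hit else "low"
    detail = f"iface={iface} count={'unlimited' if unlimited else count}"
    if hit:
        detail += " auth_protocols=" + ",".join(hit)
    return severity, detail


def triage(log_text: str) -> list[Finding]:
    """Apply the three log-based indicators to every line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        when = f"{ev.get('date', '')} {ev.get('time', '')}".strip()
        user = ev.get("user", "?")
        msg = ev.get("msg", "")
        cfgpath = ev.get("cfgpath", "")
        cfgattr = ev.get("cfgattr", "")
        if msg.startswith("diagnose sniffer packet"):
            sev, detail = classify_sniffer(msg)
            findings.append(Finding(when, user, "sniffer_invocation", sev, detail))
        elif cfgpath == "system.admin" and msg.startswith("Add "):
            findings.append(Finding(when, user, "new_admin_account", "high", ev.get("cfgobj", "?")))
        elif cfgpath.startswith("log.") and "enable->disable" in cfgattr:
            findings.append(Finding(when, user, "logging_disabled", "high", cfgpath))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.time} [{f.severity:4}] {f.rule:<20} user={f.user} {f.detail}")
```

The sniffer rule separates a short, filtered capture (finite count, no authentication ports) from an open-ended one aimed at LDAP or Kerberos traffic, which is what the campaign's persistent harvesting looks like in the log. Treat a high-severity sniffer hit together with a new admin account or disabled logging in the same session as the "rebuild from known-good" trigger the guidance above describes.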
The FortiBleed dataset of 86,644 verified credentials began circulating in criminal underground forums as of mid-June 2026. CISA issued a hardening advisory on June 18. Organizations in telecom, government, banking, healthcare, and critical infrastructure sectors are most heavily represented in the leaked data.