Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. FortiBleed: 5-Stage Attack Chain Behind 110 Million Credential Heist on FortiGate Firewalls
FortiBleed: 5-Stage Attack Chain Behind 110 Million Credential Heist on FortiGate Firewalls
NEWS

FortiBleed: 5-Stage Attack Chain Behind 110 Million Credential Heist on FortiGate Firewalls

Deep analysis of the FortiBleed operation reveals a sophisticated five-stage credential harvesting pipeline — custom Golang sniffers, Telegram-based...

Dylan H.

News Desk

June 24, 2026
5 min read

Newly surfaced technical intelligence on the FortiBleed credential-harvesting campaign reveals a far more engineered operation than previously reported. What began as a story about massive scale — 430,000 FortiGate firewalls and 110 million stolen credentials — turns out to involve a purpose-built five-stage attack framework deployed by a Russian-speaking initial access broker (IAB), with custom tooling at every phase.

The Five-Stage FortiBleed Chain

Stage 1: Precision Reconnaissance

The campaign opens with automated scanning infrastructure designed to isolate high-value targets:

  • Masscan and Shodan for internet-wide FortiGate discovery
  • FortiProbe-fast — a custom tool that fingerprints firmware versions and identifies unpatched devices
  • GeoSplit — filters targets by country and ASN to align with buyer demand

Scans operate on 300-minute operational cycles with up to 1,000 simultaneous validation threads, and activity is restricted to 07:00–18:00 Moscow Time — a strong indicator of a disciplined, professionally-run operation.

Stage 2: Initial Compromise

No zero-days. The IAB leverages pure credential force:

  • "forticheck" — a custom credential-stuffing tool targeting FortiGate SSH admin panels
  • Dictionary attacks against default admin accounts
  • Credential stuffing using curated dumps from previous enterprise breaches

The estimated ~90% initial success rate against targeted devices reflects how many organizations still run unprotected admin interfaces or default credentials on perimeter appliances.

Stage 3: In-Memory Credential Capture

The campaign's technical crown jewel: FortigateSniffer, a Golang-based packet capture agent deployed using FortiGate's own native diagnostic CLI commands. Once installed, it monitors 24 authentication protocols simultaneously:

Protocol CategoryProtocols Captured
Windows AuthNTLM, Kerberos, RPC, SMB, LDAP, WinRM
MailSMTP
Remote AccessTelnet, RDP, FTP
DatabaseMS-SQL, MySQL, PostgreSQL
Network AuthRADIUS, TACACS+

This broad protocol coverage means the sniffer doesn't just steal FortiGate credentials — it intercepts all authentication traffic transiting the firewall, yielding credentials for backend systems, domain controllers, databases, and email servers in a single sweep.

Credential Harvest Breakdown

TypeVolume
MySQL authentication tokens89 million
RADIUS credentials14.8 million
NTLM hashes924,000
Kerberos hashes130,000

Stage 4: Automated Hash Cracking

Harvested hashes are piped directly into a Telegram bot called HASHBOT, which orchestrates cracking jobs across a distributed fleet:

  • Hashmat — custom orchestration layer
  • Hashtopolis — distributed hash cracking management
  • Hashcat — GPU-accelerated cracking

Supported hash modes include NetNTLMv2, FortiGate256, RAKP (IPMI), MS-SQL, and Kerberos TGS hashes. The Telegram interface allows the operator to submit jobs and receive cracked plaintext passwords asynchronously, keeping the infrastructure modular and resilient.

Stage 5: Lateral Movement and Monetization

Cracked credentials feed directly into post-exploitation:

  • Impacket — used for Active Directory enumeration, SMB authentication, and data exfiltration
  • Access packaging — validated accesses are graded by organization type (enterprise, government, MSP) and listed on Russian-language criminal markets at $30,000–$60,000 per target

659 credential-harvesting pipelines were observed active at peak operation (May 31 – June 15, 2026).

Scope of Targets

FortiGate is not the only target. The same infrastructure has been directed at:

  • Synology NAS devices
  • Sophos firewalls
  • Citrix SSL-VPN gateways
  • RDWeb portals
  • MS-SQL servers directly exposed to the internet

Why This Matters for Enterprise Defenders

The FortiBleed operation demonstrates that high-volume IAB campaigns have evolved well beyond simple credential stuffing. Purpose-built tools like FortigateSniffer — deployed via legitimate diagnostic APIs — represent a significant detection evasion advantage: no external malware signature, no unusual process, just native diagnostic traffic.

Detection Signals

Look for these indicators in FortiGate and network logs:

# Suspicious FortiGate CLI activity
diag sniffer packet any 'host x.x.x.x' 6   # Diagnostic sniff to external host
diag debug flow filter                       # Unexpected debug sessions
exec log display                             # Bulk log reads

# Network-level indicators
- Outbound SSH to non-managed hosts from FortiGate mgmt interface
- RADIUS/Kerberos traffic captured and forwarded to external IPs
- Auth logs showing 1,000+ parallel login attempts in < 5 minutes

Prioritized Response Actions

PriorityAction
CriticalEnable MFA on SSL-VPN — invalidates stolen plaintext credentials immediately
CriticalPatch FortiOS to latest stable — eliminate known auth bypass vectors
HighRotate all admin and VPN credentials site-wide
HighAudit FortiGate diagnostic command history (diagnose debug logs)
HighReview AD for new accounts created via Impacket (atypical SAM-Account-Name patterns)
MediumGeo-restrict admin panel access to known management IP ranges
MediumMonitor RADIUS/Kerberos traffic for lateral exfiltration patterns

Attribution

The actor — possibly operating under the alias "SantaAd" on Russian criminal forums — shows hallmarks of a mature, well-resourced IAB: Moscow business-hours operations, geofenced targeting aligned with buyer demand, and a modular toolchain that limits exposure if any single component is burned.

No nation-state affiliation has been identified. The operation is assessed as purely financially motivated, with harvested accesses serving as raw material for downstream ransomware deployments by groups including Fog, BlackSuit, and similar affiliates.

Sources

  • The Hacker News — FortiBleed Campaign Full Analysis
  • Fortinet PSIRT Advisory Portal

Related Coverage

  • FortiBleed Campaign Used Custom FortiGate Sniffer to Steal Credentials
  • CISA Warns Fortinet Users to Secure Devices After FortiBleed Leak
  • Ransomware Gang Exploits Cisco Flaw in Zero-Day Attacks
#Fortinet#FortiGate#Russia#Credential Theft#Initial Access Broker#Threat Intelligence#Active Directory

Related Articles

FortiBleed: Russian IAB Harvested 110 Million Credentials from 430,000 FortiGate Firewalls

A financially motivated Russian-speaking initial access broker behind the FortiBleed campaign has been systematically harvesting credentials from over...

5 min read

AI-Armed Amateur Hacker Compromises 600+ FortiGate

Amazon's threat intelligence team has documented how a Russian-speaking, financially motivated actor used multiple commercial generative AI tools to...

4 min read

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

SOCRadar uncovered FortiBleed — a large-scale credential-harvesting campaign targeting 11,250 FortiGate portals across 150+ countries, resulting in 110...

3 min read
Back to all News