FortiBleed Unleashed: How a Silent Firewall Weapon Harvested 110 Million Credentials Across the Globe
Introduction: When Security Devices Become the Attackers
Firewalls are designed to stand between organizations and cybercriminals, acting as the first line of defense against intrusions. But what happens when the very devices trusted to protect critical infrastructure are transformed into espionage tools? A newly uncovered cyber campaign known as FortiBleed demonstrates exactly how devastating that scenario can become.
According to threat intelligence researchers, a financially motivated threat actor has compromised hundreds of thousands of FortiGate firewalls worldwide and converted them into large-scale credential collection platforms. Instead of deploying noisy ransomware or destructive malware, the attackers chose a far more profitable and stealthy approach: silently harvesting credentials from network traffic. The campaign has reportedly collected more than 110 million credentials since February 2026, making it one of the most significant credential theft operations ever documented.
The scale, sophistication, and patience displayed by the operators reveal a cybercriminal ecosystem that increasingly values access and intelligence over immediate disruption. By exploiting trusted infrastructure and leveraging native firewall functionality, the attackers managed to remain hidden while gathering a treasure trove of authentication data from organizations across multiple industries and countries.
FortiBleed Overview: A Credential Harvesting Machine
The FortiBleed campaign revolves around a custom Golang-based tool known as FortigateSniffer (fg_sniffer). Unlike traditional malware families that rely on malicious binaries, rootkits, or ransomware payloads, this tool takes advantage of legitimate FortiOS diagnostic functionality.
The attackers weaponized the built-in diagnose sniffer packet command, effectively turning compromised firewalls into passive surveillance devices. Rather than actively attacking endpoints, FortigateSniffer quietly listens to network traffic flowing through the firewall.
This method allows threat actors to gather authentication information without generating the types of suspicious behaviors commonly detected by endpoint security products.
Turning Network Traffic into Stolen Credentials
FortigateSniffer was engineered to monitor and capture authentication traffic across an extensive list of enterprise protocols.
Among the protocols reportedly targeted are:
NTLM
Kerberos
RADIUS
SMB
RDP
And more than 20 additional authentication mechanisms
Once traffic is captured, a proprietary component called SNIFTRAN converts terminal output into standard PCAPNG packet capture files.
These files are then processed through a dedicated packet analysis framework capable of extracting:
Cleartext credentials
NTLMv2 hashes
Kerberos tickets
Session cookies
Authentication tokens
This workflow transforms ordinary firewall traffic into highly valuable access data that can later be sold, reused, or weaponized during future attacks.
Evidence Suggesting Russian-Speaking Operators
Researchers discovered Cyrillic-language comments embedded within portions of the toolset alongside a Russian-language interface.
While language indicators alone are not sufficient for definitive attribution, they suggest that the operators may originate from a Russian-speaking environment or intentionally mimic one.
Threat intelligence analysts believe the campaign may be linked to:
Initial Access Brokers (IABs)
Financially motivated cybercriminal organizations
Ransomware affiliates
Potential state-aligned cyber ecosystems
The operation demonstrates a level of organization and discipline typically associated with mature threat groups.
Advanced Evasion Techniques Kept the Campaign Hidden
One of the most alarming aspects of FortiBleed is the attention paid to operational security.
The malware incorporates multiple mechanisms designed to reduce the likelihood of detection.
GeoIP Filtering
The tool selectively activates based on geographic criteria, reducing unnecessary exposure and limiting traffic collection to desired regions.
Business-Hour Activity
Rather than running continuously, network sniffing reportedly occurs between 07:00 and 18:00 Moscow Time.
This schedule helps the attackers blend malicious activity into normal enterprise traffic patterns and avoid the alerts that unusual after-hours network activity often triggers.
Selective Victim Targeting
The threat actors did not rely solely on random opportunistic attacks. Internal scripts were allegedly used to evaluate company revenue and determine whether a target justified additional effort.
This demonstrates a business-oriented approach where cybercrime operations are managed similarly to investment portfolios.
The Five-Phase FortiBleed Attack Lifecycle
Phase 1: Reconnaissance
The attackers begin by scanning the internet for exposed FortiGate devices using tools such as:
Masscan
Shodan-based reconnaissance frameworks
FortiProbe-fast classification systems
Targets are categorized and prioritized according to potential financial value.
Phase 2: Initial Access
The group reportedly relies on:
SSH brute-force attacks
Credential stuffing
Massive credential combination databases
These efforts resulted in more than 237,000 functioning administrator credentials.
Phase 3: Deployment
After obtaining access, operators install FortigateSniffer on vulnerable or compromised devices.
The firewall immediately begins collecting authentication-related traffic.
Phase 4: Lateral Movement
Captured hashes and authentication artifacts are sent to cracking infrastructure powered by Hashcat GPU clusters.
Researchers report that a Telegram-based management system assists with coordinating and scaling cracking operations.
Successful credential recovery enables movement throughout enterprise environments, including Active Directory domains.
Phase 5: Data Exfiltration
In the final phase, attackers steal files directly from victim environments.
Instead of storing data locally first, they reportedly transfer Distributed File System (DFS) shares directly to attacker-controlled SSH infrastructure.
This method minimizes forensic traces and accelerates exfiltration.
Why Small and Mid-Sized Businesses Were Hit Hardest
One particularly revealing aspect of the campaign is the victim profile.
Organizations employing between 51 and 200 workers accounted for more than 42% of identified victims.
These businesses often occupy a dangerous middle ground:
Large enough to deploy enterprise-grade security products
Small enough to lack dedicated Security Operations Centers (SOCs)
Frequently dependent on outsourced IT resources
Limited budgets for continuous threat monitoring
Attackers recognize this imbalance and increasingly target such organizations because they offer attractive returns with lower defensive resistance.
Global Impact and Industry Exposure
Researchers identified:
23,406 unique domains affected
80,553 heavily compromised FortiGate appliances
The highest victim concentrations were reportedly observed in:
India
United States
The IT services industry was among the most targeted sectors.
This focus provides attackers with a strategic advantage because compromising a managed service provider or IT consulting company can create pathways into numerous customer networks simultaneously.
The ripple effect dramatically increases the value of each successful compromise.
Indicators of Compromise and Threat Intelligence Artifacts
Several infrastructure indicators were associated with the operation:
Associated file hashes include:
All indicators remain intentionally defanged to prevent accidental execution or resolution.
Deep Analysis: Detection, Hunting, and Incident Response Commands
Linux-Based Investigation
sudo netstat -tulpn
sudo ss -antp
sudo lsof -i
sudo tcpdump -i any
sudo journalctl -xe
sudo grep -r "sniffer" /var/log/
sudo find / -name "fg_sniffer*"
sudo ps aux | grep sniff
sudo crontab -l
sudo systemctl list-units
sudo lastlog
sudo who
sudo iptables -L
sudo nft list ruleset
sudo auditctl -l
sudo ausearch -k network
sudo sha256sum suspicious_file
Windows-Based Investigation
netstat -ano
tasklist
Get-Process
Get-Service
Get-WinEvent -LogName Security
Get-NetTCPConnection
Get-ScheduledTask
Get-LocalUser
Get-FileHash suspicious.exe
wevtutil qe Security
Threat Hunting Priorities
Audit all FortiGate administrator accounts.
Search for unauthorized packet capture activity.
Review SSH login history.
Investigate VPN authentication anomalies.
Rotate privileged credentials.
Enable MFA wherever possible.
Monitor unusual SMB and RDP authentication patterns.
Validate firewall firmware integrity.
Compare configurations against approved baselines.
Review outbound SSH communications.
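As an added example (not code from the article or from the cited report), the following Python hunts over constructed FortiOS-style event logs for the two behaviours the campaign relies on: executed diagnose sniffer packet commands, checked against the reported 07:00-18:00 Moscow Time window, and bursts of failed admin logins from a single source, which is the brute-force signal behind Phase 2. The key=value layout, the field names (logdesc, ui, msg), the UTC timestamps and the 203.0.113.77 source address are all assumptions, not values taken from a real device.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

MSK = timezone(timedelta(hours=3))  # Moscow Time (UTC+3), the zone of the reported 07:00-18:00 window
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # FortiOS-style key=value pairs, quoted or bare
UI_SOURCE = re.compile(r'\w+\((.+)\)')  # ui="ssh(203.0.113.77)" -> 203.0.113.77
# Constructed sample lines in FortiOS key=value style; field names (logdesc, ui, msg) are assumed
# and 203.0.113.77 is a documentation address standing in for an attacker source.
SAMPLE_LOGS = [
    'date=2026-03-02 time=05:10:14 logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.77)" msg="Login failed"',
    'date=2026-03-02 time=05:10:15 logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.77)" msg="Login failed"',
    'date=2026-03-02 time=05:10:16 logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.77)" msg="Login failed"',
    'date=2026-03-02 time=05:10:17 logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.77)" msg="Login successful"',
    'date=2026-03-02 time=05:11:02 logdesc="Command execution" user="admin" ui="ssh(203.0.113.77)" msg="diagnose sniffer packet any \\"port 445 or port 88\\" 6"',
    'date=2026-03-02 time=20:30:00 logdesc="Command execution" user="netops" ui="ssh(10.0.0.5)" msg="diagnose sniffer packet wan1 \\"host 10.0.0.9\\" 4"',
]

def parse(line):
    """Split one key=value log line into a dict, stripping quotes and unescaping backslash-quote in values."""
    return {k: v.strip('"').replace('\\"', '"') for k, v in FIELD.findall(line)}

def source_of(rec):
    """Extract the client address from the ui field, e.g. ssh(203.0.113.77)."""
    m = UI_SOURCE.match(rec.get("ui", ""))
    return m.group(1) if m else rec.get("ui", "?")

def event_time_utc(rec):
    # Sample timestamps are assumed to be UTC; a real device logs in its configured zone.
    return datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def in_moscow_business_hours(dt_utc):
    """True when the event falls inside 07:00-18:00 Moscow Time."""
    return 7 <= dt_utc.astimezone(MSK).hour < 18

def find_sniffer_commands(lines):
    """List every executed 'diagnose sniffer packet' command with user, source and Moscow-time context."""
    hits = []
    for rec in map(parse, lines):
        if rec.get("logdesc") == "Command execution" and rec.get("msg", "").startswith("diagnose sniffer packet"):
            t = event_time_utc(rec)
            hits.append({"user": rec["user"], "source": source_of(rec), "filter": rec["msg"],
                         "msk_time": t.astimezone(MSK).strftime("%H:%M"),
                         "in_business_hours": in_moscow_business_hours(t)})
    return hits

def login_failure_bursts(lines, threshold=3):
    """Count failed admin logins per source; sources at or above the threshold suggest brute force."""
    fails = Counter(source_of(rec) for rec in map(parse, lines) if rec.get("logdesc") == "Admin login failed")
    return {src: n for src, n in fails.items() if n >= threshold}
```

A sniffer command from an address that also produced a login-failure burst, inside the Moscow business-hour window, is the combination worth escalating first.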
What Undercode Say:
The FortiBleed campaign represents a dangerous evolution in cybercrime strategy. Rather than encrypting systems and demanding ransom immediately, attackers are focusing on long-term credential collection. This shift reflects the growing value of access in underground markets: compromised credentials often generate greater long-term profits than a single ransomware payment.
The use of legitimate FortiOS functionality is particularly concerning. Many security teams focus on detecting malware binaries, while fewer organizations actively monitor administrative packet-sniffing activity. That creates a blind spot.
The campaign highlights the risk of trusted infrastructure abuse. Firewalls traditionally occupy a privileged position inside enterprise networks, and once compromised they provide visibility into nearly everything.
The attackers demonstrated patience, which is frequently a hallmark of mature threat operations. Their business-hour scheduling indicates operational discipline, and the revenue-ranking scripts reveal a highly commercialized model. This was not random hacking; this was calculated cyber investment. The attackers appear to understand organizational economics: targets were selected according to potential return on investment, an approach that mirrors legitimate business planning.
Credential theft remains one of the most effective cyberattack methods. Organizations continue to rely heavily on passwords, and even advanced environments still expose authentication traffic.
The campaign also demonstrates the growing overlap between ransomware groups and access brokers. Access itself has become a commodity: one group steals credentials, another sells them, and a third launches ransomware. This specialization increases efficiency, and it also increases attack volume.
The use of GPU-powered cracking clusters indicates industrial-scale operations. Threat actors now possess computing resources once reserved for large enterprises.
The reported targeting of IT service providers is especially strategic. Compromising one provider can open access to dozens or hundreds of downstream customers, and supply-chain style attacks remain among the highest-impact threats.
FortiBleed should serve as a warning. Security appliances are not automatically secure, and organizations must treat firewalls as critical endpoints. Continuous monitoring is no longer optional, and credential protection must become a board-level priority. The future battlefield is increasingly centered around identity: who controls credentials ultimately controls the network.
✅ The campaign description aligns with modern credential-harvesting tactics that prioritize access theft over immediate disruption.
✅ Abuse of legitimate administrative and diagnostic functionality is a well-documented technique used by advanced threat actors to evade traditional security controls.
✅ Targeting authentication protocols such as NTLM, Kerberos, SMB, and RDP is consistent with real-world enterprise intrusion methodologies because these protocols frequently provide opportunities for privilege escalation and lateral movement.
❌ The reported attribution to Russian-speaking actors remains unconfirmed because language artifacts alone do not constitute definitive evidence of origin or sponsorship.
Prediction
(+1) Identity-focused cyber operations will continue growing through 2027 as stolen credentials become more valuable than ransomware encryption alone. 🔐📈
(+1) Security vendors will likely introduce enhanced monitoring for firewall diagnostic commands and packet-capture activity following increased awareness of campaigns similar to FortiBleed. 🛡️🚀
(+1) More organizations will deploy phishing-resistant authentication technologies such as hardware security keys and passwordless login systems. 🔑
(-1) Mid-sized companies without dedicated security operations teams may remain attractive targets because they often lack continuous monitoring capabilities. ⚠️
(-1) Initial Access Brokers will likely expand their role in the cybercrime economy, creating larger underground marketplaces for stolen enterprise credentials. 📉
(-1) Organizations that continue relying solely on perimeter defenses without identity protection strategies may face significantly higher breach risks in the coming years. 🚨
References:
Reported By: cyberpress.org