
Introduction
Cybercrime has evolved far beyond isolated hacking attempts. Modern threat actors now operate with industrial efficiency, building automated ecosystems capable of harvesting millions of credentials across multiple technologies and regions simultaneously. A newly uncovered operation known as FortiBleed demonstrates just how sophisticated these campaigns have become.
Security researchers have revealed a massive credential-harvesting operation believed to be orchestrated by a financially motivated Russian-speaking Initial Access Broker (IAB). Since early 2026, the campaign has allegedly targeted more than 430,000 internet-facing FortiGate firewalls worldwide, collecting authentication data on an unprecedented scale. What makes FortiBleed particularly alarming is not just the volume of compromised systems, but the highly organized infrastructure behind it, including custom malware, credential-cracking pipelines, automated reconnaissance systems, geofencing controls, and large-scale access monetization.
The operation highlights a growing trend in cybercrime where attackers focus less on immediate ransomware deployment and more on harvesting credentials that can later be sold, reused, or leveraged to gain access into larger enterprise networks. Researchers believe the campaign may represent one of the most extensive credential-collection ecosystems observed in recent years.
FortiBleed Campaign Overview
FortiBleed is a large-scale credential theft operation designed to compromise Fortinet FortiGate devices and silently collect authentication information flowing through them. Unlike traditional malware that immediately disrupts operations, this campaign focuses on stealth, persistence, and long-term access generation.
Researchers assess that the threat actor behind FortiBleed operates primarily for financial gain. The harvested credentials can be sold on underground markets, used to compromise corporate environments, or leveraged to expand access deeper into victim infrastructures.
The campaign has reportedly remained active since February 2026 and has expanded far beyond Fortinet products, demonstrating characteristics of a mature access-broker operation.
The Rise of Initial Access Brokers
Initial Access Brokers have become a critical component of the cybercrime ecosystem. Rather than conducting ransomware attacks themselves, these groups specialize in obtaining network access and selling it to other criminal organizations.
FortiBleed appears to fit this model perfectly.
Instead of immediately exploiting victims after compromise, attackers focus on gathering usernames, passwords, hashes, authentication tokens, and session cookies. These assets become valuable commodities that can later be purchased by ransomware gangs, espionage actors, or financially motivated cybercriminals.
The business model is simple yet extremely profitable: compromise thousands of systems, harvest credentials, and monetize access repeatedly.
Custom Tooling Behind the Operation
At the center of the campaign sits a custom Golang-based utility known as FortigateSniffer.
The tool reportedly abuses native diagnostic functionality already present within FortiOS. FortiOS ships with a built-in packet capture (exposed through the diagnose sniffer packet CLI command and the GUI packet-capture page), so an attacker holding administrative access can observe traffic passing through a compromised device without deploying additional malware that might trigger traditional security alerts.
FortigateSniffer was engineered to monitor authentication traffic across numerous protocols, automatically parsing captured communications and extracting credential information.
Because the activity relies on legitimate system functionality, detection becomes significantly more difficult.
Capturing Credentials at Scale
Once deployed, FortigateSniffer begins monitoring a broad range of enterprise authentication protocols.
These reportedly include:
Kerberos Authentication
Kerberos pre-authentication and ticket exchanges captured on the wire can be attacked offline to recover user passwords, which is why the reported haul includes Kerberos hashes alongside cleartext credentials.
LDAP Communications
LDAP simple binds send the password in the clear unless the session is protected by TLS (LDAPS or StartTLS), exposing the directory service accounts used for authentication workflows.
SMB Sessions
SMB authentication carries NTLM challenge-response exchanges that can be cracked offline, matching the NTLM hashes reported below; it also exposes credentials used for file sharing and network resource access.
RADIUS Authentication
Organizations frequently use RADIUS for VPN, Wi-Fi, and network-device authentication. PAP hides the password only with the shared secret, and CHAP or MS-CHAPv2 responses can be cracked offline, making RADIUS a valuable target.
Database Authentication
MySQL, PostgreSQL, and Microsoft SQL Server login handshakes are also monitored, potentially exposing sensitive administrative accounts, particularly where the connection is not encrypted.
Remote Access Services
Protocols such as RDP, WinRM, FTP, Telnet, SMTP, and TACACS+ reportedly fall within the collection scope; FTP, Telnet, and unencrypted SMTP AUTH transmit credentials in plaintext.
Researchers report that the tool parses twenty-four authentication protocols in all; the groups above cover the most common ones. Collecting across that many protocols significantly expands the credentials an attacker can harvest from a single vantage point.
More Than Just Fortinet Devices
One of the most significant discoveries is that FortiBleed appears to be part of a much larger multi-vendor operation.
Researchers found evidence suggesting automated attacks against:
Fortinet FortiGate Firewalls
Synology NAS Devices
Sophos Firewalls
RDWeb Portals
Citrix SSL-VPN Systems
Microsoft SQL Servers
This broader targeting strategy indicates that the operation is not focused on exploiting a single vendor weakness. Instead, it seeks any internet-facing infrastructure capable of providing access to enterprise environments.
Such diversification increases profitability while reducing reliance on any individual technology platform.
Massive Credential Harvesting Numbers
The scale of credential collection attributed to FortiBleed is staggering.
Researchers estimate that hundreds of credential-harvesting pipelines were active during late May and mid-June 2026.
The operation reportedly identified over 110 million credentials and authentication artifacts.
Among the collected data were:
14.8 million RADIUS credentials
924,000 NTLM hashes
130,000 Kerberos hashes
89 million MySQL authentication tokens
These figures illustrate the industrial nature of the campaign.
Rather than targeting a handful of organizations, attackers appear to be harvesting credentials at internet scale.
Five Stages of the FortiBleed Attack Chain
Stage One: Global Reconnaissance
The campaign begins with extensive internet scanning.
Attackers reportedly leverage tools such as Masscan and Shodan to identify exposed FortiGate appliances worldwide.
Custom filtering utilities then organize discovered targets by country and region.
Stage Two: Credential Attacks
After identifying targets, attackers launch credential stuffing and brute-force attacks.
Custom software focuses specifically on FortiGate administrative interfaces and SSL-VPN portals.
Successful compromises grant administrative-level access.
Stage Three: Traffic Interception
Once access is established, FortigateSniffer is deployed.
The tool passively captures authentication traffic flowing through the compromised firewall infrastructure.
Credentials, hashes, and authentication artifacts are silently collected.
Stage Four: Hash Cracking Operations
Captured password hashes are transferred into cracking environments.
Researchers observed the use of dedicated cracking frameworks alongside Telegram-based automation systems that coordinate the process.
Successfully cracked credentials are then validated and categorized.
Stage Five: Lateral Movement and Data Theft
Validated credentials are reused against enterprise services.
Attackers move laterally through victim networks, enumerate Active Directory environments, and exfiltrate sensitive data.
Session cookies are reportedly leveraged to maintain persistent authenticated access even after passwords change.
Geofencing and Operational Discipline
Unlike many opportunistic cybercrime campaigns, FortiBleed demonstrates remarkable operational discipline.
Researchers identified geofencing functionality that limits activity to specific geographic regions.
The infrastructure also appears to operate primarily during business hours aligned with Moscow time.
This behavior suggests a structured team environment rather than individual attackers working randomly.
The campaign reportedly runs in five-hour operational cycles with continuous monitoring and validation processes.
Such automation reflects a mature cybercriminal operation capable of managing massive numbers of targets simultaneously.
Suspicious Backdoor Accounts Discovered
Investigators identified another unusual characteristic during analysis.
Certain username and password combinations appeared repeatedly across thousands of unique IP addresses.
This repetition raises concerns that attackers may have intentionally planted backdoor accounts across compromised systems.
If confirmed, these credentials could provide future access even after organizations believe remediation efforts are complete.
Such persistence techniques significantly increase the long-term risk associated with compromise.
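The two signals above that a defender can act on from FortiGate logs are the credential attacks of stage two (many failed admin GUI and SSL-VPN logins from one source, often across many usernames) and the suspicious administrator-account changes described in this section. The following is an added example, not code from the article or from the researchers who reported FortiBleed: it parses FortiOS-style key=value event logs and flags both. The field names (logid, logdesc, user, ui, srcip/remip, action, status, cfgpath, cfgobj) follow the FortiOS syslog format, but the sample lines are constructed and approximate, and the trusted management range and thresholds are assumptions to tune for your environment.

```python
"""Detection over FortiOS-style event logs (added example; constructed sample data).

Signals:
  1. brute force / credential stuffing against the admin GUI and SSL-VPN portal:
     many failed logins per source IP, and many distinct usernames from it;
  2. administrator account objects (cfgpath system.admin) added or edited, i.e.
     candidate planted backdoor accounts; adds, or changes from outside the
     trusted management range, are rated high.
"""
import ipaddress
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')          # key=value or key="quoted value"
UI_IP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")       # ui="https(203.0.113.5)" -> 203.0.113.5

# Constructed sample (approximate FortiOS format, not real device output): four admin
# GUI failures plus one SSL-VPN failure from 203.0.113.5, one failure from 198.51.100.9,
# a legitimate SSH login, a trusted edit of the admin account, then a new admin object
# added from the attacking address.
SAMPLE_LOGS = """
date=2026-06-02 time=09:01:10 devname="FGT-BRANCH-01" logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-06-02 time=09:01:11 devname="FGT-BRANCH-01" logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="root" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-06-02 time=09:01:12 devname="FGT-BRANCH-01" logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-06-02 time=09:01:13 devname="FGT-BRANCH-01" logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="support" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-06-02 time=09:01:20 devname="FGT-BRANCH-01" logid="0101039426" type="event" subtype="vpn" level="information" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="jsmith" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2026-06-02 time=09:05:00 devname="FGT-BRANCH-01" logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" method="https" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
date=2026-06-02 time=09:10:00 devname="FGT-BRANCH-01" logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="ssh(10.20.0.5)" method="ssh" srcip=10.20.0.5 action="login" status="success"
date=2026-06-02 time=09:12:00 devname="FGT-BRANCH-01" logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="ssh(10.20.0.5)" action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="trusthost1[0.0.0.0 0.0.0.0->10.20.0.0 255.255.255.0]" msg="Edit system.admin admin"
date=2026-06-02 time=09:40:00 devname="FGT-BRANCH-01" logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.5)" action="Add" cfgpath="system.admin" cfgobj="support_tmp" cfgattr="password[*]" msg="Add system.admin support_tmp"
"""


def parse_fortios_line(line):
    """Turn one key=value FortiOS log line into a dict; surrounding quotes are stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def parse_logs(text):
    return [parse_fortios_line(ln) for ln in text.splitlines() if ln.strip()]


def is_failed_login(ev):
    gui_fail = ev.get("action") == "login" and ev.get("status") == "failed"
    return gui_fail or ev.get("action") == "ssl-login-fail"


def detect_bruteforce(events, threshold=5, spray_users=3):
    """Count failed admin/SSL-VPN logins per source IP. A source at or above `threshold`
    failures is flagged; if it also tried `spray_users` or more distinct usernames it is
    classed as credential stuffing rather than a single-account brute force."""
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "devices": set()})
    for ev in events:
        if not is_failed_login(ev):
            continue
        src = ev.get("srcip") or ev.get("remip")   # admin logs carry srcip, SSL-VPN logs remip
        if not src:
            continue
        per_src[src]["failures"] += 1
        per_src[src]["users"].add(ev.get("user", "?"))
        per_src[src]["devices"].add(ev.get("devname", "?"))
    alerts = {}
    for src, rec in per_src.items():
        if rec["failures"] >= threshold:
            kind = "credential_stuffing" if len(rec["users"]) >= spray_users else "brute_force"
            alerts[src] = {"kind": kind, "failures": rec["failures"],
                           "users": sorted(rec["users"]), "devices": sorted(rec["devices"])}
    return alerts


def detect_admin_account_changes(events, trusted_nets=("10.20.0.0/24",)):
    """Every Add/Edit of a system.admin object deserves a ticket; an Add, or any change made
    from outside the trusted management ranges, is rated high. Changes with no IP in the
    ui field (local console) are treated as trusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for ev in events:
        if ev.get("cfgpath") != "system.admin" or ev.get("action") not in ("Add", "Edit"):
            continue
        m = UI_IP_RE.search(ev.get("ui", ""))
        src = m.group(1) if m else None
        trusted = src is None or any(ipaddress.ip_address(src) in n for n in nets)
        severity = "high" if ev["action"] == "Add" or not trusted else "info"
        findings.append({"action": ev["action"], "account": ev.get("cfgobj"),
                         "by": ev.get("user"), "source": src or "console",
                         "trusted_source": trusted, "severity": severity})
    return findings


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for src, a in detect_bruteforce(evs).items():
        print(f"[{a['kind']}] {src}: {a['failures']} failures, users={a['users']}")
    for f in detect_admin_account_changes(evs):
        print(f"[{f['severity']}] {f['action']} system.admin {f['account']} "
              f"by {f['by']} from {f['source']}")
```

On the sample, 203.0.113.5 is flagged as credential stuffing (five failures across five usernames) while 198.51.100.9 stays below the threshold, and the later addition of the support_tmp administrator from the same attacking address is rated high, which is exactly the planted-account pattern the section warns about. In production the same logic should run across all devices in a fleet so that one source failing a few times against each of hundreds of firewalls is still caught.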
Underground Markets and Monetization
The investigation coincides with reports that a Russian-speaking underground actor known as “SantaAd” advertised access to thousands of Fortinet devices.
Initial pricing reportedly began around $30,000 before rapidly increasing to $60,000.
Although no direct connection has been confirmed between SantaAd and FortiBleed, the timing highlights the thriving market for network access.
Compromised enterprise infrastructure remains one of the most valuable commodities within cybercriminal ecosystems.
Access brokers continue to profit from selling entry points rather than conducting attacks themselves.
Why Small and Medium Businesses Are Prime Targets
Researchers observed a strong emphasis on organizations employing fewer than 200 people.
Small and medium-sized businesses often lack dedicated security teams, continuous monitoring capabilities, and mature incident response programs.
Many also serve larger enterprises as vendors, contractors, or managed service providers.
Compromising a smaller company can therefore provide attackers with pathways into larger organizations.
This supply-chain access model dramatically increases the value of SMB-focused campaigns.
Deep Analysis: Understanding the Technical Workflow Through Security Operations
The FortiBleed operation showcases how modern cybercrime increasingly mirrors legitimate enterprise automation.
Security teams can review the same authentication, network, and persistence signals on Linux hosts behind the firewall with standard tools (the FortiGate itself is managed through the FortiOS CLI, and its logs should be forwarded to a SIEM rather than inspected with these commands):
Identify listening services on a host
nmap -sV target-ip
Review failed authentication attempts
grep -i "failed" /var/log/auth.log
Capture network traffic
tcpdump -i eth0
Inspect SSH daemon events
journalctl -u ssh (the unit is sshd on RHEL-based systems)
Detect unusual outbound connections
netstat -antp (or ss -antp)
Review active sessions
who
Identify privilege escalation attempts
sudo ausearch -m USER_CMD
Monitor bandwidth per connection
iftop
Check brute-force bans
fail2ban-client status
Check login history
last
Review firewall rules and packet counters
iptables -L -v -n
Review process activity
ps aux
Find setuid binaries
find / -type f -perm -4000 2>/dev/null
Audit user accounts
cat /etc/passwd
Review cron persistence
crontab -l (also check /etc/cron.d and /var/spool/cron)
Monitor live logs
tail -f /var/log/syslog
The technical sophistication observed in FortiBleed highlights a major shift in attacker strategy. Rather than exploiting a single vulnerability, operators build complete ecosystems that combine reconnaissance, credential harvesting, password cracking, validation, persistence, and monetization.
The use of native operating system functionality instead of traditional malware demonstrates a growing preference for “living off the land” techniques. Security products often focus on detecting malicious binaries, yet attackers increasingly rely on legitimate administrative features.
Another noteworthy aspect is the
The geofencing functionality indicates intentional target selection rather than indiscriminate scanning. This level of control suggests operational maturity and potentially significant financial resources.
The focus on service providers is particularly concerning. Managed service providers, IT consultants, and hosting companies frequently maintain privileged access to numerous client environments. A single compromise can create cascading effects across entire customer ecosystems.
FortiBleed also highlights the growing importance of credential security. Organizations often prioritize patch management while overlooking password hygiene, MFA deployment, and authentication monitoring.
The collection of authentication tokens, hashes, and session cookies further illustrates how passwords are no longer the sole target. Modern attackers pursue every available authentication artifact.
The reported use of Telegram automation reveals how cybercriminal operations increasingly integrate consumer platforms into their workflows. Communication, coordination, and automation are becoming deeply interconnected.
The scale of over 110 million collected credentials demonstrates that identity has become the primary battleground in cybersecurity. Access itself is now the product being sold.
Organizations defending against similar campaigns must prioritize multi-factor authentication, credential rotation, privileged access management, network segmentation, and continuous monitoring.
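As an added illustration (not configuration from the article or from Fortinet's own documentation), the following shows a weak FortiOS configuration of the kind FortiBleed's stage two preys on beside a hardened one covering the controls just listed: no management protocols on the WAN interface, trusted hosts and lockout for administrators, MFA, CLI audit logging so that use of the built-in sniffer is recorded, and SSL-VPN login limits and source restrictions. The management subnet, address-object name and FortiToken serial are placeholders; the setting names are FortiOS CLI settings but should be checked against the release in use.

```text
# Weak: GUI and SSH reachable from the internet, no trusted hosts, no MFA,
# no login limits on the SSL-VPN portal.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config vpn ssl settings
    set login-attempt-limit 0
end

# Hardened
config system interface
    edit "wan1"
        set allowaccess ping                 # no management protocols on the WAN side
    next
end
config system global
    set admin-lockout-threshold 3            # failed attempts before lockout
    set admin-lockout-duration 300           # seconds
    set cli-audit-log enable                 # log CLI commands, including diagnose sniffer packet
end
config system admin
    edit "admin"
        set trusthost1 10.20.0.0 255.255.255.0   # placeholder management subnet
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"        # placeholder token serial
    next
end
config vpn ssl settings
    set login-attempt-limit 2
    set login-block-time 60
    set source-address "Allowed_VPN_Sources"     # placeholder address/geography object
    set source-address-negate disable
end
config user local
    edit "jsmith"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"        # placeholder token serial
    next
end
```

With the hardened settings, the admin GUI and SSH are no longer exposed on the WAN interface at all, so the campaign's credential stuffing against administrative interfaces has nothing to hit; the SSL-VPN portal remains reachable but only from the allowed sources, with per-user MFA and a block after two failed attempts. The CLI audit log is what gives a SIEM the chance to see an administrator (or an attacker holding administrator credentials) starting a packet capture.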
Future campaigns will likely become even more automated as artificial intelligence and offensive security tooling continue to mature.
What Undercode Say:
FortiBleed represents a clear evolution in cybercriminal economics.
Instead of launching noisy ransomware attacks immediately, attackers are investing in long-term credential harvesting operations.
The strategy is logical from a financial perspective.
Access can be sold repeatedly.
Credentials can be reused repeatedly.
Compromised organizations may remain vulnerable for months.
The campaign demonstrates how identity has become more valuable than malware.
Attackers no longer need zero-day vulnerabilities when weak credentials remain abundant.
FortiBleed’s automation level is particularly notable.
The use of reconnaissance pipelines, credential validation systems, and automated cracking infrastructure resembles a cloud-based software operation.
This is cybercrime operating at enterprise scale.
The targeting of service providers reflects strategic thinking.
One compromised provider can open access to dozens or hundreds of downstream customers.
This dramatically improves attacker return on investment.
The use of legitimate diagnostic functions creates a major detection challenge.
Traditional antivirus solutions are unlikely to identify activities that leverage built-in operating system capabilities.
Organizations must therefore shift toward behavioral monitoring.
Network visibility becomes critical.
Authentication telemetry becomes critical.
Identity protection becomes critical.
Another interesting observation is the reported geofencing behavior.
Attackers appear conscious of operational security.
Limiting activity to selected regions reduces noise and helps avoid unnecessary attention.
The appearance of repeated credentials across thousands of IP addresses raises serious concerns.
If those accounts were deliberately planted, organizations may face hidden persistence mechanisms even after remediation.
The operation also demonstrates why password-only security models are increasingly obsolete.
Multi-factor authentication remains one of the most effective defenses against credential reuse.
The broader multi-vendor targeting strategy indicates flexibility.
Attackers are not dependent on Fortinet.
They are pursuing access wherever it can be found.
This suggests future campaigns could easily pivot toward additional appliance vendors.
The cybercrime economy increasingly rewards access brokers.
As long as underground demand for network access remains high, campaigns like FortiBleed will continue to grow.
Security leaders should view this operation as a warning.
The next major breach may begin not with malware but with a quietly harvested password.
✅ Multiple security researchers reportedly observed a large credential-harvesting operation targeting FortiGate devices and related infrastructure.
✅ The
✅ The reported credential volumes and operational details originate from threat intelligence investigations, though some attribution and infrastructure connections remain assessments rather than publicly verified facts.
❌ No publicly confirmed evidence currently proves a direct connection between the FortiBleed operation and the underground actor known as “SantaAd.”
❌ Claims regarding intentionally planted backdoor credentials remain investigative findings and should not yet be considered conclusively proven.
❌ Attribution to a specific Russian-speaking group is based on threat intelligence analysis and observed behaviors rather than official law-enforcement confirmation.
Prediction
(+1) Organizations will accelerate deployment of multi-factor authentication across VPNs, firewalls, and administrative portals after exposure of large-scale credential harvesting operations.
(+1) Security vendors will introduce stronger monitoring capabilities for authentication traffic abuse and misuse of built-in diagnostic functions.
(+1) Identity-centric security platforms will receive increased investment as enterprises recognize credentials as the primary attack target.
(-1) Access broker operations will continue expanding because harvested credentials remain highly profitable on underground markets.
(-1) Small and medium businesses will remain disproportionately affected due to limited security resources and weaker authentication controls.
(-1) Future campaigns will likely incorporate more AI-driven automation, allowing attackers to process larger target populations with greater efficiency.
References:
Reported By: thehackernews.com