Key Takeaways
- A Russian‑speaking initial‑access broker (IAB) is behind a large‑scale credential‑harvesting campaign dubbed FortiBleed, targeting more than 430,000 FortiGate firewalls worldwide since February 2026.
- The operation uses a custom Go‑based tool, FortigateSniffer, to passively capture cleartext credentials and hashes from traffic on compromised devices across 24 protocols.
- Harvested hashes are cracked with Hashcat/Hashtopolis, coordinated via a Telegram bot (HASHBOT), and the recovered credentials are reused for lateral movement, Active Directory enumeration, and data exfiltration.
- FortiBleed follows a five‑stage pipeline: reconnaissance, device compromise, sniffer deployment, hash cracking/utilization, and exfiltration/persistence, with geofencing and time‑of‑day restrictions (7 a.m.–6 p.m. Moscow Time).
- Between May 31 and June 15, 2026 the attackers ran at least 659 credential‑harvesting pipelines, yielding over 110 million credentials, including 14.8 M RADIUS, 924 k NTLM, 130 k Kerberos hashes, and 89 M MySQL tokens.
- The campaign extends beyond FortiGate to Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL‑VPNs, and MS‑SQL servers, indicating a multi‑vendor initial‑access operation.
- Targets are prioritized by economic value; small‑ and medium‑businesses (<200 employees) in the United States and India, especially IT‑services firms, are heavily focused on to enable downstream access to customer environments.
- Evidence suggests the attackers may have planted reusable username/password pairs as backdoors, and a Russian‑speaking account (“SantaAd”) advertised access to thousands of Fortinet devices for $30k–$60k, though a direct link to FortiBleed remains unconfirmed.
Overview of FortiBleed
FortiBleed is a credential‑harvesting operation conducted by a Russian‑speaking initial‑access broker motivated by financial gain. Active since February 2026, the campaign has compromised more than 430,000 FortiGate firewalls worldwide. The threat actors collect credential lists, scan for exposed services, brute‑force accessible systems, and deploy bespoke sniffers on compromised devices to capture authentication traffic. SOCRadar’s report describes the sniffers as extracting both cleartext credentials and password hashes from traffic passing through the infected appliances, which are then cracked, validated, and reused against Active Directory domains and other exposed services.
Tools and Techniques: FortigateSniffer
Central to the operation is a Go‑based utility named FortigateSniffer. It leverages FortiOS's built‑in diagnostic command diagnose sniffer packet to passively capture traffic on the compromised firewall. The tool parses authentication data from 24 protocols, including TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS‑SQL, MySQL, PostgreSQL, and RADIUS, so the attackers harvest both cleartext credentials and crackable password hashes without injecting any code into the device's operating system. Because the capture is passive, only traffic that crosses the firewall unencrypted, or whose authentication exchange can be cracked offline, is exposed; protocols wrapped in TLS are not readable this way. Using a native, legitimate diagnostic command also sidesteps host‑based detection: there is no foreign binary on the appliance to flag, so the practical detection surface is the appliance's own event logging of administrator logins and commands.
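To make concrete what a passive sniffer on the firewall can see, the following Python is an added example written for this page; it is not FortigateSniffer and not Fortinet code. It parses the hex dump that diagnose sniffer packet prints at verbose level 3, strips the Ethernet/IPv4/TCP headers, reassembles each client‑to‑server flow, and pulls out an FTP USER/PASS pair and an HTTP Basic header. The capture is constructed to match the general shape of that output (one header line per packet, then offset/hex/ASCII rows); the addresses and credentials are invented.

```python
"""Added example: recover cleartext logins from FortiOS sniffer output.
Not FortigateSniffer or Fortinet code. SAMPLE_DUMP is constructed to look
like `diagnose sniffer packet <iface> '<filter>' 3` output, not a real dump."""
import base64
import re
import struct
from collections import OrderedDict

HEADER_RE = re.compile(
    r"^\d+\.\d+ \S+ (?:in|out) (\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_packets(text):
    """Return [(src, sport, dst, dport, raw_ethernet_frame)] from verbose-3 text."""
    packets, meta, hexparts = [], None, []

    def flush():
        if meta is not None:
            packets.append((*meta, bytes.fromhex("".join(hexparts))))

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            src, sport, dst, dport = m.groups()
            meta, hexparts = (src, int(sport), dst, int(dport)), []
        elif line.startswith("0x"):
            # columns: offset, hex words (single-spaced), ascii; split on 2+ spaces
            hexparts.append(re.split(r"\s{2,}", line.strip())[1].replace(" ", ""))
    flush()
    return packets


def tcp_payload(frame):
    """Strip Ethernet + IPv4 + TCP headers; None for anything that is not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                      # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    return tcp[(tcp[12] >> 4) * 4:]     # TCP data offset is in 32-bit words


def extract_credentials(text):
    """Reassemble each client->server flow and pull FTP and HTTP Basic logins."""
    flows = OrderedDict()
    for src, sport, dst, dport, frame in parse_packets(text):
        payload = tcp_payload(frame)
        if payload:
            flows.setdefault((src, sport, dst, dport), bytearray()).extend(payload)
    found = []
    for (src, sport, dst, dport), data in flows.items():
        s = data.decode("latin-1")
        if dport == 21:                 # FTP sends USER/PASS in the clear
            u = re.search(r"^USER (\S+)\r?$", s, re.M)
            p = re.search(r"^PASS (\S+)\r?$", s, re.M)
            if u and p:
                found.append(("ftp", src, dst, u.group(1), p.group(1)))
        for m in re.finditer(r"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", s, re.M):
            try:                        # Basic auth is just base64(user:password)
                user, _, pw = base64.b64decode(m.group(1), validate=True).decode("latin-1").partition(":")
            except ValueError:
                continue
            found.append(("http-basic", src, dst, user, pw))
    return found


# ---- constructed sample capture (not a real device dump) -------------------
def _verbose3(src, dst, sport, dport, payload):
    """Render one TCP packet the way verbose-3 output roughly looks."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    frame = eth + ip + tcp + payload
    lines = [f"1.000000 port1 in {src}.{sport} -> {dst}.{dport}: psh 1 ack 1"]
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        hexs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}   {hexs:<39}   {asc}")
    return "\n".join(lines)


SAMPLE_DUMP = "\n".join([
    "interfaces=[port1]",
    "filters=[port 21 or port 80]",
    _verbose3("192.168.1.10", "10.0.0.5", 49152, 21, b"USER alice\r\n"),
    _verbose3("192.168.1.10", "10.0.0.5", 49152, 21, b"PASS Winter2026!\r\n"),
    _verbose3("192.168.1.20", "10.0.0.8", 50000, 80,
              b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
              + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
])

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_DUMP):
        print(cred)
```

The point of the flow reassembly is that USER and PASS arrive in separate packets; a parser that looks at packets one at a time misses the pair. Anything carried over TLS (LDAPS, HTTPS, SMTP with STARTTLS completed) yields nothing to this approach, which is the strongest argument for moving the listed protocols off cleartext.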
Credential Harvesting Statistics
Between May 31 and June 15, 2026, the attackers executed at least 659 credential‑harvesting pipelines. This effort yielded over 110 million credentials, including approximately 14.8 million RADIUS credentials, 924 000 NTLM hashes, 130 000 Kerberos hashes, and 89 million MySQL authentication tokens. The volume underscores the efficiency of the mass‑scanning and brute‑forcing approach, as well as the value of the harvested data for downstream attacks such as lateral movement, privilege escalation, and ransomware deployment.
Five‑Stage Attack Pipeline
FortiBleed follows a clearly delineated five‑stage process. First, the actors conduct wide‑scale reconnaissance using tools like Masscan and Shodan to locate internet‑facing FortiGate firewalls, then filter and group the results by country with custom utilities FortiProbe‑fast and GeoSplit. Second, they compromise the devices via a credential checker called "forticheck," which targets the FortiGate administrative panel and SSL‑VPN portal, supplementing this with SSH credential stuffing and dictionary attacks to obtain administrative access. Third, upon gaining SSH entry, they deploy FortigateSniffer to intercept authentication traffic across the 24 supported protocols. Fourth, the captured password hashes are cracked using Hashcat and Hashtopolis, orchestrated by a Telegram bot dubbed HASHBOT, after which the recovered credentials are used for lateral movement and Active Directory enumeration. Finally, sensitive data from network shares is exfiltrated, and stolen session cookies are employed to maintain persistent, authenticated access to the compromised environment.
Expansion Beyond FortiGate: A Multi‑Vendor Campaign
While FortiBleed is named for its primary focus on FortiGate firewalls, evidence indicates it is part of a broader, multi‑vendor initial‑access operation. Since February 28 2026, the same actors have employed automated brute‑forcing and mass‑scanning techniques against a range of internet‑facing appliances, including Synology NAS devices, Sophos firewalls, RDWeb portals, Citrix SSL‑VPNs, and MS‑SQL servers. This spray‑and‑pray strategy allows the threat actors to maximize their foothold across diverse environments, increasing the likelihood of finding valuable targets for subsequent exploitation or resale on underground markets.
Operational Mechanics: Geofencing, Time‑Windowing, and Pipeline Cycles
The campaign incorporates several operational safeguards to avoid detection and optimize resource use. A geofencing filter restricts sniffer activity to specific IP ranges, and the malware only runs between 7 a.m. and 6 p.m. Moscow Time, aligning with typical business hours in the actors’ presumed locale. According to Zenox, the operation functions in 300‑minute (five‑hour) cycles, with status updates every minute. During each cycle, a regional target list is loaded and validated using 1,000 simultaneous threads, displaying counters for success, failure, timeout, and warnings. Early cycles showed a successful validation rate near 90 %, indicating a highly effective scanning and credential‑checking process.
Indicators of Persistent Backdoors
Analysis by SpyCloud revealed that certain username and password pairs appeared repeatedly across thousands of distinct IP addresses. This pattern suggests the attackers may have deliberately planted reusable credentials as clandestine backdoors, enabling rapid re‑entry into compromised devices even after initial remediation efforts. Such persistence mechanisms increase the long‑term value of the accessed infrastructure and complicate defender efforts to fully eradicate the threat.
Attribution, Pricing, and Underground Advertising
A Russian‑speaking account identified as “SantaAd” advertised access to thousands of Fortinet devices on a cybercrime forum, initially offering the access for a starting price of $30,000 before raising it to $60,000 within hours. While the timing coincides with the FortiBleed timeline, SOCRadar and SpyCloud note that a direct causal link between this advertisement and the FortiBleed operation has not been definitively established. Nevertheless, the advertisement underscores the monetization pathway that initial‑access brokers often employ: compromising devices at scale and then selling the resulting access to other threat actors for ransomware, data theft, or further intrusion campaigns.
Implications and Recommendations
FortiBleed illustrates the growing sophistication and profitability of credential‑harvesting campaigns that target edge security devices. The sniffer command it abuses is a standard part of the FortiOS CLI and cannot be removed, so hardening has to focus on who can reach that CLI: remove SSH and HTTPS administration from internet‑facing interfaces, restrict every administrator account to trusted source hosts, give day‑to‑day accounts the least‑privileged admin profile, enforce strong unique passwords with multi‑factor authentication, and audit the administrator list for accounts nobody recognizes, since the recurring credential pairs described above may be planted backdoors. Continuous monitoring for execution of the FortiOS sniffer command, management‑plane logins from unexpected sources or at unusual hours, bursts of authentication failures followed by a success, and unexpected outbound traffic from the appliance supports early detection. Because the harvested material comes from traffic that transited the firewall, an organization that finds a device compromised should treat credentials for the protocols listed above (RADIUS, NTLM, Kerberos, LDAP, MySQL and other cleartext services) as exposed, rotate them, and move cleartext authentication onto TLS‑protected channels. Finally, threat‑intelligence feeds that track IAB activity and credential markets help organizations anticipate access‑selling operations before they translate into damaging breaches.
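As an added detection sketch for the monitoring advice above, and for the Moscow‑hours operating window described under Operational Mechanics, the following Python is written for this page and is neither from the report nor vendor code. The log lines are constructed in a FortiOS‑like key=value style; the field names (logdesc, user, srcip, msg, method) and the thresholds are assumptions to be mapped onto your own log schema. It raises three kinds of alert: a burst of failed administrator logins from one source, a successful login right after such a burst (the credential‑stuffing success case), and any command containing the sniffer invocation; each alert is annotated with the event's hour in Moscow Time so analysts can see whether it falls in the 07:00–18:00 window the report describes.

```python
"""Added detection sketch (not from the report, not vendor code). Log field
names, thresholds and the sample lines are assumptions/constructed data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MSK = timezone(timedelta(hours=3))     # Moscow Time is UTC+3 all year
ACTOR_WINDOW = range(7, 18)            # 07:00-18:00 MSK, the window in the report
FAIL_THRESHOLD = 5                     # assumed tuning value
WINDOW = timedelta(minutes=10)         # assumed tuning value
SNIFFER_CMD = re.compile(r"\bdiag(?:nose)?\s+sniffer\s+packet\b")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """key=value syslog line -> dict; date/time are assumed to be logged in UTC."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["_ts"] = datetime.fromisoformat(f"{ev['date']}T{ev['time']}").replace(tzinfo=timezone.utc)
    return ev


def detect(log_text):
    """Return alerts for admin brute force, success-after-failures and sniffer use."""
    events = sorted((parse_kv(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["_ts"])
    alerts, fails = [], defaultdict(list)          # srcip -> recent failure times

    def raise_alert(kind, ev, **extra):
        msk = ev["_ts"].astimezone(MSK)
        alerts.append({"kind": kind, "srcip": ev.get("srcip"), "user": ev.get("user"),
                       "utc": ev["_ts"].isoformat(), "msk_hour": msk.hour,
                       "in_actor_window": msk.hour in ACTOR_WINDOW, **extra})

    for ev in events:
        desc, ip, now = ev.get("logdesc", ""), ev.get("srcip"), ev["_ts"]
        if desc == "Admin login failed":
            fails[ip] = [t for t in fails[ip] if now - t <= WINDOW] + [now]
            if len(fails[ip]) == FAIL_THRESHOLD:       # fire once per burst
                raise_alert("admin_bruteforce", ev, failures=FAIL_THRESHOLD)
        elif desc == "Admin login successful":
            recent = [t for t in fails.get(ip, []) if now - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:          # likely stuffed or brute-forced
                raise_alert("success_after_failures", ev, prior_failures=len(recent))
        if SNIFFER_CMD.search(ev.get("msg", "")):      # sniffer command in CLI audit
            raise_alert("sniffer_invoked", ev, command=ev["msg"])
    return alerts


# ---- constructed sample (05:10 UTC is 08:10 MSK, inside the actor window) ----
_BASE = ('date=2026-06-01 time={t} type="event" subtype="system" logdesc="{d}" '
         'user="{u}" srcip={ip} method="ssh"')
SAMPLE_LOGS = "\n".join([
    _BASE.format(t="05:10:01", d="Admin login failed", u="admin", ip="203.0.113.7"),
    _BASE.format(t="05:10:02", d="Admin login failed", u="admin", ip="203.0.113.7"),
    _BASE.format(t="05:10:03", d="Admin login failed", u="root", ip="203.0.113.7"),
    _BASE.format(t="05:10:04", d="Admin login failed", u="fortinet", ip="203.0.113.7"),
    _BASE.format(t="05:10:05", d="Admin login failed", u="admin", ip="203.0.113.7"),
    _BASE.format(t="05:10:06", d="Admin login failed", u="support", ip="203.0.113.7"),
    _BASE.format(t="05:10:09", d="Admin login successful", u="admin", ip="203.0.113.7"),
    _BASE.format(t="05:11:30", d="Command executed", u="admin", ip="203.0.113.7")
    + " msg=\"diagnose sniffer packet any 'port 389 or port 1812' 6 0\"",
    _BASE.format(t="09:00:00", d="Admin login successful", u="netops", ip="10.10.0.5"),
])

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a)
```

The Moscow‑hour annotation is deliberately context rather than a trigger: legitimate administrators in many time zones also work during those hours, so it sharpens triage of the other three signals without generating alerts on its own.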

