A newly released intelligence report has shed deeper light on FortiBleed, a large-scale cyber campaign responsible for harvesting massive volumes of credentials and enabling widespread system breaches. According to the findings, the operation has targeted more than 430,000 FortiGate devices and captured over 110 million credentials, making it one of the most significant credential-theft campaigns observed in 2026.
The report, produced by SOCRadar’s Threat Research Unit (STRU) the team that originally identified and named FortiBleed provides the most comprehensive analysis to date. Titled Dismantling FortiBleed, the research moves beyond headline figures and delivers a detailed breakdown of the attackers’ infrastructure, methodologies, and operational scale.
Overview of the Campaign
FortiBleed is described as a financially motivated, globally distributed attack campaign focused on FortiGate firewalls. The scale of activity is notable, with hundreds of thousands of devices targeted and hundreds of credential-harvesting pipelines identified. At least one confirmed compromise of a defense contractor linked to NATO further highlights the campaign’s severity and potential impact.
Unlike previous reports that focused primarily on statistics, STRU’s analysis reconstructs the entire operation end-to-end. Beginning with a single exposed directory discovered by a security researcher, investigators were able to trace the campaign across more than 150 servers, ultimately mapping a significant portion of the threat actor’s infrastructure. Even at the time of analysis, the operation remained active, with thousands of devices still being monitored or targeted.
Reconstructed Attack Lifecycle
The report outlines a clearly defined, multi-stage attack chain:
-
Target Discovery and Prioritization
The attackers initiate operations with large-scale reconnaissance, using tools such as Masscan to identify open ports and custom-built utilities to filter potential FortiGate devices. Targets are further enriched with intelligence data and ranked based on financial value or organizational size, indicating a strategic, profit-driven approach. -
Initial Access Techniques
Access is gained through a combination of brute-force attacks against SSH interfaces and credential stuffing against SSL VPN portals. The actors utilize specifically tailored password lists designed for FortiGate administrative accounts, improving their success rate. -
Credential Harvesting Operations
At the core of the campaign is a custom-built tool that leverages legitimate FortiOS diagnostic functionality to passively capture authentication traffic. By monitoring multiple protocols including Kerberos, NTLM, LDAP, and RDP the attackers can collect credentials without deploying traditional malware, significantly reducing detection risk. Notably, the collection process is restricted to typical business hours in a specific timezone, suggesting deliberate efforts to blend with normal network activity. -
Credential Processing and Cracking
Captured authentication data is processed using a distributed infrastructure powered by GPU clusters. The operation combines open-source tools such as Hashcat with management platforms like Hashtopolis, while also leveraging rented cloud GPU resources to accelerate password cracking. Real-time monitoring is integrated via remote communication channels. -
Lateral Movement and Data Exfiltration
Once credentials are recovered, attackers move laterally within targeted environments, particularly across Active Directory networks. In confirmed cases, this has led to the extraction of sensitive enterprise data, including backup files from critical systems.
Infrastructure and Attribution
The campaign relies on geographically dispersed hosting infrastructure, primarily located in loosely regulated regions. Different segments of the infrastructure serve specialized roles, including command-and-control coordination, credential validation, and traffic interception.
Operational evidence suggests the use of advanced tooling and a collaborative environment, enabling multiple operators to work simultaneously. Linguistic indicators within the tools point toward a Russian-speaking origin, and the attack model aligns closely with that of Initial Access Brokers (IABs) groups that specialize in selling network access to other cybercriminal organizations, including ransomware operators.
Target Profile and Impact
The majority of affected organizations fall within the small and medium-sized business (SMB) category, with most victims reporting fewer than 200 employees and moderate annual revenues. Geographically, the campaign spans multiple regions, including North America, Asia, Europe, and the Middle East, indicating an opportunistic rather than region-specific targeting approach.
Industries such as IT services have been disproportionately affected, likely due to the potential for cascading access into downstream client environments. This strategic targeting increases the overall impact of each successful compromise.
Recommended Actions
Given the ongoing nature of the campaign, immediate defensive measures are critical. Organizations are strongly advised to:
- Reset all credentials associated with Fortinet VPNs and administrative interfaces
- Enforce multi-factor authentication across all access points
- Restrict or eliminate direct internet exposure of management interfaces
- Conduct thorough log analysis to identify suspicious authentication activity
- Apply the latest firmware updates and security patches
Additionally, organizations should assess whether they are potentially affected using available exposure-checking tools provided by security researchers.
Final Assessment
FortiBleed represents a highly sophisticated and large-scale credential harvesting operation, combining stealthy data collection, advanced infrastructure, and strategic targeting. Its continued activity underscores the importance of proactive security practices, particularly in managing network appliances that serve as critical entry points into enterprise environments.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
