FortiBleed is a massive ongoing credential harvesting campaign that has compromised over 430000 FortiGate firewalls worldwide using a custom FortigateSniffer tool to silently steal more than 110 million authentication credentials since February 2026.
Have you ever considered that the firewall protecting your entire network could be silently listening to every password that crosses it? This is not the plot of a science fiction film. Since February 2026 it has been happening to thousands of organizations whose own FortiGate firewalls were turned into hostile listening posts. When security researcher Volodymyr Diachenko noticed an open directory on an unfamiliar host, 85.11.187.8 on port 9999, he had no idea the find would lead to one of the world's biggest credential harvesting operations.
FortigateSniffer Tool: Five-Phase Attack Chain Explained
FortiBleed is not a one-off attack. It is a sustained, industrialized operation in which attackers turned enterprise-grade FortiGate firewalls into hidden surveillance machines. A FortiGate firewall sits at the very edge of the network, where all authentication traffic passes through it.
The attackers exploited that privileged position by weaponizing FortiOS's own native diagnostic command, diagnose sniffer packet, to pull usernames, passwords and password hashes directly out of live traffic without triggering a single perimeter alarm.
The whole operation is built on a Go-based tool named FortigateSniffer, also tracked as fg sniffer. It is compiled for both Linux and Windows, and its entire interface is in Russian, a strong clue about its origin.
The tool monitors 24 protocols simultaneously, including RADIUS, NTLM, Kerberos, LDAP, RDP, SMB, MSSQL, FTP, Telnet and WinRM. Raw terminal output sniffed over SSH is converted to pcapng format by the SNIFTRAN engine, and the PCAP Deep Analysis Toolkit version 5.0 then extracts cleartext credentials, NTLMv2 hashes, Kerberos tickets and session cookies.
The attackers were careful enough to build in two evasion techniques. The first is a GeoIP-based filtering system that runs from a binary-search-optimized file. The second is business-hour scheduling: sniffing is active only from 7 a.m. to 6 p.m. Moscow time, so no anomaly alert fires during off hours.
The operation is designed in five distinct phases. The first phase is reconnaissance and credential sourcing: broad port sweeps with tools such as Masscan, Shodan-based enrichment that collects SSL certificate metadata, and custom scripts that rank targets by corporate revenue. The attack is therefore not random but planned around economic value.
The second phase is pairing and initial access, where host and credential combinations are generated. SSH brute-force attacks then run against FortiGate admin accounts using sixteen different wordlists, alongside credential stuffing attacks on SSLVPN portals with up to twenty-five thousand threads.
The third phase begins once valid SSH credentials arrive: the attackers inject FortigateSniffer. Researchers observed one run load the tool onto 6127 devices, ninety percent of which validated successfully. In total, more than 134,000 working FortiGate SSH credentials were collected.
The fourth phase is cracking and lateral movement. Collected hashes are cracked on a Hashcat GPU cluster managed by Hashtopolis, with capacity scaled up through cloud rental platforms such as vast.ai. Everything is controlled by a single Telegram bot that dynamically allocates GPUs and sends live updates on cracking progress.

(source: SocRadar)
Custom scripts then perform lateral movement inside Active Directory environments. The fifth and final phase is exfiltration: entire DFS shares are recursively pulled over SMB and streamed directly to attacker-controlled SSH servers with no local staging. On 15 June 2026, after cracking 172 Kerberos RC4 hashes, the attackers carried out a targeted DFS backup exfiltration against a NATO-affiliated defense contractor, the most dangerous single incident of the entire campaign.
Surprisingly, an AI-powered autonomous penetration testing agent is also used in some parts of the workflow. The agent is seen as a major step forward in adversarial automation.
FortiBleed Detection & Mitigation
SOCRadar researchers have tracked the campaign from February 2026 to the present. They identified 659 separate harvest cycles within the operation, running continuously until mid June 2026. Sample analysis confirms 23406 unique domains and 80553 FortiGate appliances.
Sniffing still appears active on more than 19000 firewalls. Sixty-six percent of victims have fewer than two hundred employees, and the 151-to-200 employee range alone accounts for 42.3 percent of affected domains. The IT services sector is targeted most, making up 8.4 percent of victims.
That choice gives the attackers a convenient path into downstream customer environments. India leads the geographic distribution with 11.4 percent, followed by the United States with 10.1 percent, then Taiwan, Mexico, Turkey, the UAE and Malaysia.

(source: SocRadar)
From a detection standpoint, security teams should first search their logs for unusual or unauthorized use of the diagnose sniffer packet command. Anomalous SSH access that lines up with Moscow business hours is a strong behavioral signal. A sudden spike in RADIUS, NTLM or Kerberos traffic, or other unusual authentication patterns, also warrants immediate investigation.
Large-scale DFS or SMB transfers with no normal business justification, and signs of session hijacking through replayed web cookies, require close monitoring. Network defenders should check their telemetry for the specific IOCs below.
These include the aggregator command-and-control IP 85.11.187.8, the pentest lab host 193.8.187.2, the credential validation node 193.8.187.42 and three sniffer nodes: 193.8.187.26, 194.113.39.71 and 77.91.122.13. Add the SHA256 hashes of the fg sniffer Linux and Windows binaries, mpbrute2.bin and the forticheck tools to threat intelligence platforms as well.
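One way to turn these hunts into a repeatable check, as an added example that is not part of the article or of SOCRadar's tooling: a Python triage script over FortiGate-style key=value event lines that flags use of diagnose sniffer packet, traffic to or from the IOC addresses listed above, and successful external SSH admin logins inside the 07:00-18:00 Moscow window. The log line syntax, the sample events and the `ts` field (assumed to be an ISO 8601 timestamp with UTC offset) are constructed for the example.

```python
import re, ipaddress
from datetime import datetime, timezone, timedelta

# Indicator IPs quoted in the article (C2 aggregator, pentest lab, validation node, sniffer nodes).
IOC_IPS = {"85.11.187.8", "193.8.187.2", "193.8.187.42",
           "193.8.187.26", "194.113.39.71", "77.91.122.13"}
MSK = timezone(timedelta(hours=3))   # sniffing ran 07:00-18:00 Moscow time per the article
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse a FortiGate-style key=value event line (quoted or bare values) into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def in_moscow_business_hours(ts):
    """True Mon-Fri between 07:00 and 18:00 Moscow time, the window the campaign kept."""
    local = ts.astimezone(MSK)
    return local.weekday() < 5 and 7 <= local.hour < 18

def triage(line):
    """Return the FortiBleed-related signals found in one event; empty list means none."""
    ev, hits = parse_kv(line), []
    src = ev.get("srcip", "")
    if "diagnose sniffer packet" in ev.get("msg", ""):
        hits.append("sniffer-cmd")          # the native capture command the campaign abused
    if src in IOC_IPS or ev.get("dstip") in IOC_IPS:
        hits.append("ioc-ip")               # known campaign infrastructure
    if (ev.get("action") == "login" and ev.get("status") == "success"
            and ev.get("ui", "").startswith("ssh") and src
            and not ipaddress.ip_address(src).is_private):
        ts = datetime.fromisoformat(ev["ts"])  # constructed field: ISO 8601 with UTC offset
        if in_moscow_business_hours(ts):
            hits.append("ssh-msk-hours")    # external SSH admin login inside the MSK window
    return hits

def scan(lines):
    """Run triage over a batch; return [(line_no, hits)] for every line with a signal."""
    return [(n, h) for n, l in enumerate(lines, 1) if (h := triage(l))]

# Constructed sample events in FortiGate-like syntax; not real device output.
SAMPLE_LOGS = [
    'ts="2026-03-10T05:30:00+00:00" type="event" action="login" status="success" '
    'ui="ssh(193.8.187.42)" srcip=193.8.187.42 user="admin" msg="Administrator admin logged in"',
    'ts="2026-03-10T05:31:12+00:00" type="event" user="admin" srcip=193.8.187.42 '
    "msg=\"ran command: diagnose sniffer packet any 'port 88 or port 1812' 6 0 l\"",
    'ts="2026-03-07T20:05:00+00:00" type="event" action="login" status="success" '
    'ui="ssh(10.0.0.5)" srcip=10.0.0.5 user="admin" msg="Administrator admin logged in"',
    'ts="2026-03-10T09:00:00+00:00" type="event" action="Edit" user="admin" srcip=10.0.0.5 '
    'msg="Edit firewall.policy 12"',
]
```

Calling `scan(SAMPLE_LOGS)` flags the first two events (IOC source plus an 08:30 MSK SSH login, then the sniffer command) and leaves the weekend internal login and the config edit alone; pointing it at a real export only requires matching the field names to your log schema.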
CISA has already issued an urgent advisory urging organizations to secure their Fortinet devices immediately. The first step is immediate rotation of all FortiGate-related VPN and admin credentials. Enforcing multi-factor authentication everywhere is mandatory.
Teams must stop exposing management interfaces directly to the internet. Network teams should audit their configurations so that access to diagnose commands is limited to essential staff. Regular audits of SSH key usage and alerting on unusual login patterns are an essential part of protection against this attack.
The story is a reminder that the device that makes us feel most secure can become the most dangerous weapon when an attacker turns its built-in capabilities to their own ends. Until organizations monitor their perimeter devices with the same seriousness they apply to internal servers, this threat will keep finding its way in.