FortiBleed credential-harvesting operation expands from FortiGate to broader exposed services

Attackers behind **FortiBleed** are running an active credential-harvesting and brute-force operation against internet-facing access points, starting with **Fortinet FortiGate** and expanding to **Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers**. The activity has been active since at least February 2026, and available material describes the operator as an initial access broker focused on collecting and reusing credentials across reachable authentication services. What began as a FortiGate-centered intrusion set has widened into a broader multi-vendor initial-access push rather than staying limited to one firewall platform. On compromised **FortiGate** devices, the operators use SSH access and a custom Golang tool called **FortigateSniffer** to abuse the **FortiOS diagnose sniffer packet** capability and passively capture authentication traffic. The reported haul includes cleartext credentials, password hashes, Kerberos material, NTLM data, email credentials, database credentials, and large volumes of MySQL and RADIUS authentication data. Available figures place the campaign at more than **430,000 FortiGate firewalls** worldwide, with at least **659 credential-harvesting pipelines** and over **110 million credentials** identified. The operation has also moved beyond credential collection into confirmed downstream compromise, with operators reportedly cracking Kerberos hashes and exfiltrating DFS backup data from a **NATO-aligned defense contractor** on June 15. No **CVE** or patch-led fix is established in the available material, so immediate response centers on hardening exposed authentication services, reviewing **FortiGate** administrative and SSH access, rotating potentially exposed credentials, and hunting for packet-sniffing abuse and credential reuse.