Russian-speaking hacker AI-assisted FortiGate breach campaign
Campaign
Summary
Hide ▲
Show ▼
The Russian-speaking threat actor ran an AI-assisted FortiGate breach campaign from January 11 to February 18, 2026, compromising over 600 FortiGate devices across more than 55 countries. The operation focused on internet-exposed management interfaces and reused credentials without MFA rather than known FortiGate vulnerability exploitation. Once inside, the actor used GenAI tools to automate reconnaissance and build scripts for configuration parsing, credential handling, and target prioritization. The same campaign also targeted Veeam Backup & Replication infrastructure and referenced attempts against CVE-2019-7192, CVE-2023-27532, and CVE-2024-40711.
Related Happenings
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
Campaign
H score82
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
CampaignAbout this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
OceanLotus SPECTRALVIPER campaigns targeting Vietnam
Campaign
H score33
First: 11.06.2026 12:45
Last: 11.06.2026 12:45
Sources 1
About this happening:
**OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...
OceanLotus SPECTRALVIPER campaigns targeting Vietnam
CampaignAbout this happening: **OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...
FortiClient EMS CVE-2026-35616 exploitation wave
Exploitation Wave
H score56
First: 28.05.2026 18:26
Last: 28.05.2026 18:26
Sources 1
About this happening:
**CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...
FortiClient EMS CVE-2026-35616 exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...
Fortinet security patch release for CVE-2026-44277
Security Patch Release
H score39
First: 12.05.2026 21:23
Last: 12.05.2026 21:23
Sources 1
About this happening:
Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...
Fortinet security patch release for CVE-2026-44277
Security Patch ReleaseAbout this happening: Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...
OpenAI launches Daybreak cybersecurity initiative for AI-powered vulnerability detection and patch validation
Security Tool/Service
H score25
First: 12.05.2026 09:55
Last: 12.05.2026 09:55
Sources 1
About this happening:
OpenAI's **Daybreak** launch adds an **AI-powered cybersecurity service** for **vulnerability detection** and **patch validation**, helping organizations fix flaws before attacker...
OpenAI launches Daybreak cybersecurity initiative for AI-powered vulnerability detection and patch validation
Security Tool/ServiceAbout this happening: OpenAI's **Daybreak** launch adds an **AI-powered cybersecurity service** for **vulnerability detection** and **patch validation**, helping organizations fix flaws before attacker...
Timeline
-
21.02.2026 15:50 3 articles · 4mo ago
Amazon warns of AI-assisted FortiGate breach campaign
Initial DisclosureAmazon warned that a Russian-speaking hacker used multiple generative AI services in a five-week campaign against FortiGate firewalls across 55 countries, targeting internet-exposed management interfaces on ports 443, 8443, 10443, and 4443, abusing weak credentials without MFA, and then using AI-assisted Go and Python tooling to automate reconnaissance and extend access inside breached networks. The same activity also targeted Veeam Backup & Replication servers and referenced attempts to exploit CVE-2019-7192, CVE-2023-27532, and CVE-2024-40711.
Show sources
- Amazon: AI-assisted hacker breached 600 FortiGate firewalls in 5 weeks — www.bleepingcomputer.com — 21.02.2026 15:50
- AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries — thehackernews.com — 21.02.2026 16:49
- Russian Cyber Threat Actor Uses GenAI to Compromise Fortinet Firewalls — www.infosecurity-magazine.com — 23.02.2026 14:30