
AI-generated FortiGate reconnaissance tool analysis with weak parsing and empty stubs

Technical Analysis · Happening score (H score): 40 · 1 unique source, 1 article

Summary


AWS identified a custom FortiGate reconnaissance tool that showed clear hallmarks of AI-generated code, helping explain how a low-skill actor automated post-compromise discovery and target prioritization. The findings matter because the tool supported scalable internal reconnaissance after VPN access, even though the operator struggled with more complex exploitation. AWS tied the analysis to a Russian-speaking, financially motivated actor using commercial GenAI services throughout the intrusion chain.

Related Happenings

FortiGate exposed management interface exploitation wave

Exploitation Wave
First: 21.02.2026 16:49 Last: 21.02.2026 16:49 Sources 1

About this happening: **FortiGate** management interfaces were hit by an **automated exploitation wave** that abused **internet-exposed ports** and **commonly reused credentials** to compromise **600+...

Russian-speaking hacker AI-assisted FortiGate breach campaign

Campaign
First: 21.02.2026 15:50 Last: 21.02.2026 15:50 Sources 1

How related: AWS assessed the campaign ran from January 11 to February 18, 2026, and compromised over 600 FortiGate devices across more than 55 countries.

About this happening: The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...

TeamPCP cloud-native exploitation campaign

Campaign
First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources 1

About this happening: **TeamPCP** is a **cloud-native supply-chain campaign** that abuses exposed **Docker APIs**, **Kubernetes clusters**, **Ray dashboards**, **Redis servers**, and **React2Shell (CVE...

Latest development: 23.03.2026 10:31

Researchers uncovered malicious Trivy Docker Hub image tags 0.69.4, 0.69.5, and 0.69.6 tied to TeamPCP; 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. The same reporting says TeamPCP used a compromised service account token to deface all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix and exposing them publicly.

Publicly exposed training apps as recurring cloud-entry risk across security vendors

Target Trend
First: 21.01.2026 16:00 Last: 21.01.2026 16:00 Sources 1

About this happening: **Cybersecurity training apps** left exposed on the public Internet are creating a recurring **cloud-entry risk** for **security vendors and enterprise users**. A scan identified...

VoidLink AI-generated malware development analysis

Technical Analysis
First: 21.01.2026 14:51 Last: 21.01.2026 14:51 Sources 1

About this happening: **VoidLink** is a **Linux-based C2 framework** with **multi-cloud targeting** and **modular implants** built for **credential theft**, **data exfiltration** and **stealthy persist...

Timeline

  1. 20.02.2026 02:00 · 2 articles

    AWS analyzes AI-generated FortiGate reconnaissance tool

    Technical Analysis Update

    A Russian-speaking, financially motivated low-skill threat actor used commercial GenAI services to automate a campaign against Fortinet FortiGate firewall appliances, including AI-assisted Python scripts and a custom Go/Python reconnaissance tool with redundant comments, naive JSON parsing, and empty documentation stubs. The actor scanned exposed FortiGate management interfaces, reused credentials to gain access, then used the tool to ingest VPN routing tables, classify internal networks, identify SMB hosts and domain controllers, and integrate Nuclei-based vulnerability scanning. The campaign ran from January 11 to February 18, 2026, compromised over 600 FortiGate devices across more than 55 countries, and no FortiGate vulnerability exploitation was observed.
