CyberStrikeAI observed on attacker infrastructure supporting FortiGate attack automation
Security Tool/Service
Summary
Hide ▲
Show ▼
CyberStrikeAI was observed on attacker infrastructure supporting a live Fortinet FortiGate attack campaign, showing the platform can be repurposed for offensive automation. The service banner appeared on port 8080 at 212.11.64[.]250, and traffic linked that host to targeted FortiGate devices. The sighting matters because the tool's AI-native orchestration could lower the skill needed to run complex edge-device attacks.
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortiClient EMS CVE-2026-35616 exploitation wave
Exploitation Wave
H score56
First: 28.05.2026 18:26
Last: 28.05.2026 18:26
Sources 1
About this happening:
**CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...
FortiClient EMS CVE-2026-35616 exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...
Fortinet security patch release for CVE-2026-44277
Security Patch Release
H score39
First: 12.05.2026 21:23
Last: 12.05.2026 21:23
Sources 1
About this happening:
Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...
Fortinet security patch release for CVE-2026-44277
Security Patch ReleaseAbout this happening: Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...
Timeline
-
03.03.2026 02:06 1 articles · 4mo ago
CyberStrikeAI developer profile mentions CNNVD award
Attribution UpdateThe developer behind CyberStrikeAI, using the alias Ed1s0nZ, mentioned receiving a "CNNVD 2024 Vulnerability Reward Program – Level 2 Contribution Award" on a GitHub profile.
Show sources
- CyberStrikeAI tool adopted by hackers for AI-powered attacks — www.bleepingcomputer.com — 03.03.2026 02:06
-
03.03.2026 02:06 2 articles · 4mo ago
CyberStrikeAI service banner tied to FortiGate-targeting infrastructure
Detection Ioc UpdateTeam Cymru identified a CyberStrikeAI service banner on port 8080 at 212.11.64[.]250 and saw communications between that host and Fortinet FortiGate devices targeted by the campaign; the infrastructure was last seen running CyberStrikeAI on January 30, 2026.
Show sources
- CyberStrikeAI tool adopted by hackers for AI-powered attacks — www.bleepingcomputer.com — 03.03.2026 02:06
- Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries — thehackernews.com — 03.03.2026 16:29
-
03.03.2026 02:06 1 articles · 4mo ago
Team Cymru discloses CyberStrikeAI use in FortiGate campaign
Initial DisclosureTeam Cymru reported that the same threat actor behind an AI-assisted campaign that breached more than 500 FortiGate devices was observed using CyberStrikeAI on 212.11.64[.]250, with NetFlow showing a CyberStrikeAI service banner and traffic to targeted Fortinet FortiGate devices.
Show sources
- CyberStrikeAI tool adopted by hackers for AI-powered attacks — www.bleepingcomputer.com — 03.03.2026 02:06