Find notable cyber news and cases, enriched with sources, timelines, and signals.

CyberStrikeAI observed on attacker infrastructure supporting FortiGate attack automation

Security Tool/Service
First reported
Last updated
Happening score
H score 22
2 unique sources, 2 articles

Summary

Hide ▲

CyberStrikeAI was observed on attacker infrastructure supporting a live Fortinet FortiGate attack campaign, showing the platform can be repurposed for offensive automation. The service banner appeared on port 8080 at 212.11.64[.]250, and traffic linked that host to targeted FortiGate devices. The sighting matters because the tool's AI-native orchestration could lower the skill needed to run complex edge-device attacks.

Related Happenings

FortiBleed multi-vendor brute-force wave

Exploitation Wave
H score75 First: 23.06.2026 21:20 Last: 23.06.2026 21:20 Sources 1

About this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score89 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...

Latest development: 23.06.2026 13:30

On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.

FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

Malware Activity
H score72 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...

FortiClient EMS CVE-2026-35616 exploitation wave

Exploitation Wave
H score56 First: 28.05.2026 18:26 Last: 28.05.2026 18:26 Sources 1

About this happening: **CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...

Fortinet security patch release for CVE-2026-44277

Security Patch Release
H score39 First: 12.05.2026 21:23 Last: 12.05.2026 21:23 Sources 1

About this happening: Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...

Timeline

  1. 03.03.2026 02:06 1 articles · 4mo ago

    CyberStrikeAI developer profile mentions CNNVD award

    Attribution Update

    The developer behind CyberStrikeAI, using the alias Ed1s0nZ, mentioned receiving a "CNNVD 2024 Vulnerability Reward Program – Level 2 Contribution Award" on a GitHub profile.

    Show sources
  2. 03.03.2026 02:06 2 articles · 4mo ago

    CyberStrikeAI service banner tied to FortiGate-targeting infrastructure

    Detection Ioc Update

    Team Cymru identified a CyberStrikeAI service banner on port 8080 at 212.11.64[.]250 and saw communications between that host and Fortinet FortiGate devices targeted by the campaign; the infrastructure was last seen running CyberStrikeAI on January 30, 2026.

    Show sources
  3. 03.03.2026 02:06 1 articles · 4mo ago

    Team Cymru discloses CyberStrikeAI use in FortiGate campaign

    Initial Disclosure

    Team Cymru reported that the same threat actor behind an AI-assisted campaign that breached more than 500 FortiGate devices was observed using CyberStrikeAI on 212.11.64[.]250, with NetFlow showing a CyberStrikeAI service banner and traffic to targeted Fortinet FortiGate devices.

    Show sources