Find notable cyber news and cases, enriched with sources, timelines, and signals.

Fortinet FortiGate CyberStrikeAI-assisted hacking campaign

Campaign
First reported
Last updated
Happening score
H score 40
2 unique sources, 2 articles

Summary

Hide ▲

An AI-assisted campaign targeting Fortinet FortiGate firewalls has been tied to CyberStrikeAI infrastructure, suggesting automated tooling is helping scale attacks against exposed edge devices. It had already breached more than 500 devices in five weeks, making the operation a high-volume intrusion effort. Researchers also linked 212.11.64[.]250 to the activity after seeing a CyberStrikeAI service banner on port 8080 and network traffic to targeted Fortinet devices. The infrastructure footprint expanded to 21 unique IP addresses across China, Singapore, Hong Kong, the United States, Japan, and Europe between January 20 and February 26, 2026.

Related Happenings

FortiBleed multi-vendor brute-force wave

Exploitation Wave
H score75 First: 23.06.2026 21:20 Last: 23.06.2026 21:20 Sources 1

About this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score89 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...

Latest development: 23.06.2026 13:30

On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.

FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

Malware Activity
H score72 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...

FortiGate firewall and SSL VPN customers data exposed after Fortinet breach

Data Leak
H score93 First: 22.06.2026 11:30 Last: 22.06.2026 11:30 Sources 1

About this happening: The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score89 First: 19.06.2026 17:00 Last: 19.06.2026 17:00 Sources 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

Timeline

  1. 03.03.2026 02:06 2 articles · 4mo ago

    CyberStrikeAI activity on 212.11.64[.]250

    Detection Ioc Update

    Team Cymru's NetFlow analysis linked 212.11.64[.]250 to the Fortinet FortiGate-targeting campaign after identifying a CyberStrikeAI service banner on port 8080 and traffic between that host and FortiGate devices targeted by the same threat actor.

    Show sources
  2. 03.03.2026 02:06 1 articles · 4mo ago

    Team Cymru publicly links CyberStrikeAI to the FortiGate campaign

    Initial Disclosure

    Team Cymru disclosed that the same threat actor behind the Fortinet FortiGate campaign was observed using CyberStrikeAI infrastructure, including 212.11.64[.]250, and warned that AI-native orchestration engines could accelerate automated targeting of exposed edge devices.

    Show sources