Fortinet FortiGate CyberStrikeAI-assisted hacking campaign
Campaign
Summary
Hide ▲
Show ▼
An AI-assisted campaign targeting Fortinet FortiGate firewalls has been tied to CyberStrikeAI infrastructure, suggesting automated tooling is helping scale attacks against exposed edge devices. It had already breached more than 500 devices in five weeks, making the operation a high-volume intrusion effort. Researchers also linked 212.11.64[.]250 to the activity after seeing a CyberStrikeAI service banner on port 8080 and network traffic to targeted Fortinet devices. The infrastructure footprint expanded to 21 unique IP addresses across China, Singapore, Hong Kong, the United States, Japan, and Europe between January 20 and February 26, 2026.
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortiGate firewall and SSL VPN customers data exposed after Fortinet breach
Data Leak
H score93
First: 22.06.2026 11:30
Last: 22.06.2026 11:30
Sources 1
About this happening:
The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...
FortiGate firewall and SSL VPN customers data exposed after Fortinet breach
Data LeakAbout this happening: The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
Timeline
-
03.03.2026 02:06 2 articles · 4mo ago
CyberStrikeAI activity on 212.11.64[.]250
Detection Ioc UpdateTeam Cymru's NetFlow analysis linked 212.11.64[.]250 to the Fortinet FortiGate-targeting campaign after identifying a CyberStrikeAI service banner on port 8080 and traffic between that host and FortiGate devices targeted by the same threat actor.
Show sources
- CyberStrikeAI tool adopted by hackers for AI-powered attacks — www.bleepingcomputer.com — 03.03.2026 02:06
- Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries — thehackernews.com — 03.03.2026 16:29
-
03.03.2026 02:06 1 articles · 4mo ago
Team Cymru publicly links CyberStrikeAI to the FortiGate campaign
Initial DisclosureTeam Cymru disclosed that the same threat actor behind the Fortinet FortiGate campaign was observed using CyberStrikeAI infrastructure, including 212.11.64[.]250, and warned that AI-native orchestration engines could accelerate automated targeting of exposed edge devices.
Show sources
- CyberStrikeAI tool adopted by hackers for AI-powered attacks — www.bleepingcomputer.com — 03.03.2026 02:06