VYPR · Breach · Published Jun 23, 2026 · 1 source

FortiBleed: Custom FortigateSniffer Tool Harvests 110 Million Credentials from 430,000 FortiGate Firewalls

A financially motivated threat actor has deployed the custom Golang tool FortigateSniffer across over 430,000 FortiGate firewalls globally, harvesting more than 110 million credentials since February 2026.

A financially motivated threat actor has deployed a custom Golang-based tool called FortigateSniffer across more than 430,000 FortiGate firewalls globally, silently harvesting over 110 million credentials since at least February 2026, including confirmed data exfiltration from a NATO-aligned defense contractor. The campaign, dubbed FortiBleed and investigated by SOCRadar's Threat Research Unit (STRU), represents one of the most extensive credential-harvesting operations targeting network perimeter devices ever documented.

The threat actor, assessed to be an Initial Access Broker (IAB) motivated by financial gain, operated continuously through mid-June 2026, running 659 discrete harvest cycles with infrastructure that remains partially active at the time of writing. Tooling with Cyrillic-alphabet comments suggests a possible Russian origin, with potential links to ransomware groups or state-sponsored actors. CISA has issued an urgent advisory warning organizations to secure their Fortinet devices following reports of a large-scale credential exposure.

The core weapon is FortigateSniffer (also tracked as fg_sniffer), a Golang-based tool compiled for both Linux and Windows. Rather than deploying malware, the tool abuses FortiOS's own built-in diagnostic command, "diagnose sniffer packet", to passively intercept all authentication traffic traversing a compromised firewall across 24 protocols, including RADIUS, NTLM, Kerberos, LDAP, RDP, SMB, MSSQL, FTP, Telnet, and WinRM. Once sniffed, the raw SSH terminal output is converted into .pcapng format by the SNIFTRAN engine, then processed through a PCAP Deep Analysis Toolkit (v5.0) that extracts cleartext credentials, NTLMv2 hashes, Kerberos TGS/ASREP tickets, and session cookies. The tool also incorporates two evasion techniques: GeoIP-based filtering and business-hour scheduling, restricting active sniffing to 07:00–18:00 Moscow Time so that its activity blends into normal daytime traffic and avoids the anomaly alerts that off-hours activity would trigger.

The operation follows a methodical, five-phase lifecycle.

Phase 1 — Reconnaissance & Credential Sourcing: Attackers used Masscan for broad port sweeps, Shodan_Recon for passive enrichment via SSL/certificate metadata, and FortiProbe-fast to classify targets into FortiGate/non-FortiGate/dead. Custom scripts ranked targets by corporate revenue before any exploitation began, reflecting deliberate, economic-value-driven targeting rather than indiscriminate opportunism.

Phase 2 — Pairing & Initial Access: The tool gen_rotator generated host-credential Cartesian product combo files. These fed into mpbrute2.bin for SSH brute-force attacks against FortiGate admin accounts using 16 product-specific wordlists, and into forticheck (up to 25,000 threads) for SSLVPN portal credential stuffing.

Phase 3 — Sniffer Deployment & Harvesting: With valid SSH credentials, attackers logged into each compromised FortiGate and injected FortigateSniffer, turning the device into a passive listener. In observed deployments, 6,127 devices were loaded with the sniffer, with a 90% SSH validation success rate. By the operation's end, ssh.txt contained 237,330 working FortiGate SSH credentials.

Phase 4 — Cracking & Lateral Movement: Harvested hashes were cracked via a Hashtopolis-managed Hashcat GPU cluster augmented by dynamically rented capacity from vast.ai, orchestrated through a dedicated Telegram bot that dynamically allocated one to six GPUs and delivered live cracking telemetry. Lateral movement tools then moved across Active Directory environments.

Phase 5 — Exfiltration: backup_dfs.py recursively extracted full DFS shares via SMB and streamed them directly to attacker SSH servers without local staging. On June 15, 2026, following offline cracking of 172 Kerberos RC4 hashes, the actor executed a targeted DFS backup exfiltration against a NATO-aligned defense contractor.

According to SOCRadar's Threat Research Unit, the campaign exposed 23,406 unique domains across 80,553 FortiGate appliances. 66% of victims have fewer than 200 employees, with the 51–200 employee range accounting for 42.3% of all affected domains — organizations large enough to deploy FortiGate but typically lacking dedicated security operations. IT services are the dominant sector (8.4% of victims), a deliberate targeting choice to maximize downstream access into customer environments. India (11.4%) and the United States (10.1%) top the geographic distribution, followed by Taiwan, Mexico, and Turkey. The campaign remains active as of mid-June 2026, with sniffer operations and harvest results directories continuing to be updated. Organizations are urged to audit FortiGate SSH access, rotate all administrative credentials, and monitor for the indicators of compromise published by SOCRadar.
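As an added example (not code from SOCRadar, Vypr, or the campaign tooling), the following Python script shows how a defender might triage FortiGate administrative event logs for three of the behaviours described above: repeated SSH login failures against an admin account (the Phase 2 brute-force), successful SSH admin logins from sources outside an administrative allowlist (the SSH access audit recommended at the end), and execution of the built-in "diagnose sniffer packet" command that FortigateSniffer abuses. The log lines are constructed for the example, and the field names it keys on (ui, action, status, cli) are assumptions about the log format rather than a documented FortiOS schema; a real deployment would map them to whatever the device and SIEM actually emit, and the firewall must be configured to log administrator CLI commands for the sniffer rule to have anything to match.

```python
import re
from collections import Counter, namedtuple

# Constructed sample event lines in a FortiGate-style key="value" layout.
# Field names (ui, action, status, cli) are assumptions for this example,
# not records from a real device or from the campaign.
SAMPLE_LOGS = """\
date=2026-06-10 time=09:14:02 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" action="login" status="failed" msg="Administrator admin login failed from ssh"
date=2026-06-10 time=09:14:03 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" action="login" status="failed" msg="Administrator admin login failed from ssh"
date=2026-06-10 time=09:14:05 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" action="login" status="failed" msg="Administrator admin login failed from ssh"
date=2026-06-10 time=09:14:06 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" action="login" status="failed" msg="Administrator admin login failed from ssh"
date=2026-06-10 time=09:14:07 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" action="login" status="failed" msg="Administrator admin login failed from ssh"
date=2026-06-10 time=09:14:09 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" action="login" status="success" msg="Administrator admin logged in successfully from ssh"
date=2026-06-10 time=09:15:31 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" action="cli" msg="Command executed" cli="diagnose sniffer packet any 'port 88' 6 0 a"
date=2026-06-10 time=10:02:44 type="event" subtype="system" user="netops" ui="ssh(10.0.5.20)" action="login" status="success" msg="Administrator netops logged in successfully from ssh"
date=2026-06-10 time=10:03:10 type="event" subtype="system" user="netops" ui="ssh(10.0.5.20)" action="cli" msg="Command executed" cli="get system status"
"""

# Hypothetical allowlist of jump hosts that administrators are expected to use.
ALLOWED_ADMIN_SOURCES = {"10.0.5.20"}

# key=value or key="quoted value"; the quoted alternative is tried first so
# that spaces, equals signs and single quotes inside a value are kept intact.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Matches the FortiOS built-in sniffer command the campaign abuses.
SNIFFER_RE = re.compile(r"\bdiagnose\s+sniffer\s+packet\b")
# ui values look like ssh(203.0.113.7) or https(10.0.0.1): method and source.
UI_RE = re.compile(r"^(\w+)\((.*)\)$")

Finding = namedtuple("Finding", "kind when user source detail")


def parse_line(line):
    """Parse one key=value log line into a dict of string fields."""
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return rec


def source_of(rec):
    """Split the ui field into (access method, source address)."""
    m = UI_RE.match(rec.get("ui", ""))
    return (m.group(1), m.group(2)) if m else (rec.get("ui", ""), "")


def triage(lines, allowed_sources, fail_threshold=5):
    """Return findings for brute force, unexpected SSH sources and sniffer use."""
    findings = []
    fails = Counter()  # (user, source) -> consecutive failed login count
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        when = f"{rec.get('date', '?')} {rec.get('time', '?')}"
        method, src = source_of(rec)
        user = rec.get("user", "?")
        action = rec.get("action")
        if action == "login":
            if rec.get("status") == "failed":
                fails[(user, src)] += 1
                # Emit once, when the threshold is first crossed.
                if fails[(user, src)] == fail_threshold:
                    findings.append(Finding("brute_force", when, user, src,
                                            f"{fail_threshold} failed logins"))
            elif rec.get("status") == "success" and method == "ssh" \
                    and src not in allowed_sources:
                findings.append(Finding("ssh_login_unexpected_source", when, user,
                                        src, "source not in admin allowlist"))
        elif action == "cli" and SNIFFER_RE.search(rec.get("cli", "")):
            # The sniffer is a legitimate diagnostic, so the rule fires on every
            # use; an analyst confirms whether the operator and source are expected.
            findings.append(Finding("packet_sniffer_started", when, user, src,
                                    rec["cli"]))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. for a dashboard or alert roll-up."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS.splitlines(), ALLOWED_ADMIN_SOURCES):
        print(f"[{f.kind}] {f.when} user={f.user} src={f.source} :: {f.detail}")
```

Note that every sample timestamp falls inside the 07:00–18:00 window the actor deliberately works in, so a detection that baselines on time of day would see nothing unusual; the rules here key on the command itself, the login source and the failure burst instead, which is why the sniffer rule fires on each use and leaves the "is this operator expected?" judgement to the analyst rather than suppressing daytime activity.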

Synthesized by Vypr AI