A financially driven cybercriminal group has utilized a specialized Golang-based tool, known as FortigateSniffer, to target over 430,000 FortiGate firewalls worldwide. This campaign has covertly collected more than 110 million credentials since February 2026, including data breaches involving a defense contractor linked to NATO.
Massive Credential Harvesting Campaign Unveiled
Dubbed FortiBleed, this operation has been dissected by SOCRadar’s Threat Research Unit (STRU), revealing one of the largest credential-harvesting efforts focused on network perimeter devices to date. The actors behind this scheme, identified as an Initial Access Broker (IAB) with financial motives, were active through mid-June 2026. They conducted 659 separate harvesting cycles, with some of their infrastructure still operational. Comments in Cyrillic suggest a potential Russian origin, with possible ties to ransomware or state-sponsored entities.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory for organizations to secure their Fortinet devices in light of widespread credential exposure.
FortigateSniffer: The Tool’s Technical Overview
The primary instrument of this attack, FortigateSniffer (also known as fg_sniffer), is a Golang-based tool built for Linux and Windows systems. Its interface is entirely in Russian, which points to its origin. Rather than relying on custom malware, the tool abuses FortiOS's own built-in diagnostic command, diagnose sniffer packet, to capture authentication traffic across 24 protocols, including RADIUS, NTLM, Kerberos, and LDAP.
The intercepted data is transformed into .pcapng format by the SNIFTRAN engine and then analyzed using a PCAP Deep Analysis Toolkit to extract cleartext credentials, NTLMv2 hashes, and session cookies. The tool features evasion techniques such as GeoIP-based filtering and business-hour scheduling to avoid detection.
Phases of the Cyber Attack
The operation followed a structured five-phase lifecycle. Initially, attackers performed reconnaissance using tools like Masscan and Shodan_Recon to identify potential targets, classifying them based on corporate revenue. In the second phase, they gained initial access by generating host-credential combinations for brute-force attacks on FortiGate admin accounts.
The third phase involved deploying the FortigateSniffer tool on compromised devices to harvest credentials. The attackers achieved a 90% success rate in SSH validation across 6,127 devices. The fourth phase focused on cracking harvested hashes and moving laterally within networks using specialized tools.
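The two on-device signals described above, the brute-force attempts against admin accounts and the subsequent use of the diagnose sniffer packet command, are what a defender can look for in FortiGate event logs. The following Python script is an added example, not code from SOCRadar's report or from the tool itself; it runs over constructed sample lines that approximate FortiOS key=value event logging, and the field names, message wording, and the assumption that admin CLI commands are logged with their text in the msg field are assumptions rather than verified FortiOS output.

```python
import re
from collections import Counter

# Constructed sample lines approximating FortiOS key=value event logs.
# Field names and messages are assumptions, not real captures.
SAMPLE_LOGS = """\
date=2026-06-15 time=09:12:41 type="event" subtype="system" level="warning" user="admin" srcip=198.51.100.7 ui="ssh(198.51.100.7)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(198.51.100.7)"
date=2026-06-15 time=09:12:43 type="event" subtype="system" level="warning" user="admin" srcip=198.51.100.7 ui="ssh(198.51.100.7)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(198.51.100.7)"
date=2026-06-15 time=09:12:46 type="event" subtype="system" level="warning" user="admin" srcip=198.51.100.7 ui="ssh(198.51.100.7)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(198.51.100.7)"
date=2026-06-15 time=09:12:49 type="event" subtype="system" level="information" user="admin" srcip=198.51.100.7 ui="ssh(198.51.100.7)" action="login" status="success" msg="Administrator admin logged in successfully from ssh(198.51.100.7)"
date=2026-06-15 time=09:14:02 type="event" subtype="system" level="information" user="admin" srcip=198.51.100.7 ui="ssh(198.51.100.7)" action="execute" msg="User admin executed command: diagnose sniffer packet any 'port 88 or port 389 or port 1812' 6"
date=2026-06-15 time=10:01:17 type="event" subtype="system" level="information" user="netops" srcip=10.0.0.5 ui="ssh(10.0.0.5)" action="execute" msg="User netops executed command: get system status"
date=2026-06-15 time=10:05:30 type="event" subtype="system" level="warning" user="admin" srcip=10.0.0.9 ui="https(10.0.0.9)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(10.0.0.9)"
"""

# FortiOS-style tokens: key=value, where value is quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Both the full and abbreviated spellings of the diagnostic, as a CLI user would type them.
SNIFFER_RE = re.compile(r"\bdiag(?:nose)?\s+sniffer\s+packet\b")

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def analyze(logs, brute_threshold=3):
    """Return sniffer invocations and sources exceeding the failed-admin-login threshold."""
    sniffer_hits = []
    failed_by_src = Counter()
    for raw in logs.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        if SNIFFER_RE.search(ev.get("msg", "")):
            sniffer_hits.append((ev.get("time"), ev.get("user"), ev.get("srcip"), ev["msg"]))
        if ev.get("action") == "login" and ev.get("status") == "failed":
            failed_by_src[ev.get("srcip", "unknown")] += 1
    brute = {src: n for src, n in failed_by_src.items() if n >= brute_threshold}
    return {"sniffer": sniffer_hits, "brute_force": brute}

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOGS).items():
        print(k, v)
```

A sniffer invocation that follows a burst of failed logins from the same source, as in the sample, is the sequence the campaign's second and third phases would leave behind and is worth alerting on together rather than separately.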
Finally, the exfiltration phase involved extracting DFS shares from targeted networks without leaving traces. On June 15, 2026, a significant data exfiltration occurred against a NATO-affiliated contractor.
Impact and Global Reach
According to SOCRadar, this campaign exposed 23,406 unique domains across 80,553 FortiGate appliances. Smaller organizations, particularly those with 51 to 200 employees, were predominantly affected, making up 42.3% of the impacted domains. The IT services sector was notably targeted to leverage access into customer environments. Geographically, India and the United States were the most affected, followed by Taiwan, Mexico, and Turkey.
As of mid-June 2026, the campaign remains active, with ongoing updates to the sniffer operations and harvested data directories.
