Cybercrime sophistication is no longer primarily determined by technical mastery but by the ability to industrialize opportunities as well. An anonymous, Russian-speaking threat actor quietly orchestrated a campaign over five weeks ago that compromised more than 600 FortiGate devices in 55 countries, without the use of zero-day discoveries or complex exploit chains.
The technology relied instead on commercially available generative artificial intelligence services which were repurposed to automate reconnaissance, credential testing, and large-scale targeting with disturbing efficiency.
According to Amazon Threat Intelligence's findings published in January 2026, the activity occurred during this period, unfolding with a consistency indicating that process rather than improvisation played a significant role.
A noteworthy finding of the investigation is that no new FortiGate vulnerabilities have been exploited. The breach occurred as a result of identifying exposed management ports and using weak credentials protected only by single-factor authentication fundamental security weaknesses that, when amplified by artificial intelligence-assisted automation, permitted even the least sophisticated actors to operate on a global scale.
The success of the campaign was not a result of technical innovation, but rather of systematic exploitation of neglected basics, as CJ Moses, Chief Information Security Officer of Amazon Integrated Security, pointed out in the report.
Further, technical analysis indicates that less emphasis was placed on software flaws than on operational exposure during the campaign.
It appears that the actor has identified FortiGate management interfaces accessible via the public internet by scanning for services that operate on ports 443, 8443, 10443, and 4443, indicating opportunistic targeting rather than sector-specific targeting. The reconnaissance pattern suggests broad reconnaissance for administrative access.
A sustained brute force authentication attempt, using commonly reused or weak passwords was used to carry out the intrusions rather than the use of zero-day exploits, which are often associated with perimeter appliances attacks. Once administrative access had been established to the compromised firewalls, the actor was able to extract complete configuration files quickly from the compromised firewalls using complete configuration files.
Data contained in these files included highly sensitive operational information, such as SSL-VPN credentials and passwords, administrative account information, firewall policies, internal network segmentation rules, IPsec VPN configurations, routing tables, and information relating to broader network topology.
In addition to providing immediate control over the appliance, these datasets provide an in-depth blueprint of the appliance's internal environment, allowing for lateral movement and follow-up.
The investigation led to the identification of server hosting tooling associated with the campaign, which drew the attention of Amazon's security teams.
The exfiltrated configuration files were then decoded and parsed using what appeared to be artificial intelligence-assisted Python and Go utilities, thus expediting the extraction of credential information and architectural insights.
With the help of automation, the actor was able to pivot rapidly across compromised networks and expand access with methodical efficiency as a result of the reduced manual effort required to interpret firewall configurations.
After initial access to the firewall appliance, the threat actor utilized the extracted configuration information to extend control beyond the perimeter of the device.
As a result of obtaining administrative and VPN credentials from these devices, the actor was able to access internal environments and focus on directory services and identity management.
Post-compromise activities included targeting Active Directory deployments, obtaining additional credentials, and assessing privilege levels to facilitate lateral movement in several instances.
Also identified as a priority objective was backup infrastructure, including Veeam servers a practice consistent with financial motivated operations seeking the greatest amount of leverage over victim organizations.
Amazon Web Services stated that the tooling recovered during the investigation was operational, but technically unrefined. Parsing routines appeared simplified, with redundant annotations and structural patterns which suggested early stage automated code generation.
However, the utilities are still effective enough to automate the extraction and structuring of sensitive configuration data on a large scale despite these limitations.
In the actor’s methodology, breadth was favored over persistence; environments with stronger controls or imposing resistance were often deprioritized in favor of targets that were more accessible, emphasizing an approach that prioritized volume rather than stealth or advanced tradecraft.
As far as geography was concerned, the campaign did not have a clear sectoral or regional focus.
Compromises have occurred in Europe, Asia, Africa, and Latin America, suggesting an opportunistic scan and exploitation of exposed infrastructure. Analysts observed clustering patterns that suggested potential access to managed service providers or shared hosting environments, raising the possibility that one compromise could have resulted in cascading exposure to downstream clients.
It confirms a recurring conclusion in enterprise security: foundational controls remain decisive. The timing of these findings is noteworthy as it would likely have disrupted much of the observed activity if management interfaces had been restricted from public exposure, multi-factor authentication enforced, and password reuse had been eliminated.
Google issued a warning only weeks earlier that criminal actors are increasingly using generative artificial intelligence tools directly in operational workflows including its Gemini chatbot for reconnaissance, target profiling, phishing campaigns, and malware development.
It is in this context that the FortiGate intrusions illustrate how AI services are being operationalized as force multipliers for exploiting longstanding security gaps rather than as exotic capabilities.
In the following steps, after the threat actor first gained access to the firewall appliance, he used the extracted configuration data to extend control beyond the perimeter.
By utilizing the device's authentication credentials, the actor could gain access to internal environments, where directory services and identity infrastructure were of particular interest.
As part of post-compromise activities, Active Directory deployments were targeted, additional credentials were harvested, and privilege levels were assessed in order to facilitate lateral movement.
Veeam servers were also identified as a priority objective, consistent with financial motivated operations seeking to maximize leverage over victim organizations.
It was noted by Amazon that the tools recovered during the investigation were functional, but technically unrefined.
The parsing routines looked simplistic, with redundant annotations and structural patterns suggesting automated code generation in its early stages. However, despite these limitations, the utilities demonstrated sufficient effectiveness in automating the extraction and structuring of sensitive configuration data in large quantities.
A broad approach was used by the actor as opposed to persistence; environments implementing more restrictive controls or presenting resistance were frequently overlooked in favor of easier to access targets, underscoring a volume-driven strategy rather than one dependent on stealth or advanced tradecraft. Geographically, the campaign did not adhere to any specific sectoral or regional focus.
There were opportunistic scanning and exploitation of exposed infrastructure across Europe, Asia, Africa, and Latin America that resulted in compromised devices. Analysts observed clusters that indicated potential access to managed hosting environments or managed service providers, indicating that single compromises could have resulted in cascading exposures for downstream clients.
According to the broader assessment, enterprise security remains a recurrent theme: foundational controls continue to be crucial. If management interfaces had been restricted from public exposure, multi-factor authentication was enforced, and password reuse was eliminated, much of the observed activity would likely have been disrupted before escalation occurred.
The timing of these findings is noteworthy.
Google issued a warning only weeks earlier that criminal actors are increasingly using generative artificial intelligence tools directly in operational workflows including its Gemini chatbot for reconnaissance, target profiling, phishing campaigns, and malware development.
It is in this context that the FortiGate intrusions illustrate how AI services are being operationalized as force multipliers for exploiting longstanding security gaps rather than as exotic capabilities.
Upon securing VPN-based footholds, the threat actor developed a custom reconnaissance program, which was developed in parallel in Go and Python.
The goal of this program is to facilitate the systematic detection of compromised accounts after a compromise has occurred.
It is believed that Amazon’s analysis of the source code revealed multiple signs of artificial intelligence-assisted development, such as redundant commentary echoing function names, structurally simplistic design focusing disproportionately on formatting conventions, improvised JSON parsing through string matching rather than formal deserialization, and placeholder compatibility wrappers accompanied by empty documentation.
Despite being operationally adequate for the actor's immediate objectives, the tooling lacked resilience and routinely failed under edge conditions characteristics consistent with machine-generated code deployed with minimal refinement.
The utilities nevertheless allowed automatic detection of compromised environments despite these limitations. They parsed routing tables, segmented networks by size and segmentation, and executed parallel port scans, including the open-source GoGo scanner.
By identifying hosts and domain controllers exposed to SMB, they identified HTTP services that could be accessed by using Nuclei templates.
Execution instability and parsing failures were more common in hardened networks; however, the actor's strategy did not depend upon persistance in such environments. Instead, unsuccessful attempts were frequently abandoned and replaced with targets that were less protected.
As part of the investigation, operational notes containing instructions in Russian were found describing the deployment of Meterpreter payloads and mimikatz for DCSync attacks against Windows domain controllers, which were used to extract NTLM password hashes directly from Active Directory databases.
Backup infrastructure was prominently emphasized in the playbook.
During the campaign, customized PowerShell scripts were used to identify and compromise Veeam Backup and Replication servers, as well as credential extraction binaries were compiled, and exploitable vulnerabilities were attempted.
The actor's infrastructure, including a server at 212[.]11.64.250, was observed by Amazon to contain a PowerShell script titled “DecryptVeeamPasswords.ps1” explicitly designed to retrieve credentials from Veeam environments.
The targeted approach is consistent with established ransomware tactics, which involves neutralizing backup systems prior to encryption to prevent recovery. Several public vulnerabilities are referenced in the actor's documentation, including CVE-2019-7192, which affects QNAP devices, CVE-2023-27532, which affects Veeam information disclosure, and CVE-2024-40711, which affects Veeam remote code execution.
After repeated attempts to exploit patched or tightly controlled systems were unsuccessful, the operator directed attention to more accessible infrastructure rather than escalating technical effort. According to Amazon, the individual or group involved in this activity possess low-to-medium technical proficiency, with generative artificial intelligence enhancing operational capabilities.
There was evidence of at least two commercial large language model providers being integrated into the campaign workflow. By using these services, step-by-step attack methodologies were developed, custom scripts were developed across multiple languages, reconnaissance frameworks were constructed, lateral movement strategies were refined, and operational documentation was prepared.
The actor was known to have submitted to an artificial intelligence platform a complete internal network topology containing IP addresses, hostnames, credentials and enumerated services, as well as structured guidance on how to further compromise the network. As a result, commercially available artificial intelligence services are reducing technical barriers, enabling actors to operationalize complex intrusion sequences that would be beyond the scope of their native capabilities.
An independent study published by Cyber and Ramen security blog provided further technical confirmation. It was discovered that 1,402 files were distributed across 139 subdirectories on the same exposed server identified by Amazon, which included stolen FortiGate configuration backups, Active Directory mapping information, credential dumps, vulnerability assessments, and structured attack planning documents, among other items.
Among the contents of the directory were exploit code repositories, Nuclei scan templates, and Veeam credentials extraction utilities. Over 200 files, including task outputs, session differentials, and cached prompt states associated with Claude Code interactions, were reported to be in two folders labeled "claude-0" and "claude"
The configuration data and credentials related to a compromised FortiGate appliance were located in a separate directory.
This package included a custom Model Context Protocol server named ARXON, described as an intermediary framework that bridged reconnaissance datasets with commercial language models. It did not have any public references, suggesting it was specifically designed for this project.
In order to generate attack plans that were operationalized, the MCP server ingested reconnaissance output and relayed structured inputs to language models.
By deploying the CHECKER2 Go-based orchestration tool over Docker, thousands of VPN endpoints were scanned simultaneously, resulting in logs indicating more than 2,500 potential targets from over 100 countries across a broad spectrum of countries.
According to the researcher, reconnaissance data obtained from FortiGate appliances and internal networks was fed into ARXON, thereby producing structured escalation pathways based on models such as DeepSeek and Claude.
Among the outputs were recommendations on how to obtain Domain Admin privileges, prioritized credential search locations, suggested exploitation sequences, and guidelines on lateral movement.
It has been reported that certain configurations of Claude Code instances could execute offensive tooling - including Impacket scripts, Metasploit modules, and Hashcat - without manual approval, further speeding up the decision-to-action process.
Over a period of several weeks, the operational infrastructure evolved.
The initial phases relied on a free open-source HexStrike MCP framework before converting to a more automated and tailored ARXON environment approximately eight weeks later. This trajectory illustrates a deliberate effort to industrialize post-compromise analysis using artificial intelligence-mediated orchestration.
Germán Fernández of CronUp security research firm identified another exposed server hosting what appears to be artificial intelligence-generated tools that target FortiWeb appliances. Although the discovery is not directly related to the FortiGate campaign, it is a reflection of generative AI becoming increasingly woven into intrusion lifecycles, rather than a novelty.
For defenders, the implications are immediately evident AI does not replace traditional tradecraft, but rather accelerates and scales it. Independent investigations all agree that AI does not replace traditional tradecraft.
Patch edge devices, restrict the access to administrative interfaces, audit anomalous SSH and VPN activity, enforce multi-factor authentication, and harden backup systems as soon as possible to avoid becoming leverage points in automated, artificial intelligence-aided intrusions.
This study indicates that, in addition to the dramatic change in operational dynamics, there has been a significant increase in adversary sophistication.
In this campaign, moderately skilled actors are able to operate at the same pace and reach as more experienced operators as AI services can compress reconnaissance, analysis, and decision making cycles. For enterprise defenders, this lesson is neither abstract nor speculative.
Managing exposures disciplinefully, maintaining continuous credential hygiene, monitoring the identity infrastructure rigorously, and ensuring backup integrity proactive will contribute to the resilience of the organization.
When generative AI is increasingly embedded into offensive workflows, defensive strategies must evolve concurrently prioritizing visibility across edge devices, enforcing layered authentication controls, and stress testing response readiness against automation-driven intrusion patterns.
When operating in this environment, preparedness has less to do with anticipating novelty than it does with eliminating the structural weaknesses that automation is uniquely equipped to exploit at scale.
