AI-Powered Hacker Compromises 600+ FortiGate Devices Worldwide


A Russian-speaking, financially motivated threat actor, likely an individual or a small group, is leveraging multiple commercial Large Language Models (LLMs) to conduct large-scale cyberattacks. Between January 11 and February 18, 2026, the actor compromised over 600 FortiGate devices across more than 55 countries. This campaign is notable for its “AI-powered assembly line” approach, which allows an unsophisticated actor to achieve the operational scale of a much larger, more skilled team.

Severity: High

Threat Actor Profile

  • Origin & Motivation: Russian-speaking and financially motivated.
  • Sophistication: Technically limited; relies on AI to bridge skill gaps and automate manual tasks.
  • Behavioral Pattern: Opportunistic targeting. When encountering hardened defenses, the actor moves to “softer” targets rather than persisting.

Role of Generative AI (LLMs) in the Kill Chain

The actor uses services such as DeepSeek and Claude to automate every phase of the intrusion workflow:

  • Triaging and Analysis: LLMs process reconnaissance data to identify critical internal targets (e.g., Oracle databases, biometric devices).
  • Attack Planning: DeepSeek is specifically used to generate detailed attack plans based on initial recon.
  • Vulnerability Assessment: Claude’s coding agent produces live reports and documents targets, such as QNAP NAS and Veeam Backup servers.
  • Autonomous Tool Execution: A custom Model Context Protocol (MCP) bridge allows Claude Code to autonomously run offensive tools (e.g., Impacket, Metasploit, hashcat) without manual approval for each command.

Custom Tooling

The actor evolved from public frameworks to custom-built tools between December 2025 and February 2026:

  • CHECKER2: A Go-based Docker orchestrator for parallel VPN scanning & target processing.
  • ARXON MCP: A Python-based server that integrates LLM analysis with offensive scripts, maintaining a persistent knowledge base of targets.
  • HexStrike: An open-source framework used in earlier (Dec 2025) phases of the campaign.

Victimology & Targets

  • Geographic Scope: Global, with confirmed compromises in Turkey (telecom), Asia-Pacific (industrial gas), and Asia (media).
  • Targeted Vulnerabilities:
    • CVE-2023-27532: Veeam Backup & Replication.
    • CVE-2019-7192: QNAP NAS access.
    • CVE-2026-24061: Possible targeting of ZKSoftware biometric devices.
    • CVE-2025-33073: SMB.

Source:

  • https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/
  • https://cyberandramen.net/2026/02/21/llms-in-the-kill-chain-inside-a-custom-mcp-targeting-fortigate-devices-across-continents/
