FortiBleed Campaign Leverages Custom Sniffers and GPU Clusters to Harvest FortiGate Credentials
A large-scale campaign dubbed "FortiBleed" is actively compromising **Fortinet FortiGate** firewalls, deploying custom sniffers to harvest authentication secrets. Researchers at **SOCRadar** detail how threat actors exploit built-in diagnostic tools and leverage powerful GPU clusters for rapid password cracking, exposing tens of thousands of VPN credentials.
Security firm **SOCRadar** has unveiled new details on the ongoing "FortiBleed" campaign, which targets **Fortinet FortiGate** devices worldwide. The operation, active since at least February 2026, has reportedly targeted over 430,000 **FortiGate** firewalls, leading to the exposure of VPN credentials for more than 80,000 devices.
### Initial Access and Custom Tooling
**SOCRadar** identifies the threat actor behind FortiBleed as an initial access broker (IAB), employing credential stuffing, brute-force attacks, credential harvesting, and offline password cracking to infiltrate corporate networks.
A key finding is the alleged use of a Golang-based tool named "FortigateSniffer." This sophisticated tool abuses **FortiOS's** legitimate `diagnose sniffer packet` functionality to capture authentication traffic directly from compromised **FortiGate** devices.
According to **SOCRadar**, "FortigateSniffer" monitors traffic across 24 protocols, parsing authentication data and extracting credentials, password hashes, and authentication secrets from protocols like RADIUS, NTLM, Kerberos, and LDAP.
### Sniffing for Secrets
Once administrative access is gained through methods like credential stuffing, the "FortigateSniffer" framework is deployed. The tool connects to **FortiGate** devices via SSH and initiates the `diagnose sniffer packet` command.
This built-in **FortiOS** diagnostic tool, normally used by administrators to troubleshoot network problems, is configured by the attackers to capture traffic for a wide range of authentication and remote-access services, including Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, Microsoft SQL Server, MySQL, PostgreSQL, SMTP, IMAP, POP3, FTP, and Telnet. Because the firewall sits in the path of that traffic, administrative access to the device is enough to observe authentication exchanges between internal clients and servers that the **FortiGate** itself never authenticates to.
Packet data collected by the sniffer is then processed by a component called "SNIFTRAN," which reconstructs the captured traffic into PCAP files.
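What that reconstruction step amounts to, as an added example that is not SNIFTRAN's code or anything from the SOCRadar report: a small converter from the text that `diagnose sniffer packet` prints at verbose level 6 to a libpcap file. It assumes the row layout that Fortinet's own `fgt2eth.pl` script parses (one header line per packet, then `0x0010`-style hex rows); the sample dump embedded in it is constructed for the example, not captured traffic.

```python
"""Rebuild a PCAP from `diagnose sniffer packet ... 6` text output.

Added example, not SNIFTRAN or Fortinet's own converter. It assumes the
verbose-level-6 layout that Fortinet's fgt2eth.pl script also parses: a header
line per packet ("<sec>.<usec> <iface> <in|out> <summary>") followed by hex-dump
rows of the form "0x0010<TAB> 4500 0028 ...<TAB>ascii".
"""
import re
import struct
import sys
from typing import Iterator, Tuple

# Hex-dump row: 4-digit offset, then up to eight 4-digit hex groups (16 bytes).
# Capping at eight groups keeps the trailing ASCII column out of the match.
_HEX_ROW = re.compile(r"^0x([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{4} ?){1,8})")
# Packet header row. Timestamps are relative seconds unless the sniffer was
# started with the absolute-timestamp option; the file format does not care.
_PKT_ROW = re.compile(r"^(\d+)\.(\d{1,6})\s+(\S+)\s+(in|out)\s+(.*)$")

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap, little-endian, microsecond ts
LINKTYPE_ETHERNET = 1

Packet = Tuple[int, int, str, bytes]   # (sec, usec, iface, frame)

# Constructed sample: one LDAP SYN and its SYN/ACK, 54-byte Ethernet frames.
SAMPLE_DUMP = """interfaces=[port1]
filters=[tcp port 389]
2.254678 port1 in 10.0.0.5.51242 -> 10.0.0.10.389: syn 1
0x0000\t 0050 56ab cdef 0050 5612 3456 0800 4500\t.PV....PV.4V..E.
0x0010\t 0028 1234 4000 4006 0000 0a00 0005 0a00\t.(.4@.@.........
0x0020\t 000a c82a 0185 0000 0001 0000 0000 5002\t...*..........P.
0x0030\t 7210 0000 0000\tr.....
2.254901 port1 out 10.0.0.10.389 -> 10.0.0.5.51242: syn 5000 ack 2
0x0000\t 0050 5612 3456 0050 56ab cdef 0800 4500\t.PV.4V.PV.....E.
0x0010\t 0028 0000 4000 4006 0000 0a00 000a 0a00\t.(..@.@.........
0x0020\t 0005 0185 c82a 0000 1388 0000 0002 5012\t.....*........P.
0x0030\t 7210 0000 0000\tr.....
"""


def parse_sniffer_output(text: str) -> Iterator[Packet]:
    """Yield one (sec, usec, iface, frame) tuple per packet in the dump."""
    cur = None
    for line in text.splitlines():
        m = _PKT_ROW.match(line)
        if m:
            if cur is not None:
                yield cur[0], cur[1], cur[2], bytes(cur[3])
            sec, frac, iface = int(m.group(1)), m.group(2), m.group(3)
            usec = int(frac.ljust(6, "0"))          # "2.25" -> 250000 us
            cur = (sec, usec, iface, bytearray())
            continue
        m = _HEX_ROW.match(line)
        if m and cur is not None:
            offset = int(m.group(1), 16)
            chunk = bytes.fromhex(m.group(2).replace(" ", ""))
            buf = cur[3]
            if len(buf) < offset:                   # tolerate a skipped row
                buf.extend(b"\x00" * (offset - len(buf)))
            buf[offset:offset + len(chunk)] = chunk
    if cur is not None:
        yield cur[0], cur[1], cur[2], bytes(cur[3])


def to_pcap(text: str) -> bytes:
    """Serialise the parsed packets as a classic libpcap file (Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for sec, usec, _iface, frame in parse_sniffer_output(text):
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == "__main__":
    # Usage: python fgt_sniffer2pcap.py sniffer-session.txt  -> writes .pcap
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    name = (sys.argv[1] if len(sys.argv) > 1 else "sample") + ".pcap"
    with open(name, "wb") as fh:
        fh.write(to_pcap(src))
    print(f"wrote {name}: {sum(1 for _ in parse_sniffer_output(src))} packets")
```

The same reader is what an incident responder needs to examine a sniffer session an attacker left in a shell log; the only difference between that and SNIFTRAN is who runs it and what they do with the resulting PCAP.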

### Advanced Credential Cracking
These PCAP files are further analyzed by a Python-based "PCAP Deep Analysis Toolkit." This toolkit extracts cleartext credentials, password hashes, Kerberos tickets, NTLM authentication material, email credentials, and database credentials from the network traffic.
Crucially, the toolkit writes **Hashcat**-ready files for the NTLM and Kerberos material and separates out any cleartext credentials. The threat actors then run the GPU-accelerated password cracker **Hashcat** across a distributed GPU cluster to recover passwords from those hashes. Material captured on the wire, such as NTLM challenge-response pairs and Kerberos tickets, is not replayable as-is, but it yields the underlying password offline whenever that password is weak or appears in a wordlist, so the size of the cluster decides how many accounts fall.
Cybersecurity expert **Kevin Beaumont** further suggested that attackers also obtained hashed credentials by directly downloading **FortiGate** configuration files from compromised devices. He noted that the attackers rented 36 enterprise-class GPUs from a GenAI company, dedicating these powerful resources to password cracking rather than AI tasks.
### Call to Action for Fortinet Users
While **Fortinet** initially stated that the incident involved a collection of previously compromised credentials, **SOCRadar's** report indicates an active and ongoing campaign. **Kevin Beaumont** has published a [list of IP addresses](http://owned.lab6.com/~gossi/research/public/fortibleed/some-fortibleed-ips.txt) targeted in this campaign.
Organizations running **FortiGate** devices should check their administrative and VPN login logs against this list and investigate any matches. Where a device turns out to have been compromised, any credential that transited it for the services listed above should be treated as exposed and rotated, since the sniffer captured traffic passing through the device, not just the firewall's own accounts. Restricting administrative access to trusted hosts and dedicated management interfaces removes the SSH foothold the sniffer depends on, and strong, unique passwords, multi-factor authentication, and regular security audits remain essential against campaigns of this kind.
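A starting point for that review, as an added example rather than SOCRadar's or Fortinet's tooling: a hunt over FortiGate event logs that flags administrative logins from watch-listed addresses (the published IP list would replace the placeholder entries) and any execution of `diagnose sniffer packet`, the two signals the sections above describe. The key=value layout follows FortiOS syslog, but the field names (`ui`, `srcip`, `user`, `action`, `msg`) and every log line are assumptions constructed for the example; check them against a real export with `cli-audit-log` enabled before relying on the parser.

```python
"""Hunt FortiGate event logs for FortiBleed-style activity.

Added example, not SOCRadar's or Fortinet's code. Two signals are checked:
administrative logins (successful or failed) from a watch-listed source, and
execution of `diagnose sniffer packet` by any administrator. The key=value
layout mirrors FortiOS syslog, but the field names (ui, srcip, user, action,
msg) and all sample lines are assumptions constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder watch list (RFC 5737 documentation addresses); in practice load
# the published FortiBleed IP list here.
WATCHLIST = ["203.0.113.7", "198.51.100.0/24"]

SNIFFER_CMD = "diagnose sniffer packet"
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')              # key="quoted" or key=bare
_UI_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")    # ui="ssh(1.2.3.4)"

# Constructed sample log, not a real export.
SAMPLE_LOGS = [
    'date=2026-03-02 time=03:14:07 type="event" subtype="system" level="notice" '
    'logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.7)" '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2026-03-02 time=03:14:22 type="event" subtype="system" level="notice" '
    'logdesc="Command executed" user="admin" ui="ssh(203.0.113.7)" action="execute" '
    'msg="Execute command: diagnose sniffer packet any \'tcp port 88 or tcp port 389\' 6 0 l"',
    'date=2026-03-02 time=08:02:11 type="event" subtype="system" level="notice" '
    'logdesc="Admin login successful" user="netops" ui="https(10.20.0.4)" '
    'action="login" status="success" msg="Administrator netops logged in successfully"',
    'date=2026-03-02 time=09:30:00 type="event" subtype="system" level="warning" '
    'logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.23)" '
    'action="login" status="failed" msg="Administrator admin login failed"',
    'date=2026-03-02 time=09:31:00 type="traffic" subtype="forward" '
    'srcip=198.51.100.23 dstip=10.0.0.1 action="deny"',
]


def parse_line(line: str) -> dict:
    """Split a FortiOS-style key=value line into a dict, quotes stripped."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def source_ip(fields: dict):
    """srcip if present, else the address embedded in ui="ssh(1.2.3.4)"."""
    if "srcip" in fields:
        return fields["srcip"]
    m = _UI_IP.search(fields.get("ui", ""))
    return m.group(1) if m else None


def in_watchlist(ip, nets) -> bool:
    """True if ip falls inside any watch-listed host or network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


@dataclass
class Finding:
    line_no: int
    reason: str
    user: str
    src: str


def hunt(lines, watchlist=WATCHLIST):
    """Return a Finding for each watch-listed admin login or sniffer start."""
    nets = [ipaddress.ip_network(w, strict=False) for w in watchlist]
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        if f.get("type") != "event":        # admin activity is logged as events
            continue
        user, src = f.get("user", "?"), source_ip(f) or "?"
        if f.get("action") == "login" and in_watchlist(src, nets):
            findings.append(Finding(n, f"admin login ({f.get('status', '?')}) "
                                       f"from watch-listed {src}", user, src))
        if SNIFFER_CMD in f.get("msg", "").lower():
            findings.append(Finding(n, "packet sniffer started on firewall", user, src))
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.reason} (user={hit.user})")
```

Failed logins are reported as well as successful ones on purpose: a watch-listed address trying and failing is the credential-stuffing phase the report describes, and it is the earliest point at which the device can still be taken off the attacker's path.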