Security firm SOCRadar reports that the large-scale “FortiBleed” campaign targeting Fortinet FortiGate devices involved the use of custom-built sniffing tools to harvest authentication secrets and credentials from compromised firewalls. The investigation expands on earlier findings that linked the operation to VPN credential exposure across more than 80,000 firewall endpoints globally.
According to SOCRadar, the campaign has been active since at least February 2026 and may have impacted over 430,000 FortiGate devices worldwide. The threat actor is believed to operate as an initial access broker, relying on credential stuffing, brute-force attacks, and credential harvesting to gain footholds in enterprise environments before extracting sensitive authentication data at scale.
At the center of the operation is a Golang-based tool referred to as “FortigateSniffer,” which abuses FortiOS’s built-in “diagnose sniffer packet” functionality to capture authentication traffic traversing affected devices. Once deployed via SSH after administrative compromise, the tool monitors network flows for credentials and authentication material across a wide range of protocols, including RADIUS, LDAP, Kerberos, NTLM, SMB, and database services such as MySQL and PostgreSQL.
Captured traffic is then processed through a pipeline that reconstructs PCAP files and extracts usable authentication data, including cleartext credentials, password hashes, and Kerberos tickets. The attackers reportedly convert this data into Hashcat-ready formats and leverage GPU-accelerated cracking infrastructure to recover additional passwords, potentially using both stolen traffic and configuration files pulled from compromised devices. Security researchers note that the campaign highlights how legitimate firewall diagnostics can be repurposed into a powerful credential-harvesting mechanism once administrative access is obtained.
