FortiBleed is a large-scale credential compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways.
Unlike traditional malware campaigns, FortiBleed relies on credential harvesting, offline password cracking, and authenticated access rather than deploying a malware payload.
Arctic Wolf’s reverse engineering of the CyberStrike Harvester provides new insight into how attackers transform compromised perimeter credentials into broader access across enterprise networks.
Key Takeaways of FortiBleed and CyberStrike Harvester
- FortiBleed is a credential-focused campaign that targets internet-facing Fortinet FortiGate devices using credential stuffing, password spraying, and offline password cracking instead of malware.
- Arctic Wolf’s analysis of the CyberStrike Harvester revealed an automated pipeline that extracts, cracks, and validates credentials for follow-on attacks.
- Recovered credentials enabled deeper enterprise access, allowing attackers to authenticate to VPNs, enumerate Active Directory, access SMB shares, and exfiltrate sensitive data.
- The campaign has not been attributed to a known threat actor, although researchers assess with low confidence that the operators are likely Russian-speaking.
What Is FortiBleed?
FortiBleed is the name given to a global credential compromise campaign affecting Fortinet FortiGate devices.
Researchers found that attackers systematically targeted exposed FortiGate management interfaces and SSL VPN gateways using credential stuffing, password spraying, configuration harvesting, offline password cracking, and post-authentication credential collection.
Rather than exploiting a confirmed Fortinet vulnerability, the campaign focuses on obtaining valid credentials that can be reused throughout an organization’s environment.
Public reporting estimates that tens of thousands of FortiGate devices across 194 countries have been affected, although reported totals vary by source.
Reverse Engineering the CyberStrike Harvester
Arctic Wolf analyzed a recovered CyberStrike Harvester binary and found that it serves as the central component of an automated credential processing pipeline.
The Go-based Linux executable processes packet captures, FortiGate text exports, and other network artifacts to extract authentication data.
The recovered data includes NetNTLM hashes, Kerberos tickets, session cookies, tokens, VPN credentials, email accounts, SQL logins, LDAP credentials, and RADIUS authentication data.
Researchers also confirmed that the tool produces Hashcat-ready output files, allowing operators to quickly crack recovered hashes and convert captured network traffic into usable credentials for additional attacks.
A Multi-Stage Credential Pipeline
FortiBleed functions as an integrated credential ecosystem rather than a conventional malware delivery platform.
The campaign begins by targeting internet-facing FortiGate devices before harvesting configuration files and captured traffic.
CyberStrike Harvester extracts credentials and authentication artifacts, while automated cleanup scripts remove duplicate or invalid data to improve password-cracking efficiency.
Operators then use distributed Hashcat infrastructure, Hashtopolis, GPU workers, and a Telegram-based management bot to crack credentials at scale.
Once passwords are recovered, the results are correlated with victim organizations using domain, geographic, and revenue-enrichment data to prioritize high-value targets.
This automated workflow allows attackers to rapidly convert compromised perimeter access into validated enterprise credentials.
Internal Network Access and Data Collection
Recovered credentials frequently enabled authenticated SSL VPN access into victim environments.
Researchers observed operators using openfortivpn along with Python-based Impacket tools to enumerate Active Directory environments, validate Kerberos tickets, authenticate to SMB shares, and identify privileged accounts.
Once internal access was established, automated scripts searched file shares for sensitive documents before collecting data over encrypted SSH connections.
One recovered log documented a successful file-share exfiltration totaling more than 121 GB, illustrating how stolen credentials can quickly escalate from perimeter access to significant data theft.
Attribution Remains Unclear
Although recovered tooling included CyberStrike branding, Russian-language interface strings, and the Telegram handle “@Clarksome,” Arctic Wolf did not attribute the campaign to a known threat actor.
Researchers assessed with low confidence that the operators are likely Russian-speaking but concluded that available evidence is insufficient to identify a specific cybercriminal group.
Instead, they believe the campaign most closely resembles an initial-access brokerage or credential monetization operation that selectively pursues high-value organizations after broad credential collection.
Bottom Line
Attackers combined credential theft, cracking, VPN access, AD enumeration, and file-share collection into a repeatable path from exposed devices to enterprise compromise.
Organizations using Fortinet FortiGate devices should go beyond just patching by rotating credentials, invalidating sessions, and monitoring VPN, Active Directory, and SMB activity.
As credential-focused attacks continue to evolve, organizations should strengthen their zero trust strategies by combining layered identity security with continuous monitoring and strong access controls.
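As an added illustration of the VPN monitoring recommended above (example code, not from the original article or from Arctic Wolf), the Python snippet below flags a source address that fails SSL VPN logins against many distinct accounts inside a short window, the password-spraying pattern described under "What Is FortiBleed?", and records whether a successful tunnel from the same address followed. The FortiGate-style key=value field names and the log lines are constructed assumptions, not values taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a FortiGate-style key="value" syslog layout.
# Field names are an assumption for illustration, not copied from the article.
SAMPLE_LOGS = """\
date=2024-05-01 time=09:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.5
date=2024-05-01 time=09:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.5
date=2024-05-01 time=09:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.5
date=2024-05-01 time=09:00:08 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=203.0.113.5
date=2024-05-01 time=09:00:12 type="event" subtype="vpn" action="tunnel-up" user="dave" remip=203.0.113.5
date=2024-05-01 time=09:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip=198.51.100.9
date=2024-05-01 time=09:05:30 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip=198.51.100.9
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value syslog line into a dict with quotes stripped and a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields

def detect_spray(log_text, min_users=3, window=timedelta(minutes=5)):
    """Return {remip: {...}} for each source that failed against at least
    `min_users` distinct accounts within `window`; a repeated failure on a
    single account (a user mistyping a password) does not trigger an alert."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["remip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["action"] == "ssl-login-fail"]
        for i, first in enumerate(fails):
            # Distinct accounts attacked inside the sliding window starting at this failure
            users = {e["user"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                # A tunnel coming up after the spray means a credential was validated: escalate
                later_success = any(e["action"] == "tunnel-up" and e["ts"] >= first["ts"] for e in evs)
                alerts[ip] = {"users": sorted(users), "success_after_spray": later_success}
                break
    return alerts
```

In production the same logic would run over the firewall's forwarded syslog stream, and the `success_after_spray` flag is the case that warrants immediate session invalidation and credential rotation for the affected account.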