A significant spike in brute-force traffic targeting Fortinet SSL VPNs was observed on August 3, with over 780 unique IPs triggering the Fortinet SSL VPN Bruteforcer tag. The activity was deliberate and precise, focusing on FortiOS. Two distinct waves of attacks were identified: a long-running set of brute-force activity and a sudden burst beginning August 5. The second wave shifted from targeting FortiOS to FortiManager - FGFM profile. Historical data revealed a potential residential origin or proxy use. The analysis suggests evolving attack patterns and potential reuse of tooling. Research indicates that such spikes often precede new vulnerability disclosures within six weeks. Defenders are advised to use GreyNoise to search for and block malicious IPs associated with this campaign.