Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory
Essential information
- Published
- 24/06/2026 05:38
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- credential harvesting credential stuffing cyberstrike harvester ekz infostealer file exfiltration fortibleed fortigate hashcat kerberos password spraying ssl vpn
- Related entities
- 3 vulnerabilities (cve), 8 indicators, 2 observables, 21 techniques (mitre), 2 malware
Description
FortiBleed is a large-scale credential compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways worldwide. The operation runs a multi-stage credential pipeline that combines credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication capture processing. Reverse engineering of the CyberStrike Harvester v1.5 binary revealed a complete workflow that converts FortiGate access into multi-protocol credential extraction, hash cracking on Hashcat/Hashtopolis GPU clusters, VPN-bound Active Directory and SMB access, and file-share exfiltration. The campaign affected devices across 194 countries and relies on a seven-VM Kali lab infrastructure with automated tooling, including FortiGate Sniffer panels, Telegram-orchestrated cracking bots, and Python/Impacket-based lateral movement tools. One documented exfiltration operation collected 121.43 GB from internal file shares. The operation appears to function as initial-access brokerage wi...