Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory

Published 24/06/2026 05:38

Essential information

Published
24/06/2026 05:38
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
credential harvesting, credential stuffing, cyberstrike harvester, ekz infostealer, file exfiltration, fortibleed, fortigate, hashcat, kerberos, password spraying, ssl vpn
Related entities
3 vulnerabilities (cve), 8 indicators, 2 observables, 21 techniques (mitre), 2 malware

Description

FortiBleed is a large-scale credential compromise campaign targeting internet-facing Fortinet firewalls and gateways globally. The operation employs a sophisticated credential pipeline utilizing , , configuration harvesting, offline cracking, and post-authentication capture processing. Reverse engineering of the CyberStrike Harvester v1.5 binary revealed a comprehensive workflow converting access into multi-protocol credential extraction, hash cracking via Hashcat/Hashtopolis GPU clusters, VPN-bound Active Directory and SMB access, and file-share exfiltration. The campaign affected devices across 194 countries and uses a seven-VM Kali lab infrastructure with automated tooling including Sniffer panels, Telegram-orchestrated cracking bots, and Python/Impacket-based lateral movement tools. One documented exfiltration operation collected 121.43 GB from internal file shares. The operation appears to function as initial-access brokerage wi...

External references