{
  "name": "Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory",
  "slug": "inside-fortibleed-reverse-engineering-the-cyberstrike-harvester-behind-a-global-fortigate-credential-factory",
  "description": "FortiBleed is a large-scale credential compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways globally. The operation employs a sophisticated credential pipeline utilizing credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication capture processing. Reverse engineering of the CyberStrike Harvester v1.5 binary revealed a comprehensive workflow converting FortiGate access into multi-protocol credential extraction, hash cracking via Hashcat/Hashtopolis GPU clusters, VPN-bound Active Directory and SMB access, and file-share exfiltration. The campaign affected devices across 194 countries and uses a seven-VM Kali lab infrastructure with automated tooling including FortiGate Sniffer panels, Telegram-orchestrated cracking bots, and Python/Impacket-based lateral movement tools. One documented exfiltration operation collected 121.43 GB from internal file shares. The operation appears to function as initial-access brokerage wi...",
  "published": "2026-06-24T03:38:20.598000+00:00",
  "created_at": "2026-06-24T17:46:12.632000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-24T17:46:12.632000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "credential harvesting",
    "credential stuffing",
    "cyberstrike harvester",
    "ekz infostealer",
    "file exfiltration",
    "fortibleed",
    "fortigate",
    "hashcat",
    "kerberos",
    "password spraying",
    "ssl vpn"
  ],
  "tags": [],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "4eedeba1-171c-41ec-af2d-c1b0d8078f36",
        "name": "CVE-2026-25089"
      },
      {
        "id": "64250bad-f1f8-48b8-8a02-0f785ae24b4d",
        "name": "CVE-2026-0257"
      },
      {
        "id": "0919c8b4-bccd-4820-9dbc-cf5d0975b56f",
        "name": "CVE-2026-35616"
      }
    ],
    "indicators": [
      {
        "id": "162bafe3-7970-45d2-a9fe-c311ec494a75",
        "name": "874bcb1c3d050a5b5b333a2198f504fcb27927c2abdd43b07440188a380c52d5"
      },
      {
        "id": "fc2fc5e1-d989-47ab-82f1-53dd638db476",
        "name": "193.8.187.42"
      },
      {
        "id": "4d47f544-a96c-4cf2-b436-099d25418ce0",
        "name": "2758f4d71a2a2dfdefab81737c2d776b2a3dafe5844fdd2157e089a28447ca98"
      },
      {
        "id": "9505eba2-6034-4e66-b1b2-f8206c1c2217",
        "name": "85.11.187.8"
      },
      {
        "id": "edcd5acb-5d13-4bdc-a381-9113537f5cba",
        "name": "4253dd1a4c0867b0be7732f75b2f630cebfb7fed94270e15fb3b12ae40546d01"
      },
      {
        "id": "ddcf380b-c6d4-4011-bd6b-2516edb63d1a",
        "name": "479ae5fd7274439ddfa27bc03298ebfdfc5ff17f6412acccf74d4dbd90d94218"
      },
      {
        "id": "1212b155-e60e-4fce-a586-59468c55d6ac",
        "name": "9eaa577c8ba71646928c1c34c3145536b0498f65f26060a6ba00744bcef57644"
      },
      {
        "id": "cd7150fe-691e-4968-b5a4-0ca6d7554cbc",
        "name": "38353f95fff270f4e3a9d7add8c64666020dd668ce66e15969a736ec48cadc59"
      }
    ],
    "attack_patterns": [
      {
        "id": "9e6c4b38-f4e1-4b1f-b90a-222f881acbab",
        "name": "T1087.002"
      },
      {
        "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3",
        "name": "T1021.002"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "ed82bdd1-d346-48d1-98de-36a9a0a96489",
        "name": "T1040"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "aac924fa-f9ae-4d95-8278-ef958e8c682f",
        "name": "T1558.004"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "4ad07171-7f93-428f-85e3-c2470aeb1278",
        "name": "T1110.003"
      },
      {
        "id": "fd6a3ae8-f3af-41a6-9292-09912a059105",
        "name": "T1558.003"
      },
      {
        "id": "a1de6d30-7fd6-4352-8f6c-d9904347f33f",
        "name": "T1039"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "c43c6d21-5bbc-4bf0-a8a9-4834188d6927",
        "name": "T1602.002"
      },
      {
        "id": "6fad55e3-6abc-46aa-b5af-23923e5d6485",
        "name": "T1110.004"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "28784df4-38e7-4195-b0aa-bd35746dfbe7",
        "name": "T1069.002"
      },
      {
        "id": "436e795b-553f-444e-b837-65818d8f539f",
        "name": "T1119"
      },
      {
        "id": "3245033a-53c4-454c-873a-fb653af0bf8a",
        "name": "T1552"
      },
      {
        "id": "8cbc2f51-59d4-4d90-aeb6-78147b810cec",
        "name": "T1048.002"
      },
      {
        "id": "a831f7c4-a7f0-4243-8211-1cd44fa34fa7",
        "name": "T1020"
      },
      {
        "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5",
        "name": "T1135"
      }
    ],
    "malware": [
      {
        "id": "a2c3f77e-cd68-4806-a321-97f02c385c8b",
        "name": "EKZ Infostealer",
        "slug": "ekz-infostealer"
      },
      {
        "id": "10b9da23-0cae-4ed1-9bfb-9f9b230b339d",
        "name": "CyberStrike Harvester",
        "slug": "cyberstrike-harvester"
      }
    ],
    "observables": [
      {
        "id": "bb594f09-1354-4b17-8c4a-16c20835e3f1",
        "name": "193.8.187.42"
      },
      {
        "id": "4d2784a8-7d47-47f5-9f68-0601ae605d03",
        "name": "85.11.187.8"
      }
    ]
  },
  "external_refs": [
    {
      "id": "7af8d4ef-7454-4efb-9ff9-98dab5f59aea",
      "standard_id": "external-reference--37680be1-cddb-520b-a0a6-256602d6fb0e",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a3b512cc6365025ee5f1d3e",
      "hash": null,
      "external_id": "6a3b512cc6365025ee5f1d3e",
      "created": "2026-06-24T17:46:09.716Z",
      "modified": "2026-06-24T17:46:09.716Z",
      "createdById": null
    },
    {
      "id": "8b2a72ef-1e48-4d49-a6d2-fb45542720e9",
      "standard_id": "external-reference--50377002-366b-5632-a66a-bb00578504f9",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://arcticwolf.com/resources/blog/inside-fortibleed-reverse-engineering-the-cyberstrike-harvester-behind-a-global-fortigate-credential-factory/",
      "hash": null,
      "external_id": null,
      "created": "2026-06-24T17:46:09.745Z",
      "modified": "2026-06-24T17:46:09.745Z",
      "createdById": null
    }
  ]
}