
New FortiBleed campaign uses custom sniffer to steal FortiGate credentials

Originally published on: June 23, 2026
Summary

– The FortiBleed campaign targeted over 430,000 FortiGate firewalls globally since at least February 2026, using credential stuffing and brute-force attacks to gain access.
– Attackers deployed a Golang-based tool called “FortigateSniffer” on compromised devices to abuse FortiOS’s diagnose sniffer packet command for capturing authentication traffic.
– The sniffer monitored 24 protocols, including RADIUS, NTLM, Kerberos, and LDAP, to harvest credentials, password hashes, and authentication secrets from network flows.
– Captured data was parsed by a Python toolkit to extract cleartext credentials and generate Hashcat-ready files, which were cracked using a distributed GPU cluster with 36 enterprise-class GPUs.
– The threat actor behind the campaign acts as an initial access broker, selling access to corporate networks obtained through credential harvesting and offline password cracking.

The latest findings from security firm SOCRadar reveal that the FortiBleed campaign, a large-scale operation targeting Fortinet FortiGate firewalls, employed custom-built sniffers to harvest authentication secrets and steal credentials from compromised devices. This activity, detailed in a report published today, builds on earlier research that uncovered a trove of Fortinet VPN credentials linked to over 80,000 firewall URLs globally.

According to SOCRadar, the campaign has been active since at least February 2026 and has targeted more than 430,000 FortiGate firewalls worldwide. The threat actor behind this operation functions as an initial access broker (IAB), leveraging a combination of credential stuffing, brute-force attacks, credential harvesting, and offline password cracking to infiltrate corporate networks.

A key discovery in the report is the use of a Golang-based tool named FortigateSniffer. This tool exploits FortiOS’s built-in diagnose sniffer packet functionality, a legitimate diagnostic feature, to intercept authentication traffic passing through compromised FortiGate devices. SOCRadar explains that attackers abused this feature to capture credentials from network flows, including data from protocols such as RADIUS, NTLM, Kerberos, and LDAP. The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract credentials from network streams.

While Fortinet previously told BleepingComputer that the incident stems from previously compromised credentials rather than a new vulnerability, SOCRadar’s report paints a picture of an ongoing campaign actively compromising FortiGate VPN devices. The attackers first gain administrative access through credential stuffing and brute-force attacks, then deploy the FortigateSniffer framework via SSH connections. This tool triggers the diagnose sniffer packet command, a standard FortiOS diagnostic tool used by admins for troubleshooting connectivity and authentication issues. The command was configured to monitor traffic for authentication protocols and remote access services, including Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, Microsoft SQL Server, MySQL, PostgreSQL, SMTP, IMAP, POP3, FTP, and Telnet.
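As an added defender-side illustration (not code from SOCRadar’s report or the BleepingComputer article), the script below correlates constructed, simplified key=value admin event logs to flag the sequence described above: repeated failed logins from one source, then a successful SSH admin login from that source, then execution of `diagnose sniffer packet`. The field names, threshold and sample lines are constructed for this example and are not claimed to match FortiOS’s real log schema.

```python
import re
from collections import defaultdict

# Constructed, simplified key=value event log lines (not real FortiOS output).
SAMPLE_LOGS = """\
ts=1 action=login status=failed user=admin srcip=203.0.113.7 method=ssh
ts=2 action=login status=failed user=admin srcip=203.0.113.7 method=ssh
ts=3 action=login status=failed user=admin srcip=203.0.113.7 method=ssh
ts=4 action=login status=failed user=admin srcip=203.0.113.7 method=ssh
ts=5 action=login status=failed user=admin srcip=203.0.113.7 method=ssh
ts=6 action=login status=success user=admin srcip=203.0.113.7 method=ssh
ts=7 action=command user=admin srcip=203.0.113.7 cmd="diagnose sniffer packet any 'port 88 or port 389' 6 0"
ts=8 action=login status=success user=netops srcip=198.51.100.5 method=https
ts=9 action=command user=netops srcip=198.51.100.5 cmd="get system status"
"""

# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
FAIL_THRESHOLD = 5  # assumed: failed logins from one source before we call it brute force

def parse_line(line):
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields

def detect(log_text, threshold=FAIL_THRESHOLD):
    """Return alerts for the brute-force -> SSH admin login -> sniffer pattern."""
    failures = defaultdict(int)
    suspicious_src = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        src = ev.get("srcip")
        if ev.get("action") == "login":
            if ev.get("status") == "failed":
                failures[src] += 1
                if failures[src] >= threshold:
                    suspicious_src.add(src)
            elif ev.get("status") == "success" and ev.get("method") == "ssh" and src in suspicious_src:
                alerts.append(("ssh_login_after_bruteforce", src, ev.get("user")))
        elif ev.get("action") == "command" and ev.get("cmd", "").startswith("diagnose sniffer packet"):
            # any sniffer invocation is worth a review; one from a brute-forcing source is high severity
            severity = "high" if src in suspicious_src else "review"
            alerts.append(("sniffer_invoked", src, severity))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Legitimate troubleshooting will also trigger the `review` alert, so the source-correlation step is what separates an admin debugging session from the campaign pattern.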

Captured packet data is processed through a component called SNIFTRAN, which reconstructs the traffic into PCAP files. These files are then parsed by a Python-based PCAP Deep Analysis Toolkit, which extracts cleartext credentials, password hashes, Kerberos tickets, NTLM authentication material, email credentials, database credentials, and other authentication artifacts. The toolkit also generates Hashcat-ready files containing NTLM and Kerberos hashes, and extracts cleartext credentials from protocols like SMTP, IMAP, POP3, MySQL, and RADIUS when available.

To crack the hashed credentials, the threat actors allegedly used the GPU-based Hashcat password cracking utility running on a distributed GPU cluster. In an update published on Friday, cybersecurity expert Kevin Beaumont suggests that attackers also obtained hashed credentials by downloading FortiGate configuration files from compromised devices. These hashes were then cracked using Hashcat and 36 enterprise-class GPUs. Beaumont notes, “The password cracking was hosted at a GenAI company which rents GPU compute. The attacker rented 36 enterprise class GPUs, more than most large orgs have for internal AI efforts, and instead of using it for AI tasks, they used them for password cracking. Enterprise GPUs can crack passwords at scale very quickly.”

For organizations managing Fortinet devices, Beaumont has published a list of IP addresses targeted in this campaign. Administrators should review this list and investigate whether any of their systems were targeted or compromised.

(Source: BleepingComputer)
