logo

Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind

ID: 7314cbc9-18bd-5794-9e12-d732dc151d0d

STIX ID: report--7314cbc9-18bd-5794-9e12-d732dc151d0d

Feed Name: CloudSEK Blog

Threat Score
75/100

Date Published: 2026-06-19

Date Updated: 2026-06-20

...
...

**CloudSEK analysis of the "FortiBleed" operation:** a large-scale criminal credential-harvesting and access-for-sale campaign targeting internet-facing Fortinet devices (and other web-login appliances) whose exposed attacker server revealed scanners, a Hashtopolis-based cracking pipeline, credential and target catalogues, post-exploitation AD tooling, and live VPN access; while ~21,632 entries were advertised, the operators' own tooling shows ~918 organisations with captured internal traffic and only ~148 confirmed AD compromises, and the report includes multiple IP indicators and actionable mitigations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.