FortiBleed Campaign: Reverse Engineering the CyberStrike Harvester Behind Global FortiGate Credential Theft
By Arctic Wolf Labs · 10d ago · 22 min read
Summary
FortiBleed is a large-scale credential compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways. Unlike typical malware-based attacks, it uses a credential pipeline combining credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication capture processing. Arctic Wolf researchers reverse-engineered a recovered CyberStrike Harvester binary and connected it to the broader FortiBleed operator workflow, demonstrating how exposed perimeter credentials can escalate into full internal-network compromise.
Key quotes
FortiBleed is a large-scale credential compromise campaign that targets internet-facing Fortinet FortiGate firewalls and SSL VPN gateways.
The campaign does not depend on a malware payload; instead, it uses a credential pipeline that utilizes credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication capture processing.
Arctic Wolf reverse-engineered a recovered CyberStrike Harvester binary and connected it to the broader FortiBleed operator workflow, showing how exposed perimeter credentials can quickly become full internal-network exposure.