Hackers are using commercial AI models DeepSeek and Claude to automate attacks against FortiGate firewalls worldwide, turning basic misconfigurations into a high‑volume intrusion campaign.
In early February 2026, a misconfigured SimpleHTTP server running on 212.11.64[.]250:9999 was found exposing more than 1,400 files and 139 subdirectories, including stolen FortiGate configurations, Active Directory maps, credential dumps, exploit code, and detailed attack playbooks.
The infrastructure was hosted by a provider in Switzerland and appeared in Hunt.io’s Attack Capture as an active command‑and‑control and staging point, not just a passive file share.
Across both exposures, the data linked to confirmed intrusions against an industrial gas company in the Asia‑Pacific region, a telecom provider in Turkey, and a large media company in Asia, with reconnaissance references to additional targets in South Korea, Egypt, Vietnam, and Kenya.
Historical telemetry showed the same host had exposed a similar open directory in mid‑December 2025, containing many of the same tools plus additional victim data.
Logs and SSH histories from the same server showed it directly modifying FortiGate configurations on appliances in multiple countries, confirming the host’s operational role in live attacks.
LLMs embedded in the intrusion workflow
Unlike research scenarios where AI helps discover new vulnerabilities, the models here were used to scale routine post‑compromise work.
DeepSeek was tasked with ingesting reconnaissance output and FortiGate backup configurations to generate structured attack plans, including prioritized paths to Domain Admin, key credential hunting locations, and high‑value internal targets such as Oracle databases and biometric devices.
Claude’s coding agent produced vulnerability assessment reports during active intrusions and was configured to run offensive tooling Impacket scripts, Metasploit modules, and hash‑cracking utilities against victim networks with little or no human approval.
A custom Model Context Protocol (MCP) server named ARXON acted as a bridge between collected data and the language models, maintaining a growing knowledge base per target.
ARXON automated the flow: ingest stolen VPN and FortiGate configs, derive internal topology, call DeepSeek for attack planning, then feed Claude with tasks tied to specific scripts on the victim environment.
A second component, CHECKER2, written in Go and deployed via Docker, orchestrated parallel VPN scanning and target processing, with logs showing more than 2,500 FortiGate appliances across over 100 countries queued for automated access attempts.
The most complete trail of files documented an intrusion into an industrial gas company, where attackers already held administrative access to a FortiGate‑40F branch firewall.
Using read‑only privileges, they pulled a full configuration backup that exposed network topology for headquarters, branches, guest, and management networks, along with SSL VPN settings and 50 named VPN users.
The configuration also contained LDAP bind details for Active Directory; by pairing this with scripts exploiting Fortinet’s CVE‑2019‑6693 hard‑coded encryption key issue, the attackers likely decrypted stored credentials and verified them against the domain controller.
Armed with valid domain credentials and a detailed network map, the actor pivoted over SSL VPN into internal segments and launched automated discovery.
Claude Code generated a vulnerability assessment that highlighted a QNAP NAS and Veeam backup server with SMB signing disabled, while logs showed Impacket’s ntlmrelayx.py running to relay NTLM authentication and capture hashes in real time.
Reading through the documents within the fortigate_27.123* folder indicated the starting point was a FortiGate-40F appliance at a branch office, accessed through a read-only admin account.
Directory analysis revealed that ARXON and CHECKER2 formed the backbone of the operation, enabling a likely single operator to manage thousands of FortiGate‑centric intrusions in parallel.
ARXON also hosted scripts to bulk‑create FortiGate VPN accounts, adjust firewall policies, and test for Domain Admin privileges, tightening the feedback loop between AI‑generated plans and on‑disk tooling.
The December 2025 exposure captured an earlier phase of the same actor using HexStrike, an open‑source MCP framework that lets language models control penetration‑testing tools.
A Claude configuration file from that period pre‑authorized the model to run Impacket (secretsdump, psexec, wmiexec), Metasploit, and hashcat using hard‑coded domain credentials for a major media company, eliminating interactive approval for each command.
A deployment log showed a 102 MB archive of FortiGate configurations, grouped by country, being shipped to a separate Kali server at 185.196.11[.]225, where containers would ingest each config, attempt VPN access, map internal networks, and push results back into ARXON for LLM‑driven triage.
By February, the operator had replaced HexStrike with custom ARXON and CHECKER2 components, indicating a shift from semi‑manual AI‑assisted testing to a fully automated exploitation pipeline focused on FortiGate edge devices.
Threat intelligence reporting from multiple vendors now links this infrastructure to a Russian‑speaking, financially motivated actor who compromised more than 600 FortiGate firewalls in at least 55 countries between January and mid‑February 2026, largely by abusing exposed management interfaces and weak, single‑factor credentials rather than zero‑day exploits.
For defenders, the case underlines several priorities: aggressively reduce attack surface by closing public FortiGate management ports, enforce strong MFA on all VPN and admin access, and promptly patch widely exploited Fortinet flaws such as CVE‑2019‑6693 and newer FortiOS issues.
Continuous monitoring for unauthorized VPN accounts, unexpected SSH logins from unfamiliar infrastructure, and silent policy changes on edge firewalls is equally critical as AI‑driven workflows compress the time between initial compromise, lateral movement, and domain dominance.
Indicators of Compromise
| IP Address | Domain | ASN |
| 212.11.64[.]250:9999 | N/A | Global-Data System IT Corporation |
| 185.196.11[.]225 | N/A | Global-Data System IT Corporation |
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
