Infostealers Fuel Large‑Scale Brute‑Forcing of Corporate SSO Gateways Using Stolen Credentials


A wave of credential stuffing attacks has exposed a troubling shift in how threat actors are breaking into corporate networks — not by exploiting software vulnerabilities, but by simply logging in with stolen passwords.

At the center of this campaign are infostealer malware families, which silently harvest credentials from infected employee devices and feed them into credential stuffing attacks (replaying stolen, already-valid email and password pairs at scale rather than guessing passwords) against corporate Single Sign-On (SSO) gateways, particularly F5 BIG-IP interfaces.

The activity first came to light on February 23, 2026, when threat intelligence group Defused Cyber publicly flagged a major credential stuffing campaign targeting F5 devices.

Their honeypots captured POST requests from a single source IP — 219.75.254.166, registered to OPTAGE Inc. in Japan — in which the attacker submitted corporate email and password combinations at scale.

What made this attack stand out was not its volume but its precision: the credentials looked like real, working logins tied to large multinational companies and government agencies.
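As an added example (this is not code from the article, from Defused Cyber or from Hudson Rock), the following is detection logic a defender could run over an SSO gateway's authentication log to surface the pattern the honeypots saw: one source address submitting many distinct corporate identities, spread across many email domains, with mostly failures. The four-field log layout, the sample lines, the endpoint and the thresholds are all assumptions constructed for this example, not any vendor's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a simplified SSO-gateway authentication log. The
# four-field layout (timestamp, source IP, submitted user, result) is an
# assumption for this example, not F5's or any vendor's real log format.
SAMPLE_LOG = """\
2026-02-23T10:00:01Z 203.0.113.7 alice@example.com FAIL
2026-02-23T10:00:40Z 203.0.113.7 alice@example.com OK
2026-02-23T10:01:10Z 198.51.100.9 bob@example.com OK
2026-02-23T10:02:00Z 192.0.2.55 j.doe@corp-a.example FAIL
2026-02-23T10:02:02Z 192.0.2.55 m.roe@corp-b.example FAIL
2026-02-23T10:02:05Z 192.0.2.55 k.lee@gov-c.example FAIL
2026-02-23T10:02:07Z 192.0.2.55 p.ng@corp-a.example FAIL
2026-02-23T10:02:09Z 192.0.2.55 s.kim@corp-d.example OK
2026-02-23T10:02:12Z 192.0.2.55 a.ali@corp-e.example FAIL
2026-02-23T10:02:14Z 192.0.2.55 r.roy@corp-f.example FAIL
2026-02-23T10:45:00Z 192.0.2.55 z.zed@corp-g.example FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line must not crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"].lower(), m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that, within any `window`, submitted at least
    `min_users` distinct accounts with a failure ratio >= `min_fail_ratio`.

    Many distinct users (and especially many distinct email domains) from one
    IP is the stuffing signature; a lone user failing repeatedly is just a
    forgotten password. Returns {ip: stats} for the busiest window per IP,
    including the accounts that DID log in, which are the ones to reset."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        for i, (t0, _, _, _) in enumerate(evs):
            users, domains, hits, fails, n = set(), set(), set(), 0, 0
            for t, _, user, ok in evs[i:]:
                if t - t0 > window:
                    break
                n += 1
                users.add(user)
                domains.add(user.rsplit("@", 1)[-1])
                if ok:
                    hits.add(user)
                else:
                    fails += 1
            fail_ratio = fails / n
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                stats = {
                    "window_start": t0.isoformat(),
                    "attempts": n,
                    "distinct_users": len(users),
                    "distinct_domains": len(domains),
                    "fail_ratio": round(fail_ratio, 2),
                    "hits": sorted(hits),
                }
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

On the constructed sample only 192.0.2.55 is flagged: seven accounts from six different email domains in fourteen seconds, six failures and one success. The distinct-domain count is what separates this campaign's shape (bought infostealer logs covering many organizations) from a password spray against a single tenant, and the `hits` list is the actionable output: those accounts have a working password in an attacker's hands and need a reset and session revocation, not just a blocked IP.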

Analysts at Infostealers identified the true origin of those credentials by running the captured data against Hudson Rock's global cybercrime database.


Out of 70 unique email-and-password combinations observed in the attack, 54 were directly matched to known infostealer infection logs — a match rate of over 77%.

These were not credentials leaked in a traditional F5 data breach. They were harvested from employee devices infected with infostealer malware and then replayed against external infrastructure including ADFS (Active Directory Federation Services), STS (Security Token Service), and OWA portals, confirming that infostealers had moved beyond data theft into coordinated network intrusion.

The scope of affected organizations was significant. Among the companies whose employee credentials appeared in the attack payload were Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Cellebrite, the Belgian Police, and Queensland Police.

Turkish government ministry staff and employees of major retail conglomerates were also caught in the dragnet.

Attackers cast a wide net, knowing that even a small number of valid logins against organizations without strong multi-factor authentication would be enough to gain a foothold.

The attack infrastructure added further concern. The source IP used in the campaign was traced to a compromised Fortinet FortiGate-60E firewall belonging to OPTAGE Inc. in Japan, with open ports 541/tcp (the FGFM port a FortiGate uses to talk to FortiManager) and 10443/tcp (commonly used for FortiGate's SSL VPN) and a self-signed TLS certificate.

This showed that attackers were routing traffic through a hijacked edge device to target other edge devices, combining stolen identities with compromised network infrastructure in a dual-threat approach that is hard to stop with IP reputation alone, since the traffic originates from a legitimate organization's address space.

The “Log-to-Lead” Pipeline: Identity as the New Perimeter

The most technically significant aspect of this campaign is what researchers describe as the “Log-to-Lead” pipeline — an industrialized process that converts raw infostealer infection data into corporate network access within days.

When an employee device is infected, the malware silently extracts all browser-saved credentials, including the passwords saved for SSO and ADFS portals, which are typically the user's primary Active Directory credentials.

These logs are aggregated, filtered for high-value corporate email domains, and sold to Initial Access Brokers on dark web marketplaces.

Confirmations of the compromised credentials (Source - Infostealers)

Attackers then purchase these credential packages and stuff them against corporate edge devices at scale until one unlocks.

The driving concept behind this pipeline is what analysts call "functional equivalence." Devices like F5 BIG-IP are typically configured to authenticate against Active Directory, so they accept the same credentials used for Windows logins and internal portals.

When an attacker obtains an ADFS password from an infostealer log, that same credential may also open a VPN, SSO portal, or remote access gateway.

The attacker is not exploiting a software flaw; they are walking through the front door with a stolen key, and identity becomes the new perimeter.

To defend against this threat, organizations should enforce phishing-resistant MFA (FIDO2/WebAuthn or certificate-based) across all edge devices and SSO portals, so that a valid password alone never grants access.

Exposed employee credentials should be monitored through dark web and cybercrime intelligence feeds before they are weaponized in stuffing campaigns.

Password reuse across internal systems must be eliminated at policy level, and endpoint security controls should catch infostealer infections before harvested credentials ever reach a dark web marketplace.

Employees should also be trained on the risks of browser-saved passwords, since these everyday habits directly supply the infostealer pipeline behind attacks like this.
