Article updated at the bottom with additional technical details about this campaign.
Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks.
A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls.
Instead, the threat actor targeted exposed management interfaces and weak credentials that lacked MFA protection, then used AI to help automate access to other devices on the breached network.
Moses says the compromised firewalls were observed across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia, among other regions.
An AI-powered hacking campaign
Amazon says it learned about the campaign after finding a server hosting malicious tools used to target Fortinet FortiGate firewalls.
As part of the campaign, the threat actor targeted FortiGate management interfaces exposed to the internet by scanning for services running on ports 443, 8443, 10443, and 4443. The targeting was reportedly opportunistic rather than against any specific industries.
Rather than exploiting zero-days, as we commonly see targeting FortiGate devices, the actor used brute-force attacks with common passwords to gain access to devices.
Once breached, the threat actor extracted the device’s configuration settings, which include:
- SSL-VPN user credentials with recoverable passwords
- Administrative credentials
- Firewall policies and internal network architecture
- IPsec VPN configurations
- Network topology and routing information
These configuration files were then parsed and decrypted using what appears to be AI-assisted Python and Go tools.
“Following VPN access to victim networks, the threat actor deploys a custom reconnaissance tool, with different versions written in both Go and Python,” explained Amazon.
“Analysis of the source code reveals clear indicators of AI-assisted development: redundant comments that merely restate function names, simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization, and compatibility shims for language built-ins with empty documentation stubs.”Â
“While functional for the threat actor’s specific use case, the tooling lacks robustness and fails under edge cases—characteristics typical of AI-generated code used without significant refinement.”
These tools were used to automate reconnaissance on the breached networks by analyzing routing tables, classifying networks by size, running port scans using the open-source gogo scanner, identifying SMB hosts and domain controllers, and using Nuclei to look for HTTP services.
The researchers say that while the tools were functional, they commonly failed in more hardened environments.
Operational documentation written in Russian detailed how to use Meterpreter and mimikatz to conduct DCSync attacks against Windows domain controllers and extract NTLM password hashes from the Active Directory database.Â
The campaign also specifically targeted Veeam Backup & Replication servers using custom PowerShell scripts, compiled credential-extraction tools, and attempted to exploit Veeam vulnerabilities.
On one of the servers found by Amazon (212[.]11.64.250), the threat actor hosted a PowerShell script named “DecryptVeeamPasswords.ps1” that was used to target the backup application.
As Amazon explains, threat actors often target backup infrastructure before deploying ransomware to prevent the restoration of encrypted files from backups.
The threat actors’ “operational notes” also contained multiple references to trying to exploit various vulnerabilities, including CVE-2019-7192 (QNAP RCE), CVE-2023-27532 (Veeam information disclosure), and CVE-2024-40711 (Veeam RCE).
The report says that the attacker repeatedly failed when attempting to breach patched or locked-down systems, but instead of continuing to try to gain access, they moved on to easier targets.
While Amazon believes the threat actor has a low-to-medium skill set, that skill set was greatly amplified through the use of AI.
The researchers say the threat actor utilized at least two large language model providers throughout the campaign to:
- Generate step-by-step attack methodologies
- Develop custom scripts in multiple programming languages
- Create reconnaissance frameworks
- Plan lateral movement strategies
- Draft operational documentation
In one instance, the actor reportedly submitted a full internal victim network topology, including IP addresses, hostnames, credentials, and known services, to an AI service and asked for help spreading further into the network.
Amazon says the campaign demonstrates how commercial AI services are lowering the barrier to entry for threat actors, enabling them to carry out attacks that would normally be outside their skill set.
The company recommends that FortiGate admins not expose management interfaces to the internet, ensure MFA is enabled, ensure VPN passwords are not the same as those for Active Directory accounts, and harden backup infrastructure.
Google recently reported that threat actors are abusing Gemini AI across all stages of cyberattacks, mirroring what Amazon observed in this campaign.
Custom AI toolset powers breaches
Separate research published yesterday on the Cyber and Ramen security blog provides additional technical details about how AI and large language models were incorporated directly into the intrusion campaign.
The researcher shared that the misconfigured server at 212.11.64[.]250, also found by Amazon, exposed 1,402 files, including stolen FortiGate configuration backups, Active Directory mapping data, credential dumps, vulnerability assessments, and attack planning documents.
“The server at 212.11.64[.]250:9999, hosted on AS4264 (Global-Data System IT Corporation, Zurich, Switzerland), contained 1,402 files across 139 subdirectories,” explained the threat researcher.
“Folders within the directory included CVE exploit code, FortiGate configuration files, Nuclei scanning templates and Veeam credential extraction tools. Two folders named claude-0 and claude contained over 200 files between the two, including Claude Code task outputs, session diffs, and cached prompt states.”
“A folder titled fortigate_27.123(full IP redacted) held configuration data and credentials from what appeared to be a compromised FortiGate appliance.”
Source:Â Cyber and Ramen
Included in the exposed files was a custom Model Context Protocol (MCP) server named ARXON, which acted as a bridge between reconnaissance data and commercial large language models. The researcher said they were unable to find any public references to ARXON, indicating it was likely a custom MCP framework created by the threat actor.
An MCP server acts as an intermediary layer that ingests data, feeds it into language models, and then uses the generated output with other tools. In this campaign, the ingested data was used to automate post-compromise analysis and attack planning.
A separate Go tool called CHECKER2 is a Docker-based orchestrator that was used to scan thousands of VPN targets in parallel, with logs showing more than 2,500 potential targets across 100+ countries.Â
According to the researcher, reconnaissance data collected from compromised FortiGate appliances and internal networks was fed into ARXON, which then queried large language models such as DeepSeek and Claude to generate structured attack plans.
These attack plans included instructions for gaining Domain Admin, suggested locations to search for credentials, recommended exploitation steps, and guidance on spreading laterally to other devices.
In some cases, Claude Code was configured to execute offensive tools on its own, including Impacket scripts, Metasploit modules, and hashcat, without requiring the threat actor to approve each command.
The researcher notes that the operation evolved over several weeks, with the attacker initially using an open-source HexStrike MCP framework and, about eight weeks later, moving to the automated, customized ARXON system.
This report shares Amazon’s assessment that generative AI is being used as a multiplier, allowing attackers to scale intrusions more efficiently. The researcher similarly warns that defenders should prioritize patching edge devices and auditing unusual SSH activity and VPN account creation.
CronUp security researcher Germán Fernández also found a different server exposing a directory containing what appear to be AI-generated tools targeting FortiWeb.
While these tools do not appear to be part of the FortiGate campaign, they once again show how threat actors are continuing to use AI tools to power their attacks.
Update 2/21/26: Added more technical details from Cyber and Ramen security blog and Germán Fernández.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
