A threat actor with limited technical skills just compromised over 600 enterprise firewalls across 55 countries in 38 days — not by discovering new vulnerabilities, but by using commercial AI tools to do the hard parts for them. This is the new normal, and it is happening right now.
On February 20, 2026, Amazon's Chief Information Security Officer CJ Moses published a detailed threat intelligence report on the AWS Security Blog documenting one of the clearest real-world examples yet of AI being used as a weapon in cyberattacks. It is a case study that belongs in every cybersecurity training program because it proves something the industry has been warning about for years: you do not need to be technically sophisticated to cause serious damage anymore. You just need access to an AI chatbot and a target with bad security hygiene.
The report describes a campaign observed by Amazon Threat Intelligence between January 11 and February 18, 2026, in which a Russian-speaking, financially motivated threat actor used multiple commercial generative AI services to compromise more than 600 Fortinet FortiGate network appliances across more than 55 countries. Importantly, Amazon confirmed that no AWS infrastructure was involved in this campaign — the attacker used non-AWS commercial AI services to carry out the operation. This was not a nation-state operation. It was not an advanced persistent threat group. Based on Amazon's analysis, it was likely a single individual or very small group — people who, without AI, would not have had the capability to conduct an operation at this scale.
What Happened
Amazon Threat Intelligence stumbled on this campaign the way investigators sometimes catch criminals — through the attacker's own careless operational security. The threat actor had left their entire operational toolkit sitting on a publicly accessible SimpleHTTP server at 212.11.64.250, hosted by a provider in Switzerland. That server exposed over 1,400 files across 139 subdirectories — including AI-generated attack plans, stolen victim configurations, custom tool source code, credential dumps, and complete Active Directory maps. That mistake gave Amazon an unusually complete picture of exactly how the attack worked from start to finish. Separately, independent threat researcher Cyber and Ramen identified the same infrastructure through Hunt.io's Attack Capture service and published a detailed technical breakdown of the AI tooling involved.
"It's like an AI-powered assembly line for cybercrime, helping less skilled workers produce at scale." — CJ Moses, CISO, Amazon Integrated Security (AWS Security Blog, February 20, 2026)
The targets were FortiGate appliances — a widely deployed line of enterprise firewalls and VPN concentrators made by Fortinet. These devices sit at the edge of organizational networks and are critical infrastructure. Compromising one gives an attacker a foothold inside a private network, access to credentials, and a clear map of everything behind it. The attacker hit over 600 of them in just over five weeks.
No zero-day vulnerabilities were used in this campaign. Every device was compromised through exposed management interfaces and weak or reused credentials — security failures that have solutions available right now.
How They Got In
The entry point was straightforward: FortiGate management interfaces left exposed to the public internet, protected only by weak passwords and single-factor authentication. The attacker scanned for management interfaces across ports 443, 8443, 10443, and 4443, then attempted authentication using commonly reused credentials. When they found one that worked, they pulled the device's full configuration file.
Those configuration files are extraordinarily valuable. According to Amazon's report, a FortiGate configuration file contains SSL-VPN user credentials with recoverable passwords, administrative credentials, complete network topology and routing information, firewall policies that reveal internal architecture, and IPsec VPN peer configurations. In other words, one successfully extracted config file essentially hands an attacker a detailed map of the entire network behind that device, along with the keys to walk through the door.
The attacker used AI-assisted Python scripts to parse, decrypt, and organize the stolen configurations at scale — processing data from hundreds of devices automatically, turning raw config files into structured intelligence packages ready for the next phase of the attack.
"No exploitation of FortiGate vulnerabilities was observed — instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, fundamental security gaps that AI helped an unsophisticated actor exploit at scale." — CJ Moses, CISO, Amazon Integrated Security (AWS Security Blog, February 20, 2026)
Geographically, the targeting was opportunistic rather than sector-specific. The attacker scanned broadly and hit whatever was vulnerable. Compromised devices were clustered across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. In some cases, the attacker compromised multiple FortiGate devices belonging to the same organization — hitting managed service providers or large enterprise networks where several appliances shared the same misconfiguration.
AI as a Force Multiplier
This is the part of the story that changes everything. The attacker's technical baseline was assessed by Amazon as low to medium — capable of running standard offensive tools and automating routine tasks, but unable to compile custom exploits, debug failed attacks, or creatively adapt when a standard approach hit a wall. On their own, this actor could not have executed a campaign at this scale. With AI, they did it in 38 days.
Amazon Threat Intelligence identified the use of at least two distinct commercial large language model providers throughout the operation. Amazon's report does not name the specific tools. However, independent analysis by security researcher Cyber and Ramen, who examined the same exposed server, identified the tools as DeepSeek and Anthropic's Claude — with folders labeled "claude" and "claude-0" in the exposed directory containing outputs and prompt histories. The division of labor between them was specific: DeepSeek was used to ingest reconnaissance output and generate structured attack plans, while Claude — specifically Claude Code — produced vulnerability assessment reports and was configured to autonomously execute offensive tools including Impacket scripts, Metasploit modules, and hashcat against victim networks, in some cases without requiring the threat actor to approve each individual command.
Connecting those AI tools to the campaign infrastructure was a custom-built Model Context Protocol (MCP) server the attacker named ARXON. MCP servers act as intermediaries: ARXON ingested stolen FortiGate configurations and internal network maps, maintained a growing knowledge base per target, called DeepSeek or Claude to generate structured attack plans, and fed the AI-generated instructions back into the operational workflow. A companion tool named CHECKER2 — a Docker-based Go application — handled parallel VPN scanning across thousands of endpoints simultaneously. Logs recovered from the server showed over 2,500 potential targets catalogued across more than 100 countries, far exceeding the 600+ devices ultimately confirmed as compromised.
The operation went through a documented evolution. An earlier exposure of the same server infrastructure in December 2025 showed the attacker at an earlier stage, using HexStrike — an open-source offensive MCP framework that lets language models control penetration testing tools — alongside a Claude Code configuration file that pre-authorized the model to run Impacket, Metasploit, and hashcat using hard-coded domain credentials. By February 2026, roughly eight weeks later, the attacker had replaced HexStrike with the custom ARXON and CHECKER2 components, indicating a deliberate shift from semi-manual AI-assisted testing to a fully automated exploitation pipeline.
Attack Planning
The attacker used AI to generate comprehensive, step-by-step attack methodologies — complete with expected success rates, time estimates, and prioritized task trees. Amazon notes that these plans referenced academic research on offensive AI agents, suggesting the actor actively reads emerging literature on AI-assisted penetration testing and uses it to improve their prompting. The AI produced technically accurate command sequences for each phase of the operation.
Tool Development
The attacker's infrastructure contained numerous scripts in multiple programming languages — configuration parsers, credential extraction tools, VPN connection automation, mass scanning orchestration, and result aggregation dashboards. According to Amazon, the volume and variety of this custom tooling would ordinarily indicate a well-resourced development team. Instead, a single actor or very small group generated the entire toolkit through AI-assisted development.
Amazon's code analysis revealed the telltale signs of AI-generated code: redundant comments that simply restate function names, simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching instead of proper deserialization, and compatibility shims for language built-ins with empty documentation stubs. Functional for the attacker's specific use case, but brittle — and it showed. The tooling failed under edge cases throughout the campaign.
Live Operational Support
The most striking use of AI was during active operations. In one documented instance, the attacker submitted the complete internal topology of a live victim network to an AI service — IP addresses, hostnames, confirmed credentials, and identified services — and asked for a step-by-step plan to compromise additional systems they could not reach with their existing tools. A second AI provider was used as a fallback when the primary tool could not help with a specific pivot scenario.
The attacker's AI dependency was also a limitation. When conditions differed from what the AI had planned for, the attacker could not adapt. They could not compile custom exploits or debug failed attempts. When they hit a hardened target, they moved on rather than persisting — because they lacked the underlying skill to improvise. AI gave them scale and speed, not depth.
What Happened After They Got In
Once inside a victim's VPN, the attacker deployed a custom reconnaissance tool written in both Go and Python — AI-generated, as evidenced by the code quality markers described above. The tool automated the entire post-access discovery workflow: ingesting target networks from VPN routing tables, classifying them by size, running service discovery using the open-source port scanner gogo, automatically identifying SMB hosts and domain controllers, and feeding discovered HTTP services into Nuclei (an open-source vulnerability scanner) to generate prioritized target lists. BloodHound output files — used to map Active Directory relationships and attack paths — were also recovered from the exposed server, indicating the attacker was conducting full AD reconnaissance against compromised environments.
From there, the attack followed a well-documented playbook. The attacker used Meterpreter with the Mimikatz module to perform DCSync attacks against domain controllers, extracting NTLM password hashes from Active Directory. In confirmed compromises, they obtained complete domain credential databases. In at least one case, a Domain Administrator account used a plaintext password extracted from the FortiGate configuration through credential reuse — the same password set on both the firewall VPN and the domain's most privileged account.
Lateral movement followed using pass-the-hash and pass-the-ticket attacks, NTLM relay attacks with standard poisoning tools, and remote command execution on Windows hosts. The overall tool suite relied heavily on legitimate open-source offensive security tools — Impacket, gogo, Nuclei, and others widely used by professional penetration testers — which significantly limits the effectiveness of signature-based detection.
The Veeam Targeting
The attacker specifically targeted Veeam Backup & Replication servers, deploying multiple credential extraction tools including PowerShell scripts, compiled decryption utilities, and exploitation attempts against known Veeam vulnerabilities including CVE-2023-27532 and CVE-2024-40711. This is a pre-ransomware pattern: destroy or compromise backup infrastructure before deploying the ransomware payload, eliminating the victim's ability to recover without paying. Backup servers are high-value targets because they store elevated credentials for backup operations, and the accounts that back up domain controllers often have rights equivalent to domain administrators.
Amazon's report notes that the attacker's own operational documentation records repeated failures in the exploitation phase. Targeted services were patched, required ports were closed, vulnerabilities did not apply to the target OS versions. Their final assessment of one confirmed victim acknowledged that key infrastructure was "well-protected" with "no vulnerable exploitation vectors." When they hit resistance, they moved on.
Who Was Behind This
Amazon's formal assessment describes the threat actor as follows: financially motivated, Russian-speaking based on extensive Russian-language operational documentation, with low-to-medium baseline technical capability significantly augmented by AI. They can run standard offensive tools and automate routine tasks but cannot compile exploits, write original code without AI assistance, or creatively problem-solve during live operations. Their operational security was poor — detailed plans, credentials, and victim data were stored unencrypted alongside their tooling on publicly accessible infrastructure.
Critically, this actor has no known association with any state-sponsored advanced persistent threat group. This was not Sandworm. It was not Cozy Bear. It was very likely one person, or a handful of people, running what Amazon calls "an AI-powered assembly line for cybercrime."
"They are likely a financially motivated individual or small group who, through AI augmentation, achieved an operational scale that would have previously required a significantly larger and more skilled team." — CJ Moses, CISO, Amazon Integrated Security (AWS Security Blog, February 20, 2026)
Amazon shared indicators of compromise and actionable intelligence with industry partners during the campaign, collaborating to reduce the attacker's operational effectiveness and enable affected organizations to take defensive action.
Indicators of Compromise
Because this campaign relied almost entirely on legitimate open-source tools, traditional IOC-based detection has limited value. The presence of Impacket, gogo, or Nuclei on a network is not itself evidence of compromise — these are standard penetration testing tools. Organizations should prioritize behavioral detection over signature-based approaches.
That said, Amazon published two IP addresses associated with the threat actor's scanning and exploitation infrastructure, active throughout the campaign window:
| IOC Value | Type | First Seen | Last Seen | Description |
|---|---|---|---|---|
| 212[.]11.64.250 | IPv4 | Jan 11, 2026 | Feb 18, 2026 | Scanning and exploitation operations |
| 185[.]196.11.225 | IPv4 | Jan 11, 2026 | Feb 18, 2026 | Threat operations infrastructure |
Behavioral indicators to monitor include unexpected DCSync operations (Windows Event ID 4662 with replication-related GUIDs), new scheduled tasks named to mimic legitimate Windows services, unusual remote management connections originating from VPN address pools, LLMNR/NBT-NS poisoning artifacts in network traffic, unauthorized access to backup credential stores, and new accounts created with names designed to blend with legitimate service accounts.
What You Need to Do Right Now
If your organization runs FortiGate appliances, the actions below are not optional. The campaign window ran from January to February 2026, but the underlying vulnerabilities exploited here — exposed management interfaces, weak credentials, and absent MFA — remain open doors at organizations everywhere.
FortiGate Appliances
Verify that management interfaces are not reachable from the public internet. If remote administration is genuinely required, restrict access to specific known IP ranges and route it through a bastion host or out-of-band management network. Change all default and common credentials on every FortiGate appliance, covering both administrative accounts and VPN user accounts. Rotate all SSL-VPN user credentials, with priority given to any appliance whose management interface was or may have been internet-accessible. Enable multi-factor authentication for all administrative and VPN access. Review device configurations for unauthorized administrative accounts or policy changes. Audit VPN connection logs for connections originating from unexpected geographic locations.
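As an added example (not code from the Amazon report or from Fortinet), the following Python script checks a FortiOS CLI configuration export for the gaps the actions above address: management services allowed on a WAN-facing interface, administrator accounts without a trusted-host restriction, and administrators without two-factor authentication. It assumes the config/edit/set/next/end layout of a FortiOS CLI export and runs against a constructed sample configuration; interface names, addresses and account names are made up.

```python
"""Audit a FortiOS CLI configuration export for exposed management access.

Added example, not from the Amazon report. Assumes the flat
config/edit/set/next/end layout of a FortiOS CLI export; nested sub-blocks
inside an entry are not handled.
"""
import ipaddress

# Constructed sample config (not a real device export).
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

# Services on allowaccess that expose an administrative login.
MGMT_SERVICES = {"http", "https", "ssh", "telnet"}


def parse_sections(text):
    """Return {section: {entry_name: {key: [values]}}} for config/edit/set blocks."""
    sections, current, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = sections.setdefault(line[len("config "):], {})
        elif line.startswith("edit ") and current is not None:
            entry = current.setdefault(line[len("edit "):].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = [v.strip('"') for v in value.split()]
        elif line == "next":
            entry = None
        elif line == "end":
            current = None
    return sections


def is_public(ip_text):
    """Secondary signal: a globally routable address on the interface."""
    return ipaddress.ip_address(ip_text).is_global


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_sections(text)
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(iface.get("allowaccess", []))
        wan_facing = iface.get("role") == ["wan"] or (
            "ip" in iface and is_public(iface["ip"][0]))
        if exposed and wan_facing:
            findings.append(f"interface {name}: management services "
                            f"{sorted(exposed)} reachable from WAN")
    for name, admin in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in admin):
            findings.append(f"admin {name}: no trusthost restriction")
        if "two-factor" not in admin:
            findings.append(f"admin {name}: no two-factor authentication")
    return findings
```

Run `audit(open("fortigate.conf").read())` against a real export to list the findings; a LAN interface with the same allowaccess line is deliberately not flagged.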
Active Directory and Credential Hygiene
Audit specifically for password reuse between FortiGate VPN credentials and Active Directory accounts — this is how one confirmed victim had their Domain Administrator account compromised. Enforce unique, complex passwords on all accounts, with particular attention to Domain Administrator accounts and service accounts used in backup infrastructure. Rotate those service account credentials immediately if you cannot confirm they have not been exposed.
Backup Infrastructure
Isolate backup servers from general network access. Apply all available patches to backup software, with specific attention to known Veeam credential extraction vulnerabilities. Monitor backup servers for unauthorized PowerShell module loading. Implement immutable backup copies that cannot be modified even by accounts with administrative access — this is your last line of defense against a ransomware operator who has already compromised your backups.
Detection Priorities
Because IOC-based detection is limited here, the monitoring recommendations above become your primary detection mechanism. Configure alerting on DCSync operations, monitor VPN authentication logs for anomalous patterns, and watch for lateral movement originating from VPN address pools. Behavioral detection is the right answer when the attacker is using the same tools your own security team uses.
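As an added example covering the behavioral indicators listed under Indicators of Compromise and the detection priorities above (not code from the Amazon report), this Python script applies two of those checks to constructed Windows security events: 4662 events carrying directory replication extended rights from accounts that are neither domain controllers nor known sync accounts (the DCSync pattern), and type 3 network logons whose source address falls inside a VPN address pool. The field names are the standard 4662/4624 fields; the JSON-lines layout, the account names, hostnames and the pool range are assumptions.

```python
"""Flag DCSync-style replication requests and VPN-pool network logons.

Added example, not from the Amazon report. Events are constructed JSON
lines using a simplified layout (assumption: the SIEM exports EventID,
SubjectUserName, TargetUserName, Properties, LogonType, IpAddress, Computer).
"""
import ipaddress
import json

# Extended rights that permit directory replication. A 4662 carrying one of
# them from anything other than a DC or an approved sync account is DCSync.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = """
{"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "svc_backup", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "jdoe", "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"}
{"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.212.5.17", "Computer": "DC01"}
{"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "jdoe", "LogonType": 3, "IpAddress": "10.0.3.44", "Computer": "FS01"}
"""


def parse_events(text):
    """Parse JSON lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def guids_in(properties):
    """Extract {guid} tokens from the 4662 Properties field (newline- or space-separated)."""
    return {tok.strip("{}").lower() for tok in properties.split()}


def detect_dcsync(events, allowed_accounts):
    """Return subject accounts that requested replication rights but are not allowed to."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if not (guids_in(ev.get("Properties", "")) & REPLICATION_GUIDS):
            continue
        who = ev["SubjectUserName"]
        # DC machine accounts and approved sync accounts are the only expected requesters.
        if who not in allowed_accounts:
            hits.append(who)
    return hits


def detect_vpn_pool_logons(events, vpn_pool):
    """Return (account, source_ip, target_host) for network logons sourced from the VPN pool."""
    pool = ipaddress.ip_network(vpn_pool)
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        try:
            src = ipaddress.ip_address(ev.get("IpAddress", ""))
        except ValueError:
            continue  # "-" or malformed source address
        if src in pool:
            hits.append((ev["TargetUserName"], str(src), ev["Computer"]))
    return hits
```

Tune the allow list to your actual domain controller accounts and any directory sync service accounts, since those legitimately request replication rights.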
The Bigger Picture
This case is not just about FortiGate. It is a documented, verified proof of concept for the threat that has been discussed in theoretical terms for the past two years: commercial AI tools are lowering the technical barrier to entry for offensive cyber operations. An attacker who could not compile a custom exploit, could not debug a failed attack, and could not creatively adapt to resistance — that attacker just compromised more than 600 FortiGate devices across 55 countries in less than six weeks. The operational logs recovered from the server show over 2,500 targets catalogued across more than 100 countries, suggesting the confirmed 600+ compromises represent only the successful fraction of a much broader scanning operation.
It is also worth noting what this actor could not do. They could not break through hardened defenses. They could not persist through sophisticated security controls. When they encountered an organization that had done its homework — patched systems, rotated credentials, enforced MFA, segmented its network — they moved on. Every organization that this actor skipped over was protected not by advanced threat intelligence or expensive tooling, but by fundamentals.
"Strong defensive fundamentals remain the most effective countermeasure: patch management for perimeter devices, credential hygiene, network segmentation, and robust detection for post-exploitation indicators." — CJ Moses, CISO, Amazon Integrated Security (AWS Security Blog, February 20, 2026)
Amazon is explicit that this trend will continue and grow in 2026 — from both unskilled actors using AI to punch above their weight, and skilled actors using AI to move faster and at greater scale than they could before. Moses also made an important point that is easy to overlook in coverage of this attack: AI is not only a weapon for attackers. It is equally powerful for defenders — helping security teams detect threats faster, automate response at scale, and stay ahead of evolving tactics. The same technology that enabled this campaign can and should be part of how organizations detect and respond to the next one.
The attack surface is the same as it always was. The attacker pool just got much larger. The answer, as it always has been, is not a single product or a single patch. It is a security posture built on consistent fundamentals: keep perimeter devices patched and their management interfaces off the internet, enforce MFA everywhere, never reuse credentials across systems, segment your network so that compromise of one device does not hand an attacker the keys to everything, and build detection around behavior rather than signatures. None of that requires AI. All of it works against an attacker who has it.
Key Takeaways
- AI is actively being used in live attacks right now. This is not a future scenario. Between January 11 and February 18, 2026, a threat actor used commercial AI tools — identified by independent researchers as DeepSeek and Anthropic's Claude Code — to compromise 600+ FortiGate devices across 55 countries. This is documented in full by Amazon Threat Intelligence.
- Technical sophistication is no longer a prerequisite for large-scale attacks. The actor behind this campaign had low-to-medium technical skills and could not adapt when standard approaches failed. AI handled the planning, tool development, and command generation — and in some configurations, Claude Code executed offensive tools autonomously. Scale no longer requires skill.
- No zero-days were needed. Every device in this campaign was compromised through exposed management interfaces and weak credentials — failures with available fixes. The attacker's own logs catalogued over 2,500 potential targets across more than 100 countries. If your management ports are exposed to the internet and your passwords are weak, you are on that list.
- Behavioral detection is now essential. This campaign relied on legitimate open-source tools — Impacket, Metasploit, Nuclei, gogo, BloodHound — that signature-based systems will not flag. Organizations need to monitor for anomalous behavior: DCSync operations, unusual VPN authentication patterns, lateral movement from VPN pools, unexpected PowerShell module loading on backup servers.
- Hardened targets were skipped. When the attacker hit organizations with proper security controls, they moved on. The attacker's own operational notes acknowledge "well-protected" targets with "no vulnerable exploitation vectors." Fundamentals are a real defense against AI-augmented threats.
The full Amazon Threat Intelligence report, including all defensive guidance and the complete IOC table, is available at the AWS Security Blog. If you run FortiGate devices in your environment, read it today.
- Moses, CJ. AI-augmented threat actor accesses FortiGate devices at scale. AWS Security Blog, Amazon Web Services, February 20, 2026. aws.amazon.com/blogs/security
- Toulas, Bill. AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries. The Hacker News, February 21, 2026. thehackernews.com
- Cyber and Ramen (anonymous researcher). LLMs in the Kill Chain: Inside a Custom MCP Targeting FortiGate Devices Across Continents. Cyber and Ramen Security Blog, February 21, 2026. cyberandramen.net
- Claburn, Thomas. AWS says 600+ FortiGate firewalls hit in AI-augmented attack. The Register, February 23, 2026. theregister.com
- Ilascu, Ionut. Amazon: AI-assisted hacker breached 600 FortiGate firewalls in 5 weeks. BleepingComputer, February 20, 2026. bleepingcomputer.com
- Amazon Threat Intelligence. Indicators of Compromise — campaign active January 11 to February 18, 2026. Published via AWS Security Blog, February 20, 2026.
- Fortinet. FortiGate SSL-VPN and management interface security guidance. fortinet.com
- CISA. Known Exploited Vulnerabilities Catalog. cisa.gov