LLM-Powered Campaign Compromises Over 600 FortiGate Firewalls Worldwide

CyberSecureFox 🦊

Amazon security specialists have disclosed a large-scale, targeted campaign against FortiGate firewalls in which a Russian-speaking threat actor compromised more than 600 devices across 55 countries in just five weeks. The operation stands out because the attacker systematically used generative AI and large language models (LLMs) not only to write tools, but also to plan follow-on actions inside victim networks.

Scope and Timeline of the FortiGate Firewall Attacks

According to CJ Moses, vice president of Amazon Security, the malicious campaign ran from 11 January to 18 February 2026. Victims were located in South Asia, Latin America, Africa, Europe and other regions, with a clear focus on organizations exposing FortiGate management and VPN interfaces directly to the internet.

The attacker did not rely on zero-day vulnerabilities or sophisticated exploit chains. Instead, the entire intrusion set was built around a long-standing weakness: publicly accessible admin panels and VPN portals protected by weak passwords and no multi-factor authentication (MFA). This mirrors a broader industry trend where misuse of valid credentials accounts for a large share of successful breaches.

Attack Chain: Exposed Interfaces, Brute Force and Configuration Theft

The threat actor conducted wide internet scanning to identify FortiGate VPN and administration interfaces, paying particular attention to ports 443, 8443, 10443 and 4443. Once a target was identified, the attacker launched brute-force password attacks, attempting common and weak passwords until an administrator account was successfully compromised.
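A detection sketch for the pattern described above, added here as an example and not taken from Amazon's report or any vendor tooling: it flags a successful admin login that follows a burst of failures from the same source address. The log lines are constructed, and the field names (`srcip`, `action`, `status`) and the threshold and window values are assumptions to adapt to your own log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in FortiGate-style key=value form; the field names
# (srcip, action, status) are assumptions, so map them to your real log schema.
SAMPLE_LOG = """\
date=2026-01-12 time=03:10:01 srcip=198.51.100.7 user="admin" action="login" status="failed"
date=2026-01-12 time=03:10:03 srcip=198.51.100.7 user="admin" action="login" status="failed"
date=2026-01-12 time=03:10:05 srcip=198.51.100.7 user="root" action="login" status="failed"
date=2026-01-12 time=03:10:08 srcip=192.0.2.10 user="netops" action="login" status="failed"
date=2026-01-12 time=03:10:09 srcip=198.51.100.7 user="admin" action="login" status="failed"
date=2026-01-12 time=03:10:12 srcip=198.51.100.7 user="admin" action="login" status="failed"
date=2026-01-12 time=03:10:30 srcip=192.0.2.10 user="netops" action="login" status="success"
date=2026-01-12 time=03:10:41 srcip=198.51.100.7 user="admin" action="login" status="success"
not a log line
"""
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    fields = {k: q or u for k, q, u in KV.findall(line)}
    if not {"date", "time", "srcip", "action", "status"} <= fields.keys():
        return None  # malformed or unrelated line
    try:
        fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return fields

def success_after_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag successful logins preceded by >= threshold failures from the same source."""
    failures = defaultdict(list)  # srcip -> timestamps of recent failed logins
    findings = []
    for event in filter(None, map(parse_line, log_text.splitlines())):
        if event["action"] != "login":
            continue
        src, ts = event["srcip"], event["ts"]
        recent = [t for t in failures[src] if ts - t <= window]
        if event["status"] == "failed":
            failures[src] = recent + [ts]
        elif event["status"] == "success":
            if len(recent) >= threshold:
                findings.append((src, event.get("user"), len(recent)))
            failures[src] = []
    return findings
```

Failures are counted per source address rather than per username, so a source that cycles through several account names before succeeding is still caught; the single mistyped password from `192.0.2.10` is not flagged.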

After gaining access, the intruder systematically exfiltrated the FortiGate configuration, including SSL-VPN credentials, administrator passwords, firewall policies, network topology and routing information, and IPsec VPN settings. These configurations provide a complete map of the victim’s environment and are often enough to plan lateral movement without further on-box exploitation.

The stolen data was processed using Python and Go scripts generated by LLMs, which parsed configurations, extracted high-value targets and built structured lists for subsequent operations inside each network.

How Generative AI Powered the FortiGate Intrusion Toolkit

Amazon’s analysis found clear signs that the attacker’s tools were generated or heavily assisted by AI. The code contained excessive comments, redundant function names, oversimplified architectures focused on formatting, and naive JSON handling via string matching instead of proper deserialization. Many helper functions existed as undocumented stubs.

Despite their mediocre quality, these tools were effective. They automated configuration analysis, target selection and data preparation for follow-on attacks. Amazon assesses the operator’s technical skill as “low to medium”, but notes that generative AI significantly compensated for gaps in expertise by rapidly producing functional scripts and playbooks.

Lateral Movement: From VPN Access to Domain Controllers and Backups

With VPN access in hand, the attacker deployed custom reconnaissance tools in Go and Python inside victim networks. Operational documentation in Russian described using Meterpreter and Mimikatz to perform DCSync attacks against Windows domain controllers, extracting NTLM hashes from Active Directory to escalate privileges and move laterally.

The attacker showed a particular interest in Veeam Backup & Replication servers, a frequent target in modern ransomware campaigns. By compromising backup infrastructure, adversaries can disable or encrypt recovery points before deploying ransomware, drastically increasing pressure on victims. Although Amazon’s public report does not confirm a final ransomware stage, the observed behavior closely aligns with standard ransomware preparation.

Attacker Infrastructure: ARXON MCP Server, CHECKER2 Scanner and LLM Orchestration

Additional insights came from an independent researcher writing on the Cyber and Ramen blog, who located a misconfigured server operated by the attacker. The system contained 1,402 files, including stolen FortiGate configurations, Active Directory mapping data, credential dumps, vulnerability reports and detailed attack plans.

On this server, investigators found a custom MCP server called ARXON, which acted as a bridge between exfiltrated data and commercial LLMs such as DeepSeek and Claude. ARXON ingested data from compromised devices and generated structured, step-by-step action plans, effectively turning the LLMs into advisers on lateral movement and privilege escalation.

The infrastructure also hosted a Go-based orchestrator known as CHECKER2, running in Docker containers and used for highly parallel scanning of thousands of VPN targets. Logs referenced more than 2,500 potential targets in over 100 countries, underscoring the level of automation behind the reconnaissance effort.

Autonomous LLM Decision-Making and Tool Execution

In some scenarios, Claude Code was configured in an autonomous mode, initiating tools such as Impacket, Metasploit and hashcat without explicit confirmation from the operator. In one documented case, the attacker supplied the model with full network topology information, including IP ranges, hostnames and passwords, and requested a detailed plan for lateral movement.

This illustrates a significant shift: LLMs are being used not only to generate code, but to make tactical decisions in real time during intrusions. When encountering hardened or fully patched environments, the attacker typically abandoned attempts and moved on to softer targets, reinforcing the assessment that AI was compensating for limited personal expertise.

The FortiGate incident highlights how quickly the threat landscape is evolving: even relatively unskilled actors can now run global campaigns by pairing exposed infrastructure with generative AI. Organizations should respond by tightening basic security hygiene around perimeter devices — disabling direct internet access to FortiGate admin consoles, enforcing MFA on all VPN and administrative access, rotating strong passwords, and keeping firmware fully updated. Equally important are network segmentation, strict controls over VPN and backup systems, continuous monitoring and rapid anomaly detection. Defenders that redesign their security programs with AI-assisted attacks in mind will significantly reduce the window of exposure and the likelihood that a single misconfigured firewall becomes the starting point for a catastrophic breach.
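One way to check an exported configuration for the weaknesses this campaign relied on, added here as an example and not part of Amazon's report or Fortinet tooling: it parses FortiOS CLI syntax and reports management protocols enabled on WAN-role interfaces and administrator accounts without trusted hosts or two-factor authentication. The configuration is a constructed sample, and treating `set role wan` as the marker for internet-facing interfaces is an assumption.

```python
import shlex
# Constructed sample in FortiOS CLI syntax (not taken from any real device).
SAMPLE_CONFIG = '''
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "lan"
        set role lan
        set allowaccess ping https
    next
end
config system admin
    edit "admin"
    next
    edit "ops"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
'''

def parse_config(text):
    tree, section, entry, depth = {}, None, None, 0  # tree[section][entry][setting] = [values]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # nested config blocks are skipped
                section, entry = tree.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tree

def audit(text):
    cfg, findings = parse_config(text), []
    for name, s in cfg.get("system interface", {}).items():
        exposed = sorted({"https", "http", "ssh", "telnet"} & set(s.get("allowaccess", [])))
        if s.get("role") == ["wan"] and exposed:  # assumption: role marks internet-facing ports
            findings.append(f"interface {name}: admin access on WAN via {', '.join(exposed)}")
    for name, s in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"admin {name}: no trusted hosts restriction")
        if s.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor authentication disabled")
    return findings
```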
