Cyberwire Daily

News

Russian Cyber Threat Actor Uses GenAI to Compromise Fortinet Firewalls

By Team-CWD, February 23, 2026

A low-skilled cyber threat actor has been observed leveraging several generative AI (GenAI) tools to deploy a malicious campaign aimed at compromising Fortinet’s FortiGate firewall appliances.

In an Amazon Web Services (AWS) Security blog published on February 20, CJ Moses, CISO of Amazon Integrated Security, shared findings about the campaign.

Amazon Threat Intelligence assessed that the attacker was a Russian-speaking, financially motivated threat actor with limited technical capabilities.

The threat actor used multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of their operation.

AWS assessed the campaign ran from January 11 to February 18, 2026, and compromised over 600 FortiGate devices across more than 55 countries.

Amazon Threat Intelligence noted that AWS infrastructure was not involved in this campaign and that no exploitation of FortiGate vulnerabilities was observed.

FortiGate Compromise: Attack Workflow Explained

This campaign was deemed opportunistic rather than targeted.

The threat actor scanned for FortiGate management interfaces exposed to the internet and tried to log in to them with commonly reused credentials.

Configurations pulled from the devices they could log into were then fed to AI-assisted Python scripts that parsed, decrypted and organized the stolen configurations.

Once VPN access to victim networks was gained, the threat actor deployed a custom reconnaissance tool, also likely developed with the use of AI services, with different versions written in both Go and Python.

Indicators of AI involvement in this tool included redundant comments that merely restate function names, simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization and compatibility shims for language built-ins with empty documentation stubs.

“While functional for the threat actor’s specific use case, the tooling lacks robustness and fails under edge cases – characteristics typical of AI-generated code used without significant refinement,” Moses noted.
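The "naive JSON parsing via string matching" indicator is worth seeing concretely, because it is exactly the kind of shortcut that works on the author's own test data and then "fails under edge cases". The following is an added illustration, not code from the AWS analysis or from the actor's tooling: a string-matching extractor of the kind described, beside a proper deserialization, both run over a constructed scanner-output record that has the wanted key nested inside another object and a string value containing escaped quotes.

```python
import json

# Constructed sample record of the kind a scanner-output parser would ingest.
# Deliberately has (a) the wanted key nested inside another object before the
# top-level copy and (b) a string value containing escaped quotes.
SAMPLE = ('{"meta": {"host": "dc01.corp.local"}, '
          '"host": "10.0.0.5", '
          '"banner": "Say \\"hi\\""}')


def naive_get(blob: str, key: str):
    """String-matching 'parser': find '"key":' and grab the next quoted run.

    This is the fragile pattern flagged in the analysis. It ignores nesting
    and JSON escaping, so on the sample above it silently returns the nested
    host instead of the top-level one, and truncates the banner at the first
    escaped quote.
    """
    marker = f'"{key}":'
    i = blob.find(marker)
    if i == -1:
        return None
    start = blob.index('"', i + len(marker)) + 1   # first quote after the key
    end = blob.index('"', start)                   # next quote, escaped or not
    return blob[start:end]


def robust_get(blob: str, key: str):
    """Deserialize first, then index: nesting and escapes are handled by json."""
    try:
        doc = json.loads(blob)
    except json.JSONDecodeError:
        return None                     # malformed input is a real case, not a crash
    return doc.get(key) if isinstance(doc, dict) else None


if __name__ == "__main__":
    for key in ("host", "banner"):
        print(key, "naive=", repr(naive_get(SAMPLE, key)),
              "robust=", repr(robust_get(SAMPLE, key)))
```

Running it shows `naive_get` returning `dc01.corp.local` for `host` and `Say \` for `banner`, while `robust_get` returns `10.0.0.5` and `Say "hi"`. For a scanner that feeds a target list, the first kind of error quietly points later stages at the wrong host, which is the sort of silent failure the analysis attributes to unrefined AI-generated code.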

Once the actor had VPN access, the reconnaissance tool's workflow:

  • ingested target networks from the VPN routing tables and classified them by size
  • ran service discovery with gogo, an open-source port scanner
  • automatically identified SMB hosts and domain controllers
  • ran Nuclei, an open-source vulnerability scanner, against the discovered HTTP services to produce prioritized target lists

Once inside victim networks, the threat actor followed a standard approach leveraging well-known open-source offensive tools, including:

  1. Domain compromise using Meterpreter, an open-source post-exploitation toolkit, with the Mimikatz module to perform DCSync attacks against domain controllers, allowing the actor to extract NTLM password hashes from Active Directory
  2. Lateral movement by attempting to expand access through pass-the-hash/pass-the-ticket attacks against additional infrastructure, NTLM relay attacks using standard poisoning tools and remote command execution on Windows hosts
  3. Backup infrastructure targeting by deploying multiple tools for extracting credentials, including PowerShell scripts, compiled decryption tools and exploitation attempts leveraging known vulnerabilities in Veeam Backup & Replication servers
  4. Limited exploitation success (e.g. CVE-2019-7192, CVE-2023-27532, CVE-2024-40711)
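The DCSync step in item 1 is the one most worth detecting, because it does not touch LSASS or drop a file on the domain controller: Mimikatz simply asks the DC to replicate directory data, which is what another DC legitimately does. The telltale is therefore who asks. Below is an added detection example, not part of the AWS post or its mitigation list: it scans constructed Windows Security event records (JSON, one per line, in the shape a log shipper would emit) for event ID 4662 carrying the replication control-access-right GUIDs, and alerts when the requester is not on an allow-list of accounts expected to replicate. The allow-list contents (two DC machine accounts and a directory-sync service account) and the sample events are assumptions made for the example.

```python
import json

# Control access right GUIDs that a DCSync (or any replication) request carries.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption for this example: accounts expected to replicate. In a real
# deployment this is every DC computer account plus directory-sync service
# accounts; anything else requesting replication rights is suspect.
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "svc_adsync"}

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4662, "TimeCreated": "2026-02-01T03:12:07Z", "SubjectUserName": "DC02$", "SubjectDomainName": "CORP", "Properties": "%%7688\\n\\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\\n\\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "TimeCreated": "2026-02-01T03:14:51Z", "SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "Properties": "%%7688\\n\\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\\n\\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "TimeCreated": "2026-02-01T03:15:02Z", "SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "Properties": "%%7688\\n\\t{bf967a86-0de6-11d0-a285-00aa003049e2}"}
{"EventID": 4624, "TimeCreated": "2026-02-01T03:15:30Z", "SubjectUserName": "jsmith", "SubjectDomainName": "CORP"}
this line is not json and must be skipped rather than crash the pipeline
"""


def replication_rights_in(event: dict):
    """Return the replication rights named in a 4662 event's Properties field."""
    props = event.get("Properties", "").lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def find_dcsync(lines: str):
    """Return one alert per 4662 replication request from a non-allow-listed account."""
    alerts = []
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                            # malformed line: skip, keep going
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev)
        if not rights:
            continue                            # ordinary directory access, not replication
        user = ev.get("SubjectUserName", "")
        if user in ALLOWED_REPLICATORS:
            continue                            # DC-to-DC or sync-service replication
        alerts.append({
            "time": ev.get("TimeCreated"),
            "account": f"{ev.get('SubjectDomainName', '')}\\{user}",
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS):
        print("possible DCSync:", alert)
```

On the sample this raises exactly one alert, for `CORP\jsmith` requesting Get-Changes and Get-Changes-All; the same request from `DC02$` is treated as normal replication, and a 4662 from `jsmith` without the replication GUIDs is ignored. Event 4662 is only generated if "Audit Directory Service Access" is enabled and a SACL exists on the domain naming context, so check that prerequisite before trusting the silence of this rule.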

“However, a critical finding from this analysis is that the threat actor largely failed when attempting to exploit anything beyond the most straightforward, automated attack paths. Their own documentation records repeated failures: targeted services were patched, required ports were closed, vulnerabilities didn’t apply to the target OS versions,” Moses wrote.

Threat Actor’s Multifaceted Use of GenAI

The Amazon Threat Intelligence analysis revealed that the actor used at least two distinct commercial large language model (LLM) providers throughout their operations.

The actor used AI for multiple tasks, including:

  • Attack planning: generating comprehensive attack methodologies complete with step-by-step exploitation instructions, expected success rates, time estimates and prioritized task trees
  • Multi-model operational workflow: one model served as the primary tool developer, attack planner and operational assistant, while a second was used as a supplementary attack planner when the actor needed help pivoting within a specific compromised network
  • Compromise planning: in one observed instance, the actor submitted the complete internal topology of an active victim (IP addresses, hostnames, confirmed credentials and identified services) and requested a step-by-step plan to compromise additional systems they could not reach with their existing tools
  • Infrastructure building: beyond the reconnaissance framework, the actor's infrastructure contained numerous scripts in multiple programming languages bearing hallmarks of AI generation, including configuration parsers, credential extraction tools, VPN connection automation, mass scanning orchestration and result aggregation dashboards

Amazon Threat Intelligence said it expects cybercriminals with low-to-medium skill levels to continue leveraging commercial AI tools for malicious purposes in 2026.

“Strong defensive fundamentals remain the most effective countermeasure: patch management for perimeter devices, credential hygiene, network segmentation and robust detection for post-exploitation indicators,” outlined Moses.

The AWS Security blog also provided defenders with a long list of mitigation recommendations built around four pillars: FortiGate appliance audit, credential hygiene, post-exploitation detection and backup infrastructure hardening.
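Two of those pillars, the FortiGate appliance audit and the credential hygiene that would have stopped the initial access described earlier (an internet-facing management interface plus a reused password), can be checked mechanically from the appliance's own configuration export. The following is an added example, not a script from the AWS post or from Fortinet: it parses the FortiGate CLI configuration format (`config` / `edit` / `set` / `next` / `end`) into a tree and flags the conditions that made this campaign possible: management protocols allowed on a WAN-facing interface, and admin accounts with no trusted-host restriction or no two-factor authentication. The configuration excerpt is constructed for the example, and treating an interface whose name starts with `wan` as WAN-facing is a heuristic assumption.

```python
import shlex

# Constructed FortiGate configuration excerpt (not from a real device).
SAMPLE_CONFIG = """\
# constructed excerpt, not a real export
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
    edit "backup-ops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC REDACTED
    next
end
"""

# Protocols in 'set allowaccess' that expose a login surface.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortigate_config(text: str) -> dict:
    """Parse FortiGate CLI config into nested dicts.

    'config a b' opens a section keyed "a b", 'edit "x"' opens an entry keyed
    "x", 'set k v1 v2' stores ["v1", "v2"] under k, 'next'/'end' close the
    current entry/section. Comment lines (#) and blanks are ignored.
    """
    tree: dict = {}
    stack = [tree]                          # innermost dict is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # handles the quoted names and values
        kw = tokens[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif kw == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif kw in ("next", "end"):
            stack.pop()
    return tree


def audit_config(text: str) -> list:
    """Return human-readable findings for exposed management and weak admin accounts."""
    tree = parse_fortigate_config(text)
    findings = []
    for name, iface in tree.get("system interface", {}).items():
        role = (iface.get("role") or [""])[0]
        wan_facing = role == "wan" or name.lower().startswith("wan")   # heuristic assumption
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if wan_facing and exposed:
            findings.append(f"interface {name}: management protocols "
                            f"({', '.join(sorted(exposed))}) allowed on WAN-facing interface")
    for name, admin in tree.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in admin):
            findings.append(f"admin {name}: no trusthost restriction, reachable from any source address")
        if "two-factor" not in admin:
            findings.append(f"admin {name}: no two-factor authentication")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports the `wan1` interface exposing HTTPS and SSH, and the built-in `admin` account with neither a trusted-host restriction nor a FortiToken, while `backup-ops` passes. Run it against a `show full-configuration` export rather than a partial `show`, since defaults are otherwise omitted. The audit can tell you whether a reused password could be tried from the internet, but not whether one is in use; that half of credential hygiene still needs a password policy and the detection of failed admin logins on the appliance itself.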
