Hackers Use DeepSeek and Claude To Launch Global Attack On FortiGate Devices

In early February 2026, researchers discovered a misconfigured server at 212.11.64.250:9999 exposing over 1,400 files from an active intrusion campaign targeting FortiGate firewalls worldwide.

The server, hosted by Global-Data System IT Corporation in Switzerland, revealed stolen configurations, Active Directory data, and AI-generated attack plans affecting victims in at least five countries, including an Asia-Pacific gas company, a Turkish telecom, and an Asian media firm.

What set this apart was the integration of large language models like DeepSeek and Anthropic’s Claude directly into the hackers’ workflow, enabling a single low-skilled operator to scale attacks across 600+ devices in 55 countries from January to February 2026.

This Russian-speaking, financially motivated actor did not rely on zero-days; instead, they exploited weak credentials on exposed management ports (443, 8443, 10443, 4443).

FortiGate configs proved valuable, containing VPN credentials, network topologies, LDAP binds, and admin details, which were decrypted via scripts exploiting CVE-2019-6693.

Historical scans showed a prior exposure in December 2025 on the same IP, using HexStrike. This open-source MCP framework enables LLMs to run pentest tools such as Impacket and Metasploit autonomously.

By February, the actor evolved to use custom tools: ARXON (Python MCP server) and CHECKER2 (Go-based Docker orchestrator), processing 2,516 targets across 106 countries in parallel batches.

Attack Capture view of the suspicious open directory at 212.11.64[.]250:9999 (Source: cyberandramen)

Discovery and Attack Chain

Hunt.io’s Attack Capture flagged the SimpleHTTP server running Python 3.13.9, with folders like “claude” containing 200+ files of Claude Code outputs, prompts, and settings that pre-approve offensive tool execution without prompts.

One chain started with a FortiGate-40F branch office compromise via a read-only “Technical_support” account, extracting backups that mapped HQ networks, guest subnets, SSL VPN users (50 accounts listed by name/ID), and domain controllers.

LDAP bind credentials were decrypted easily, enabling FortiSSL VPN access for internal recon using Nuclei templates and BloodHound.

Recon data fed into ARXON, which bridged to DeepSeek for attack plans and Claude for live vulnerability assessments like targeting QNAP NAS (CVE-2019-7192) and Veeam servers (CVE-2023-27532) with SMB signing off, NTLM relay via Impacket’s ntlmrelayx.py, and Metasploit modules.

IP summary in Hunt showing the historical open directory information for the server (Source: cyberandramen)

A February 1 report, generated mid-intrusion (noted 400ms RTT to Asia-Pacific target), prioritized Veeam RCE, forced auth, and further scans, showing Claude executing tools autonomously.

CHECKER2 orchestrated scans from 185.196.11.225, deploying 102MB FortiGate archives for batch VPN probing and ARXON handoff.

Custom Tools and Evolution

ARXON maintained a growing knowledge base per target, generating plans from recon while scripting SSH backdoors, VPN provisioning, and Domain Admin validation.

Claude settings from December hardcoded Asian media firm credentials for psexec.py, secretsdump.py, and hashcat, distinct from the live reports.

The evolution from HexStrike to these custom tools took eight weeks, shifting semi-manual operations to automated, global-scale operations without advanced skills. A deepseek_attack_plan.py hinted at new tactics, such as CVE-2026-24061 on ZKSoftware biometrics via telnet bypass.

Intrusion chain diagram (Source: cyberandramen)

Post-exploitation hit AD via DCSync/mimikatz for full credential dumps and lateral movement with pass-the-hash; backup targeting was often foiled by patches or configurations, prompting target switches. AWS notes AI hallmarks in the tools, such as redundant comments and naive parsing, showing unrefined generation.

According to Cyber and Ramen, defenders must audit exposed FortiGates, enforce MFA and credential rotation, isolate backups, and monitor VPN logs, DCSync (Event ID 4662), and anomalous PowerShell, with fundamentals trumping AI speed.
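The DCSync monitoring recommended above can be expressed as a simple rule over Windows Security Event 4662 records: a replication-rights request (the well-known DS-Replication-Get-Changes control-access GUIDs) from any account that is not a known domain controller. The following is an added illustration, not code from the report or the researchers; the event records and the list of known replicator accounts are constructed placeholders.

```python
# Detection logic for DCSync-style replication requests in Event ID 4662.
# Added example; sample events and KNOWN_REPLICATORS are constructed.

# Control-access rights exercised by DCSync (well-known Active Directory GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: domain controller machine accounts and any
# directory-sync service account. Constructed placeholder names.
KNOWN_REPLICATORS = {"DC01$", "DC02$", "MSOL_SYNC_SVC"}

# Constructed 4662 records in the shape a SIEM would normalise them to.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "ObjectType": "user", "AccessMask": "0x20",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP"},
]

def replication_rights(event):
    """Return the names of replication rights a 4662 event exercises (empty if none)."""
    if event.get("EventID") != 4662:
        return set()
    if int(event.get("AccessMask", "0x0"), 16) & 0x100 == 0:   # 0x100 = Control Access
        return set()
    if event.get("ObjectType", "").lower() != "domaindns":      # naming-context object
        return set()
    props = event.get("Properties", "").lower()
    return {name for guid, name in REPLICATION_RIGHTS.items() if guid in props}

def detect_dcsync(events, known=KNOWN_REPLICATORS):
    """Alert on replication requests from accounts that are not known replicators."""
    alerts = []
    for ev in events:
        rights = replication_rights(ev)
        if rights and ev.get("SubjectUserName", "").upper() not in known:
            alerts.append((ev["SubjectUserName"], ev.get("SubjectDomainName", ""), sorted(rights)))
    return alerts

if __name__ == "__main__":
    for user, domain, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {domain}\\{user} requested {', '.join(rights)}")
```

Real deployments should build the allow list from the Domain Controllers OU rather than a hardcoded set, since a compromised machine account with replication rights would otherwise be treated as benign.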

IP Address            Domain   ASN
212.11.64.250:9999    N/A      Global-Data System IT Corporation
185.196.11.225        N/A      Global-Data System IT Corporation

Observed CVEs

CVE               Targeted Technology               Role
CVE-2026-24061    ZKSoftware biometric (telnet)     Physical security bypass
CVE-2025-33073    SMB                               Windows privilege escalation
CVE-2023-27532    Veeam Backup & Replication        Credential extraction
CVE-2019-7192     QNAP NAS                          Network storage access
CVE-2019-6693     Fortinet configs                  Password decryption


The post Hackers Use DeepSeek and Claude To Launch Global Attack On FortiGate Devices appeared first on Cyber Security News.
