A low-skilled cyber threat actor has been observed using several GenAI tools to run a campaign aimed at compromising Fortinet’s FortiGate firewall appliances, according to Infosecurity Magazine. The campaign ran from 11 January to 18 February 2026 and compromised over 600 FortiGate devices across more than 55 countries.
AWS Threat Intelligence assessed that the attacker was a Russian-speaking, financially motivated actor with limited technical capabilities who used multiple commercial GenAI services to implement and scale attack techniques in every phase. The group's operations included scanning for exposed FortiGate management interfaces, developing AI-assisted scripts, and deploying a post-access reconnaissance tool written in Go and Python, in which Amazon Threat Intelligence noted AI-generated code.
The report also notes that AWS infrastructure was not involved and no FortiGate vulnerabilities were exploited. The mitigation guidance highlights patch management for perimeter devices, credential hygiene, network segmentation and post-exploitation detection, with the AWS Security blog providing a longer list of defensive steps.