According to Amazon Threat Intelligence, a Russian-speaking, financially motivated threat actor used commercial generative AI services to compromise more than 600 FortiGate devices in 55 countries, with activity observed between 11 January and 18 February 2026. The attackers did not exploit FortiGate vulnerabilities; instead they abused exposed management ports and weak single-factor credentials to gain access.
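The access vector described above is a configuration problem rather than a software flaw, so it can be checked for directly. The following is an added example, not code from Amazon Threat Intelligence or Fortinet: a small Python auditor that parses a FortiOS configuration export and flags management services (HTTPS, SSH, and so on) allowed on an internet-facing interface, and admin accounts that have no second factor and no trusthost restriction. The two sample configurations are constructed in FortiOS CLI style to show the weak and the hardened state; treating interfaces named wan1/wan2 or carrying `set role wan` as internet-facing, and the list of services counted as "management", are assumptions for illustration.

```python
"""Audit a FortiOS configuration export for the two weaknesses the report
describes: management services reachable on an internet-facing interface, and
admin accounts that can log in with a single factor from any source address.

Added example, not code from Amazon Threat Intelligence or Fortinet.  The two
sample configs below are constructed in FortiOS CLI style; treating interfaces
named wan1/wan2 or with 'set role wan' as internet-facing is an assumption.
"""
import shlex

# allowaccess services that expose the management plane (assumed set).
MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}


def parse_fortios(text):
    """Parse flat FortiOS CLI (config / edit / set / unset / next / end) into
    {table: {entry: {key: [values]}}}.  Table-level settings with no 'edit'
    are stored under the entry key None.  Nested sub-tables inside an 'edit'
    are not handled; the samples here do not use them."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
            entry = None
        elif tok[0] == "edit":
            entry = tok[1]
            tables[table].setdefault(entry, {})
        elif tok[0] == "set":
            tables[table].setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] == "unset":
            tables[table].setdefault(entry, {})[tok[1]] = []
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table, entry = None, None
    return tables


def is_internet_facing(name, attrs, wan_names=("wan1", "wan2")):
    """Assumed convention: wan1/wan2 or 'set role wan' means internet-facing."""
    return name in wan_names or attrs.get("role") == ["wan"]


def trusthost_restricted(attrs):
    """True if at least one trusthostN entry limits admin logins to a real
    subnet; 0.0.0.0 0.0.0.0 (the default, omitted from exports) means 'any'."""
    hosts = [v for k, v in attrs.items() if k.startswith("trusthost")]
    return any(v and v[0] != "0.0.0.0" for v in hosts)


def audit(config_text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse_fortios(config_text)
    findings = []
    for name, attrs in cfg.get("system interface", {}).items():
        if not is_internet_facing(name, attrs):
            continue
        exposed = MGMT_SERVICES & set(attrs.get("allowaccess", []))
        if exposed:
            findings.append(f"interface {name}: management services "
                            f"{sorted(exposed)} reachable from the internet")
    for name, attrs in cfg.get("system admin", {}).items():
        # 'set two-factor disable' is the default and is omitted from exports,
        # so an absent key means the account is single-factor.
        if attrs.get("two-factor", ["disable"]) in ([], ["disable"]):
            findings.append(f"admin {name}: no second factor configured")
        if not trusthost_restricted(attrs):
            findings.append(f"admin {name}: no trusthost restriction, "
                            "login allowed from any source address")
    return findings


# Constructed sample: management plane open on the WAN, single-factor admin.
WEAK_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh fgfm
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

# Constructed sample: same device after hardening.
HARDENED_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

The parser is deliberately minimal (flat `config`/`edit`/`set` blocks only); a real export contains nested sub-tables, so run it against the `system interface` and `system admin` sections rather than a whole backup. On the weak sample it reports three findings (HTTPS and SSH on wan1, no second factor, no trusthost); on the hardened sample it reports none.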
Amazon Threat Intelligence's report notes that the actor used multiple commercial GenAI tools to automate and scale familiar attack techniques, and that AI-assisted scripts were used to parse and decrypt stolen data, enabling VPN access, Active Directory compromise, credential dumping, and lateral movement toward targets such as Veeam backup servers.
Researchers found that the toolset included AI-generated reconnaissance software, and that the actor relied on several commercial LLMs for planning and code generation, producing a toolkit that resembled the output of a full team. After gaining domain control, the group used pass-the-hash and NTLM relay techniques. Some attempts to exploit CVEs were also observed, but these often failed once they went beyond straightforward automated paths.
The piece, published by Pierluigi Paganini on Security Affairs on 23 February 2026, highlights that AI lowers the barrier for cybercrime and calls for robust patching, credential hygiene, segmentation, and detection.