In early February 2026, researchers discovered a misconfigured server at 212.11.64.250:9999 exposing over 1,400 files from an active intrusion campaign targeting FortiGate firewalls worldwide. The server, hosted by Global-Data System IT Corporation in Switzerland, exposed Active Directory information, stolen configurations, and AI-generated attack plans affecting victims in at least five different countries, including a Turkish telecom, an Asian media company, and an Asia-Pacific gas company.
The campaign stood out because, from January to February 2026, a single, unskilled operator was able to scale attacks across more than 600 devices in 55 countries by integrating large language models like DeepSeek and Anthropic's Claude directly into the attack workflow.
Instead of using zero-days, this financially motivated, Russian-speaking actor took advantage of weak credentials on open management ports (443, 8443, 10443, 4443). The FortiGate configurations were useful because they contained admin information, network topologies, LDAP binds, and VPN credentials. These were decrypted using scripts that took advantage of CVE-2019-6693.
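For defenders, the conditions described above can be checked in a FortiGate configuration backup. The following is an added example, not code from the exposed server or from the researchers: it flags management access on WAN interfaces, admin accounts without a trusted-host restriction, and backups that do not use `private-data-encryption`. The setting names are standard FortiOS CLI keys rather than values from this article, and treating `role wan` as internet-facing is an assumption.

```python
TARGETED_PORTS = {443, 8443, 10443, 4443}  # management ports named in the article

def parse_sections(text):
    """Parse config/edit/set/end blocks into {section: {entry: {key: value}}}.
    Nested sub-tables and lines outside a top-level section are skipped."""
    sections, table, entry, depth = {}, None, "", 0
    for line in map(str.strip, text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "config":
            depth += 1
            if depth == 1:
                table, entry = sections.setdefault(rest, {}), ""
        elif word == "end":
            depth -= 1
        elif depth == 1 and word == "edit":
            entry = rest.strip('"')
            table.setdefault(entry, {})
        elif depth == 1 and word == "set":
            key, _, value = rest.partition(" ")
            table.setdefault(entry, {})[key] = value
    return sections

def audit(text):
    """Return findings for the weaknesses the article says the campaign relied on."""
    cfg, findings = parse_sections(text), []
    glob = cfg.get("system global", {}).get("", {})
    if glob.get("private-data-encryption") != "enable":
        findings.append("global: private-data-encryption off (CVE-2019-6693 exposure)")
    port = int(glob.get("admin-sport", "443"))  # FortiOS default HTTPS admin port
    for name, iface in cfg.get("system interface", {}).items():
        mgmt = {"https", "http", "ssh", "telnet"} & set(iface.get("allowaccess", "").split())
        if iface.get("role") == "wan" and mgmt:  # assumption: role wan = internet-facing
            findings.append(f"{name}: admin access on WAN, port {port}, targeted={port in TARGETED_PORTS}")
    for name, admin in cfg.get("system admin", {}).items():
        hosts = [v for k, v in admin.items() if k.startswith("trusthost")]
        if all(v == "0.0.0.0 0.0.0.0" for v in hosts):  # also true when none are set
            findings.append(f"admin {name}: no trusthost restriction")
    return findings

# Constructed sample config, not taken from the exposed server.
SAMPLE = """config system global
set admin-sport 8443
end
config system interface
edit "wan1"
set role wan
set allowaccess ping https ssh
next
end"""
print("\n".join(audit(SAMPLE)))
```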
| IP Address | Domain | ASN |
|---|---|---|
| 212.11.64.250:9999 | N/A | Global-Data System IT Corporation |
| 185.196.11.225 | N/A | Global-Data System IT Corporation |

CVEs observed:

| CVE | Targeted technology | Role |
|---|---|---|
| CVE-2026-24061 | ZKSoftware biometric (telnet) | Bypassing physical security |
| CVE-2025-33073 | SMB | Windows privilege escalation |
| CVE-2023-27532 | Veeam Backup & Replication | Credential extraction |
| CVE-2019-7192 | QNAP NAS | Network storage access |
| CVE-2019-6693 | Fortinet configs | Password decryption |












