More than 600 FortiGate devices spread across 55 countries have been compromised by a Russian-speaking, profit-driven threat actor using commercial generative artificial intelligence (AI) services. The activity was observed between January 11 and February 18, 2026, according to new findings from Amazon Threat Intelligence. According to a report by CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, "no exploitation of FortiGate vulnerabilities was observed—instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, fundamental security gaps that AI helped an unsophisticated actor exploit at scale."
By using a number of commercial generative AI tools to carry out different stages of the attack cycle, including tool development, attack planning, and command generation, the threat actor was able to overcome its limited technical capabilities. One AI tool served as the main backbone of the operation, while a second was used as a backup to help the attackers pivot within a particular compromised network. Compromised clusters have been found in South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia.
According to the company, "the threat actor deploys a custom reconnaissance tool, with different versions written in both Go and Python, after VPN access to victim networks."
"An examination of the source code shows obvious signs of AI-assisted development, including naive JSON parsing using string matching instead of appropriate deserialization, simple architecture with an excessive amount of formatting investment over functionality, compatibility shims for language built-ins with blank documentation stubs, and redundant comments that simply restate function names."

The following is a list of additional actions the threat actor took after the reconnaissance phase:

- Use DCSync attacks to compromise the domain.
- Use remote command execution on Windows hosts, NTLM relay attacks, and pass-the-hash/pass-the-ticket attacks to move laterally across the network.
- Use credential harvesting tools and programs to target Veeam Backup & Replication servers in order to take advantage of known Veeam vulnerabilities (such as CVE-2023-27532 and CVE-2024-40711).
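Of the post-reconnaissance steps listed above, DCSync is the one with the cleanest host-side signal: a replication request shows up on the domain controller as Windows Security event 4662 whose Properties carry the replication control-access right GUIDs, and legitimate requests come only from other domain controllers. As an added example, not part of Amazon's report, the following Python applies that filter to a few constructed 4662 records; the list of known DC hostnames is an assumption that in production would be loaded from Active Directory.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662
records. Added, illustrative detection logic, not from the report; the
events below are constructed.

A DCSync asks a domain controller for replication data. With 'Audit
Directory Service Access' enabled this lands as event 4662 whose
Properties list the replication control-access rights. Domain controllers
request this legitimately, so the filter keeps only requests from accounts
that are not known DC machine accounts."""
import re

# Control-access right GUIDs used by directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Known domain controller hostnames; assumption, load from AD in production.
KNOWN_DCS = {"DC01", "DC02"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample events, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: should not alert.
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "DC02$",
     "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account requesting full replication: alert.
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A 4662 on an unrelated property: not replication, no alert.
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "svc-backup",
     "AccessMask": "0x10",
     "Properties": "%%7688 {bf967a7f-0de6-11d0-a285-00aa003049e2}"},
    # Unrelated event type.
    {"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith"},
]


def replication_rights(properties):
    """Names of replication rights present in a 4662 Properties string."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def is_known_dc_account(name):
    """Machine accounts end in '$'; only listed DCs count as legitimate."""
    return name.endswith("$") and name[:-1].upper() in KNOWN_DCS


def detect_dcsync(events):
    """Return one alert per 4662 that requests replication from a non-DC account."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights or is_known_dc_account(ev.get("SubjectUserName", "")):
            continue
        alerts.append({"account": ev["SubjectUserName"], "dc": ev.get("Computer"), "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync from {alert['account']} on {alert['dc']}: {', '.join(alert['rights'])}")
```

Two caveats for real deployments: 4662 is only emitted when the domain object's SACL audits the replication rights, and products such as Azure AD Connect or backup agents legitimately hold these rights, so their service accounts belong on an allow list alongside the DC machine accounts.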