Amazon recently issued a security warning stating that in just five weeks, a Russian-speaking hacker used a variety of generative AI services to run a large-scale intrusion campaign against Fortinet FortiGate firewalls, compromising more than 600 devices in 55 countries.

CJ Moses, Chief Information Security Officer of Amazon's Integrated Security department, disclosed in the report that this wave of attacks took place between January 11 and February 18, 2026. The attackers did not exploit zero-day vulnerabilities; instead they focused on FortiGate management interfaces exposed to the Internet, combined with weak passwords and accounts lacking multi-factor authentication, and then used AI-driven automation to break into other devices in the victim network. The report shows that the compromised firewalls are spread across regions including South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. Target selection was clearly opportunistic rather than aimed at specific industries.
Amazon said its security team uncovered the overall framework of the operation after discovering a server used to deliver malicious tools built specifically to attack FortiGate firewalls. The attackers first scanned ports 443, 8443, 10443, and 4443 to find FortiGate management interfaces exposed to the public Internet, then brute-forced them with common weak passwords to gain access, rather than exploiting any known or unknown FortiGate vulnerability.
Once a device was compromised, the attacker exported its configuration file and harvested key data from it: SSL-VPN user credentials (including recoverable passwords), management accounts, access control policies and internal network architecture, IPsec VPN configuration, network topology, and routing information. These configuration files were then parsed and decrypted by custom tools whose source code showed clear traces of AI-assisted development: redundant comments in the custom reconnaissance programs written in Python and Go, simple architecture with disproportionate effort spent on formatting, string matching in place of proper JSON deserialization, and compatibility layers for built-in language features accompanied by empty documentation. Amazon noted that the tools met the attackers' immediate needs but often failed in complex or well-hardened environments and lacked robustness, a typical sign of AI-generated code that has not been carefully refined.
These automated tools were used for in-depth reconnaissance of compromised networks: analyzing routing tables, classifying networks by size, port scanning with the open-source gogo scanner, identifying SMB hosts and domain controllers, and looking for HTTP services and potential vulnerabilities with Nuclei. Investigators found that when the attackers ran into systems that had been patched promptly or strictly hardened and could not break through after repeated attempts, they abandoned those targets and moved on to more vulnerable systems.
Later in the attack chain, researchers found operational documentation written in Russian on the attacker's server, detailing how to use Meterpreter and mimikatz to conduct a DCSync attack against a Windows domain controller and export NTLM password hashes from the Active Directory database. Additionally, the attackers specifically targeted Veeam Backup & Replication servers, using custom PowerShell scripts and compiled credential extraction tools in attempts to exploit Veeam-related vulnerabilities, aiming to compromise or take control of the backup infrastructure ahead of a possible subsequent ransomware attack.
On a server at IP 212[.]11.64.250 discovered by Amazon, the security team located a PowerShell script named "DecryptVeeamPasswords.ps1" used to decrypt and abuse credentials stored in Veeam backup systems. The report noted that the attackers' so-called "combat notes" repeatedly mentioned attempts to exploit multiple vulnerabilities, including the QNAP remote code execution vulnerability CVE-2019-7192, the Veeam information disclosure vulnerability CVE-2023-27532, and the Veeam remote code execution vulnerability CVE-2024-40711.
Amazon assesses the threat actor's overall technical level as "low to moderate", but its attack capability was significantly amplified through extensive use of generative AI services. Researchers noted that the attackers used at least two large language model services throughout the operation to generate step-by-step attack methodologies, write custom scripts in multiple languages, build reconnaissance frameworks, plan lateral movement paths, and write internal operational documentation. In some cases the attackers even submitted the complete internal network topology (including IP addresses, hostnames, credentials, and known services) to the AI service and asked for recommendations on how to expand further within the network.
Amazon emphasized that this incident clearly demonstrates that commercial AI services are lowering the barrier to cyber attacks, allowing inexperienced attackers who would otherwise struggle to complete complex intrusions on their own to launch large-scale, multinational operations. To counter this type of threat, Amazon recommends that FortiGate administrators avoid exposing management interfaces to the public Internet, enable multi-factor authentication for key accounts, ensure that VPN passwords are not synchronized with Active Directory account passwords, and focus on hardening backup systems. Amazon's observations echo recent reports from Google that attackers are leveraging Gemini AI throughout all stages of a cyberattack, from initial reconnaissance to post-intrusion operations.
Roughly coinciding with the Amazon report, the security blog "Cyber and Ramen" published an independent study revealing more technical detail on how the attackers embedded AI and large language models directly into the intrusion process. The researcher found that the misconfigured server 212.11.64[.]250 mentioned above exposed 1,402 files and 139 subdirectories, containing not only stolen FortiGate configuration backups, Active Directory mapping data, credential dumps, vulnerability assessment results and attack planning documents, but also a large number of artefacts from AI interactions.
The researchers pointed out that the server is located in Zurich, Switzerland and hosted by AS4264 (Global-Data System IT Corporation). Its directory structure contains CVE exploit code, FortiGate configuration files, Nuclei scanning templates, and Veeam credential extraction tools. Notably, two folders named "claude-0" and "claude" contain more than 200 files in total, including Claude Code task output, session diffs, and cached prompt state, indicating continuous, systematic interaction between the attacker and commercial AI tools. Another folder named "fortigate_27.123" (remainder of the IP redacted) holds configuration data and credentials suspected to come from a compromised FortiGate device.
Further analysis found that the attacker had built a custom Model Context Protocol (MCP) server named "ARXON" as a "bridge" between reconnaissance data and commercial large language models. The researchers found no public information about ARXON and concluded that the framework was most likely developed by the attackers themselves. In this architecture, the MCP server receives data extracted from the victim network and FortiGate devices, feeds it to a large language model, and passes the model's output on to other attack tools for automated post-exploitation analysis and attack planning.
In addition to ARXON, the researchers discovered a Go tool called CHECKER2, deployed in Docker and used to scan large numbers of VPN targets in parallel. Logs show that the tool scanned more than 2,500 potential targets in more than 100 countries, reflecting the broad reach of the campaign. Reconnaissance data collected from compromised FortiGate units and internal networks was reportedly fed into ARXON, which used large models such as DeepSeek and Claude to generate a structured attack plan: how to gain domain administrator privileges, where to prioritize high-value credentials, recommended exploitation steps, and specific paths for lateral movement within the network.
In some scenarios Claude Code was even configured to execute attack tools directly, such as Impacket scripts, Metasploit modules and hashcat, without the attacker confirming each command. The researchers noted that the attack system evolved significantly within a few weeks: the attackers initially relied on the open-source HexStrike MCP framework and about eight weeks later moved to the more automated ARXON system customized to their own needs, further improving the efficiency of large-scale intrusions.
In its conclusion, the independent report agrees with Amazon's assessment: generative AI acted as a "multiplier" in this operation, allowing attackers with limited technical skill to rapidly scale up the size and complexity of their attacks. The researchers also remind defenders to prioritize patching edge devices, restrict and monitor SSH access, and regularly audit anomalous VPN account creation to counter this type of AI-assisted automated intrusion.
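The two log-side signals of this campaign, repeated failed administrator logins against an exposed management interface (the password guessing described in the Amazon section) and the anomalous VPN account creation the independent report tells defenders to audit, can be pulled out of FortiGate event logs with a short detector. The script below is an added example written for this article, not Amazon's or the blog's code; the log lines are constructed, and the field names it keys on (logdesc, status, srcip, action, cfgpath, cfgobj) are assumed to follow FortiOS key=value event-log syntax.

```python
"""Flag two FortiGate event-log patterns from the campaign described above:
repeated failed administrator logins from one source, and creation of new
local-user or admin accounts.

Hypothetical detector, not Amazon's or the blog's code.  Log lines are
constructed; field names are assumed to follow FortiOS event-log syntax.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _failed_login(t, ip):
    # Builds one constructed "Admin login failed" event line.
    return (f'date=2026-01-15 time={t} logdesc="Admin login failed" user="admin" '
            f'ui="https({ip})" srcip={ip} action="login" status="failed" reason="passwd_invalid"')


# Constructed FortiOS-style event lines (documentation IP ranges): six
# failures from one source in three minutes, then a success and a new local
# user, plus one isolated failure from elsewhere.
SAMPLE_LOGS = [
    _failed_login(t, "198.51.100.7")
    for t in ("02:10:05", "02:10:31", "02:11:02", "02:11:40", "02:12:15", "02:12:58")
] + [
    'date=2026-01-15 time=02:13:40 logdesc="Admin login successful" user="admin" '
    'ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="success"',
    'date=2026-01-15 time=02:14:12 logdesc="Object attribute configured" user="admin" '
    'ui="ssh(198.51.100.7)" action="Add" cfgpath="user.local" cfgobj="vpn-svc3" '
    'msg="Add user.local vpn-svc3"',
    _failed_login("09:15:00", "192.0.2.44"),
]

# key=value tokens, where the value is either double-quoted or bare.
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split a FortiOS key=value log line into a dict and attach a timestamp."""
    fields = {}
    for m in TOKEN.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}',
                                     "%Y-%m-%d %H:%M:%S")
    return fields


def find_login_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {srcip: max failures inside one window} for sources that reach
    `threshold` failed admin logins within `window` (sliding window)."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("logdesc") == "Admin login failed":
            by_src[e["srcip"]].append(e["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def sources_that_also_logged_in(events, hits):
    """Flagged sources that also have a successful admin login: guessing that worked."""
    return sorted({e["srcip"] for e in events
                   if e.get("logdesc") == "Admin login successful" and e.get("srcip") in hits})


def find_account_creation(events, paths=("user.local", "system.admin")):
    """Return (actor, ui, cfgpath, object) for every local user or admin account added."""
    return [(e["user"], e["ui"], e["cfgpath"], e["cfgobj"]) for e in events
            if e.get("logdesc") == "Object attribute configured"
            and e.get("action") == "Add" and e.get("cfgpath") in paths]


def analyze(lines):
    """Run all checks over raw log lines and return one report dict."""
    events = [parse_line(line) for line in lines]
    hits = find_login_bruteforce(events)
    return {"bruteforce": hits,
            "guessed_and_succeeded": sources_that_also_logged_in(events, hits),
            "accounts_added": find_account_creation(events)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

On the constructed sample the detector flags 198.51.100.7 with six failures inside the window, notes that the same source then logged in successfully, and lists the `vpn-svc3` local user added over SSH from that address; the single failure from 192.0.2.44 stays below the threshold. The threshold and window are parameters so they can be tuned to a site's normal admin activity.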
Additionally, CronUp security researcher Germán Fernández discovered a different server with an exposed directory that appeared to contain AI-generated attack tools targeting FortiWeb appliances. Although these tools have not been confirmed to be directly involved in the FortiGate campaign, the finding once again highlights that threat actors continue to explore new ways of using AI tools to expand their capabilities.