SantaAd

SantaAd is a Russian-speaking initial access broker (IAB) active on the Exploit cybercrime forum and associated in reporting with the 2026 FortiBleed campaign. Multiple sources in the provided content link or trace the operation to the handle SantaAd, although Palo Alto Networks Unit 42’s attribution is explicitly noted as unconfirmed by other researchers. SantaAd publicly implied responsibility by advertising Fortinet-related access, referencing public FortiBleed reporting, and raising auction prices. The activity described is financially motivated and oriented toward resale of validated access rather than espionage. Reported targets included internet-facing Fortinet FortiGate devices at scale, with broader targeting of Synology NAS devices, Sophos firewalls, RDWeb portals, Citrix SSL-VPN, exposed RDP instances, and MS-SQL servers. Victim organizations spanned 194 countries, with many targets being companies with fewer than 200 employees; IT providers and managed service providers were also prioritized in some reporting because of downstream access value. Reported tactics and techniques included internet-wide scanning using Masscan, Shodan, and custom tooling; brute-force and dictionary attacks against administrative panels, SSL-VPN, SSH, and MSSQL; use of credentials from prior leaks; and exploitation of old or unpatched FortiGate vulnerabilities. In the FortiBleed reporting, compromised FortiGate devices were used to deploy a custom Go-based sniffer called FortigateSniffer, which abused the legitimate FortiOS command "diagnose sniffer packet" to capture traffic and steal plaintext passwords, NTLM hashes, Kerberos material, tickets, tokens, and session cookies. Captured authentication material was reportedly processed through distributed cracking infrastructure using Hashcat/Hashtopolis and rented GPUs, then validated and used for lateral movement, Active Directory reconnaissance, access to network shares, and maintenance of access via stolen session cookies. The content also describes operator tooling and workflow consistent with a mature access-brokering operation: dedicated brute-force infrastructure, separate cracking infrastructure, disposable Kali Linux virtual machines, custom scripts, OpenConnect/OpenFortiVPN, Impacket, and reported use of AI-assisted development tooling including Cursor and the CyberStrike framework. SantaAd’s forum activity reportedly included sales or auctions for thousands of Fortinet admin panels and large Fortinet credential datasets, including posts advertising 80,000 rows of Fortinet devices and an auction for nearly 7,000 Fortinet devices.