Mallory
Malware | Ransomware | Used by 1 actor | Exploits 3 CVEs

FortigateSniffer

FortigateSniffer is a custom Golang-based credential-harvesting tool used in the FortiBleed campaign against compromised FortiGate firewalls since at least February 2026. It is also tracked as fg_sniffer and has been reported as compiled for both Linux and Windows, including fg_sniffer_linux_amd64 and fg_sniffer_windows_amd64.exe. Rather than relying on a traditional exploit payload for packet capture, the tool abuses the legitimate FortiOS diagnostic command "diagnose sniffer packet" to passively intercept authentication traffic traversing infected FortiGate appliances.

Reported capabilities include simultaneous monitoring of 24 protocols and parsing of authentication material from intercepted flows. Protocols explicitly mentioned in the reporting include Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, SMTP, FTP, MySQL, Microsoft SQL Server, PostgreSQL, Telnet, RPC, and TACACS+. The tool and associated processing pipeline were reported to extract plaintext usernames and passwords, NTLM/NTLMv2 hashes, Kerberos hashes and tickets, session cookies, tokens, email credentials, database credentials, and other authentication artifacts. Some reporting states that captured output was converted into PCAP/PCAPNG format and further analyzed by tooling referred to as SNIFTRAN and a PCAP Deep Analysis Toolkit.

Deployment occurred after attackers gained administrative or SSH access to FortiGate devices through brute force, credential stuffing, dictionary attacks, leaked credentials, and exploitation of unpatched FortiGate vulnerabilities. The malware was described as turning compromised firewalls into passive credential collectors positioned at the network boundary. Researchers reported geofencing and time-based execution controls, including activation only for certain IP ranges and operation during 07:00-18:00 Moscow time.
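A defender-side check suggested by two points above, the abused FortiOS diagnostic command and the reported 07:00-18:00 Moscow execution window: this is an added example, not code from the Mallory page or from any of the cited reports. It parses constructed FortiOS-style key=value event lines, flags every "diagnose sniffer packet" invocation, raises severity when the admin session came from outside an assumed management allowlist, and tags whether the event fell inside the reported Moscow window. The field layout, the allowlist prefix and the UTC timestamp assumption are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

MOSCOW = timezone(timedelta(hours=3))  # Moscow time has had no DST since 2014
MGMT_ALLOWLIST = ("10.0.5.",)  # assumed management prefix; take from inventory in practice

# Constructed sample lines in FortiOS key=value style (illustrative fields, no real
# logids or telemetry); timestamps are assumed to be UTC.
SAMPLE_LOGS = [
    'date=2026-05-12 time=06:14:03 type=event subtype=system user="admin" '
    "ui=\"ssh(203.0.113.7)\" msg=\"diagnose sniffer packet any 'port 88' 6 0\"",
    'date=2026-05-12 time=16:30:41 type=event subtype=system user="netops" '
    "ui=\"ssh(10.0.5.20)\" msg=\"diagnose sniffer packet wan1 'host 10.0.0.1' 4 100\"",
    'date=2026-05-12 time=16:35:00 type=event subtype=system user="netops" '
    'ui="https(10.0.5.20)" msg="config system interface"',
]
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_kv(line):
    """Split a FortiOS-style key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def source_ip(ui):
    """Pull the client address out of a ui field such as ssh(203.0.113.7)."""
    m = re.search(r"\(([\d.]+)\)", ui)
    return m.group(1) if m else ""

def in_reported_window(date, time):
    """True if the (assumed UTC) timestamp lies in the 07:00-18:00 Moscow window."""
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return 7 <= ts.replace(tzinfo=timezone.utc).astimezone(MOSCOW).hour < 18

def detect(lines):
    """One finding per sniffer invocation; severity is high when the admin
    session did not originate from the management allowlist."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if not rec.get("msg", "").startswith("diagnose sniffer packet"):
            continue
        ip = source_ip(rec.get("ui", ""))
        findings.append({
            "user": rec.get("user"), "src": ip,
            "severity": "medium" if ip.startswith(MGMT_ALLOWLIST) else "high",
            "in_msk_window": in_reported_window(rec["date"], rec["time"]),
        })
    return findings
```

Feeding `detect()` a real FortiOS event export instead of `SAMPLE_LOGS` is the only change needed to run it over production logs, provided the export keeps the date, time, user, ui and msg fields.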

FortigateSniffer is associated in the reporting with the broader FortiBleed operation, which researchers assessed as likely run by a financially motivated initial access broker; some reporting notes possible Russian-speaking links, though attribution remains unconfirmed. Targeting was global across FortiGate devices, with emphasis on small and medium-sized organizations, especially in the United States and India, and notable interest in IT providers and managed service providers. The harvested credentials were reportedly fed into distributed cracking and validation infrastructure and then reused for lateral movement, Active Directory reconnaissance, SMB/network-share access, session hijacking, and potential resale of access for follow-on criminal or espionage activity.


EXPLOITED CVES

Vulnerabilities exploited

3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-59719: FortiCloud SSO authentication bypass in Fortinet FortiWeb

However, in May the scheme became more elaborate, and a Go-based tool, FortigateSniffer, began to be installed on the devices. This sniffer abuses the standard FortiOS command diagnose sniffer packet, which is intended for network diagnostics, and passively listens to traffic passing through the firewall across 24 protocols at once.

via xakep.ru
CVE-2025-59718: FortiCloud SSO Authentication Bypass in FortiOS, FortiProxy, and FortiSwitchManager

However, in May the scheme became more elaborate, and a Go-based tool, FortigateSniffer, began to be installed on the devices. This sniffer abuses the standard FortiOS command diagnose sniffer packet, which is intended for network diagnostics, and passively listens to traffic passing through the firewall across 24 protocols at once.

via xakep.ru
CVE-2026-24858: FortiCloud SSO Authentication Bypass in Fortinet Multiple Products

However, in May the scheme became more elaborate, and a Go-based tool, FortigateSniffer, began to be installed on the devices. This sniffer abuses the standard FortiOS command diagnose sniffer packet, which is intended for network diagnostics, and passively listens to traffic passing through the firewall across 24 protocols at once.

via xakep.ru
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

SantaAd

However, in May the scheme became more elaborate, and a Go-based tool, FortigateSniffer, began to be installed on the devices. This sniffer abuses the standard FortiOS command diagnose sniffer packet, which is intended for network diagnostics, and passively listens to traffic passing through the firewall across 24 protocols at once.

via xakep.ru
MITRE ATT&CK

Techniques & procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1078 Valid Accounts (evidence: 3)

SOCRadar found that valid SSH credentials identified by mpbrute2 attempts are subsequently used to deploy a Go-based tool called FortigateSniffer, or FGSniffer, to continuously capture authentication traffic from all networks behind the compromised firewall.

T1133 External Remote Services (evidence: 2)

Traffic Harvesting: After gaining SSH access, a custom FortiGate sniffer captures sensitive traffic and extracts credentials and authentication hashes.

Persistence

2 techniques
T1078 Valid Accounts (evidence: 3)

SOCRadar found that valid SSH credentials identified by mpbrute2 attempts are subsequently used to deploy a Go-based tool called FortigateSniffer, or FGSniffer, to continuously capture authentication traffic from all networks behind the compromised firewall.

T1133 External Remote Services (evidence: 2)

Traffic Harvesting: After gaining SSH access, a custom FortiGate sniffer captures sensitive traffic and extracts credentials and authentication hashes.

Privilege Escalation

1 technique
T1078 Valid Accounts (evidence: 3)

SOCRadar found that valid SSH credentials identified by mpbrute2 attempts are subsequently used to deploy a Go-based tool called FortigateSniffer, or FGSniffer, to continuously capture authentication traffic from all networks behind the compromised firewall.

Stealth

2 techniques
T1078 Valid Accounts (evidence: 3)

SOCRadar found that valid SSH credentials identified by mpbrute2 attempts are subsequently used to deploy a Go-based tool called FortigateSniffer, or FGSniffer, to continuously capture authentication traffic from all networks behind the compromised firewall.

T1564 Hide Artifacts (evidence: 1)

The tool also incorporates two evasion techniques: GeoIP-based filtering (using a binary-search-optimized ipgeo.csv) and business-hour scheduling, restricting active sniffing to 07:00–18:00 Moscow Time to minimize anomaly alerts during off-hours.

Credential Access

8 techniques
T1003 OS Credential Dumping (evidence: 1)

Traffic Harvesting: After gaining SSH access, a custom FortiGate sniffer captures sensitive traffic and extracts credentials and authentication hashes.

T1040 Network Sniffing (evidence: 10)

However, in May the scheme became more elaborate, and a Go-based tool, FortigateSniffer, began to be installed on the devices. This sniffer abuses the standard FortiOS command diagnose sniffer packet, which is intended for network diagnostics, and passively listens to traffic passing through the firewall across 24 protocols at once.

T1110 Brute Force (evidence: 1)

The company says the threat actor deployed a credential-harvesting sniffer framework called "FortigateSniffer" on compromised FortiGate devices after first gaining administrative access via credential stuffing and brute-force attacks.

T1110.004 Credential Stuffing (evidence: 1)

The researchers say the threat actor behind this campaign serves as an initial access broker (IAB), using credential stuffing, brute-force attacks, credential harvesting, and offline password cracking to obtain access to corporate networks.

T1558 Steal or Forge Kerberos Tickets (evidence: 4)

The sniffer steals plaintext passwords, NTLM and Kerberos hashes, tickets, tokens, and other authentication data.

T1558.003 Kerberoasting (evidence: 1)

Once sniffed, the raw SSH terminal output is converted into .pcapng format by the SNIFTRAN engine, then processed through a PCAP Deep Analysis Toolkit (v5.0) that extracts cleartext credentials, NTLMv2 hashes, Kerberos TGS/ASREP tickets, and session cookies.

T1558.004 AS-REP Roasting (evidence: 1)

Once sniffed, the raw SSH terminal output is converted into .pcapng format by the SNIFTRAN engine, then processed through a PCAP Deep Analysis Toolkit (v5.0) that extracts cleartext credentials, NTLMv2 hashes, Kerberos TGS/ASREP tickets, and session cookies.

T1649 Steal or Forge Authentication Certificates (evidence: 4)

In addition, the attackers steal session cookies in order to retain access to services that have already been compromised.

Discovery

3 techniques
T1018 Remote System Discovery (evidence: 1)

Once successful credentials are recovered, they can be weaponized for lateral movement, Active Directory reconnaissance, Kerberos verification, SMB authentication, and further network expansion...

T1040 Network Sniffing (evidence: 10)

However, in May the scheme became more elaborate, and a Go-based tool, FortigateSniffer, began to be installed on the devices. This sniffer abuses the standard FortiOS command diagnose sniffer packet, which is intended for network diagnostics, and passively listens to traffic passing through the firewall across 24 protocols at once.

T1046 Network Service Discovery (evidence: 2)

A structured, multi-stage attack chain is employed, beginning with large-scale internet reconnaissance, which involves the use of scanning utilities and customized filtering tools for the detection and categorization of FortiGate systems by location.

Lateral Movement

4 techniques
T1021.002 SMB/Windows Admin Shares (evidence: 1)

Once successful credentials are recovered, they can be weaponized for lateral movement, Active Directory reconnaissance, Kerberos verification, SMB authentication, and further network expansion...

T1021.004 SSH (evidence: 3)

Using persistent SSH access, FortigateSniffer harvests authentication data, while recovered hashed passwords are transferred to a dedicated cracking platform using distributed processing and automated task orchestration.

T1550 Use Alternate Authentication Material (evidence: 1)

Analysis showed that once FortiGate appliances were compromised, attackers deployed FortigateSniffer to covertly collect authentication traffic traversing the devices, allowing them to acquire both cleartext credentials and password hashes that were subsequently cracked, validated, and reused against Active Directory environments, VPN gateways, and other externally accessible enterprise services.

T1550.004 Web Session Cookie (evidence: 1)

In the final phase, the attacker uses additional custom tools to extract files from compromised SMB servers, replay HTTP session cookies captured by FortigateSniffer to access corporate web applications...

Collection

1 technique
T1039 Data from Network Shared Drive (evidence: 1)

Once successful credentials are recovered, they can be weaponized for lateral movement... as well as obtaining sensitive information from file shares accessible to the attacker...

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 6 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

xakep (News)
Jun 25, 2026
A sniffer purpose-built for FortiGate was used in the FortiBleed campaign - Хакер

Custom Go-based sniffer deployed on compromised FortiGate devices. It abuses the built-in FortiOS packet sniffing command to passively capture traffic across multiple protocols and steal plaintext passwords, NTLM and Kerberos hashes, tickets, tokens, session cookies, and other authentication material for later credential cracking and network access.

cyber security news (News)
Jun 24, 2026
FortiBleed Attack Hit 430,000+ FortiGate Firewalls, Stealing 110M+ Credentials

A custom Golang credential-harvesting tool used on compromised FortiGate firewalls to sniff live network traffic, extract usernames, passwords, password hashes, and replayable authentication material from multiple protocols.

cysecurity news (News)
Jun 24, 2026
FortigateSniffer Malware Harvests User Credentials From Infected Firewalls - CySecurity News - Latest Information Security and Hacking Incidents

A custom Golang-based credential interception utility deployed on compromised FortiGate firewalls. It leverages native FortiOS packet diagnostic capabilities to passively capture authentication traffic, extract cleartext credentials, NTLMv2 hashes, Kerberos tickets, session cookies, and other authentication artifacts, then supports cracking, validation, and reuse of recovered credentials for lateral movement and further access.

the hacker news (News)
Jun 23, 2026
FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

A Golang-based bespoke sniffer deployed on compromised FortiGate firewalls to passively capture authentication traffic, parse credentials across multiple protocols, and extract cleartext credentials and password hashes for reuse and lateral movement.
