{"id":10893,"date":"2026-02-24T10:03:40","date_gmt":"2026-02-24T10:03:40","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/24\/hackers-leverage-deepseek-and-claude-to-attack-fortigate-devices-worldwide\/"},"modified":"2026-02-24T10:03:40","modified_gmt":"2026-02-24T10:03:40","slug":"hackers-leverage-deepseek-and-claude-to-attack-fortigate-devices-worldwide","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/24\/hackers-leverage-deepseek-and-claude-to-attack-fortigate-devices-worldwide\/","title":{"rendered":"Hackers Leverage DeepSeek and Claude to Attack FortiGate Devices Worldwide"},"content":{"rendered":"<p>    Hackers Leverage DeepSeek and Claude to Attack FortiGate Devices Worldwide<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>In early February 2026, a significant cybersecurity threat emerged involving the sophisticated use of Large Language Models (LLMs) in active intrusion campaigns. <\/p>\n<p>A misconfigured server exposed a detailed software pipeline where threat actors integrated DeepSeek and Claude into their attack workflows. <\/p>\n<p>This discovery highlights a dangerous evolution in modern cybercrime, where AI tools are not just generating text but are embedded into the kill chain to automate complex offensive tasks against global targets.<\/p>\n<p>The attack infrastructure specifically targeted FortiGate SSL VPN appliances, utilizing stolen configuration data to breach networks effectively. <\/p>\n<p>By leveraging these <a href=\"https:\/\/cybersecuritynews.com\/best-5-compromised-credentials-tools\/\" id=\"121089\" target=\"_blank\" rel=\"noreferrer noopener\">compromised credentials<\/a>, the operators successfully mapped internal infrastructures and identified critical assets. <\/p>\n<p>The operation utilized custom-built tools to orchestrate these attacks, allowing for the simultaneous processing of thousands of targets without requiring manual intervention for every step of the intrusion process.<\/p>\n<p>Evidence indicates that over 2,500 devices across 106 countries were processed in parallel batches. <\/p>\n<p><a href=\"https:\/\/cyberandramen.net\/2026\/02\/21\/llms-in-the-kill-chain-inside-a-custom-mcp-targeting-fortigate-devices-across-continents\/\" id=\"https:\/\/cyberandramen.net\/2026\/02\/21\/llms-in-the-kill-chain-inside-a-custom-mcp-targeting-fortigate-devices-across-continents\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Cyber and Ramen analysts identified that the threat actors utilized a dual-model<\/a> approach, using DeepSeek to generate strategic attack plans based on reconnaissance data while employing Claude\u2019s coding capabilities to execute vulnerability assessments. <\/p>\n<p>This level of automation enabled even low-skilled operators to manage a massive volume of intrusions efficiently.<\/p>\n<h2 class=\"wp-block-heading\" id=\"automated-exploitation-workflow\"><strong>Automated Exploitation Workflow<\/strong><\/h2>\n<p>The core of this operation relies on two custom components named ARXON and CHECKER2. CHECKER2 functions as a Docker-based orchestrator that handles parallel VPN scanning, while ARXON acts as a Model Context Protocol (MCP) server. <\/p>\n<p>This bridge allows the attackers to feed specific network data into the LLMs, which then output actionable exploitation steps. For instance, the intrusion chain diagram\u00a0illustrates how the system moves from initial access to active exploitation.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgZv-JquUSx3iS0RPfCtpzddSbTxDAcp09rWEZQW3RI9p7pvvCsQuNPyt7k-0Vo0teMcVtGSvxIvCg0i-rfswEyTv8zcHhKEVYKERtFinnf7ASOAWEkqE2oNrdImjxs5Tht3G0_NWqseP5due_d-4SiIm6TV75kAnukHE7YTTtG8b9KI0V83C4aiGpB1tQ\/s16000\/Intrusion%2520chain%2520%28Source%2520-%2520Cyber%2520and%2520Ramen%29.webp?ssl=1\" alt=\"Intrusion chain (Source - Cyber and Ramen)\"><figcaption class=\"wp-element-caption\">Intrusion chain (Source \u2013 Cyber and Ramen)<\/figcaption><\/figure>\n<\/div>\n<p>Once inside a network, the system uses Claude to run <a href=\"https:\/\/cybersecuritynews.com\/threat-actors-exploit-ai-llm-tools\/\" id=\"106147\" target=\"_blank\" rel=\"noreferrer noopener\">offensive tools<\/a> like Impacket and Metasploit autonomously.\u00a0<\/p>\n<p>While the redacted snippet of the vulnerability assessment report found on the server\u00a0displays how the model documents its findings and suggests prioritized next steps, such as escalating privileges. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEglYkhuGz_V7nKjMUDfeYCDksxwj5CIsJAB2t_Oz2vZ4nB_inUCYGeSzPAJt5gMmD1ZMeBeIXLBvM0cvbVQS_c0yseEnoJU9YUeaSUXCjsbPWK-WM5f7tuKbBYgGSdhK44e1r8AmWAw01rjf6zvdReznlnYd6qDkGcO2897poI8uPzYEA73lKSxm9QUvj0\/s16000\/Redacted%2520snippet%2520of%2520the%2520vulnerability%2520assessment%2520report%2520found%2520on%2520the%2520server%2520%28Source%2520-%2520Cyber%2520and%2520Ramen%29.webp?ssl=1\" alt=\"Redacted snippet of the vulnerability assessment report found on the server (Source - Cyber and Ramen)\"><figcaption class=\"wp-element-caption\">Redacted snippet of the vulnerability assessment report found on the server (Source \u2013 Cyber and Ramen)<\/figcaption><\/figure>\n<\/div>\n<p>The exposed logs confirm that this automated system is actively targeting diverse sectors, including telecommunications.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi0q_2TklXewyZg16WkFvfZ7mrb3hgvNNv2GnGUYuFJVhci79_p2_MbZE2a9e0hlqqhQfBrvZhOKr9O2_e1PMab5B9u85OCJnpxALkaGtOPkZ5TCTdMjOFA_KVTYs9-_KRtMA0nnR48txlY0gU854a7ss-eTMlefEl2Y3NwaXpgYJzwbmUQZMyH8r0UVaU\/s16000\/Snippet%2520of%2520the%2520contents%2520of%2520deploy_output.log%2520showing%2520thousands%2520of%2520targets%2520across%2520the%2520world%2520%28Source%2520-%2520Cyber%2520and%2520Ramen%29.webp?ssl=1\" alt=\"Snippet of the contents of deploy_output.log showing thousands of targets across the world (Source - Cyber and Ramen)\"><figcaption class=\"wp-element-caption\">Snippet of the contents of deploy_output.log showing thousands of targets across the world (Source \u2013 Cyber and Ramen)<\/figcaption><\/figure>\n<\/div>\n<p>To mitigate these <a href=\"https:\/\/cybersecuritynews.com\/ai-powered-cyber-threats\/\" id=\"104600\" target=\"_blank\" rel=\"noreferrer noopener\">AI-driven threats<\/a>, organizations must prioritize patching edge devices immediately, as the speed of automated attacks leaves little room for delay. <\/p>\n<p>Security teams should regularly <a href=\"https:\/\/cybersecuritynews.com\/vpn-alternatives\/\" id=\"30432\" target=\"_blank\" rel=\"noreferrer noopener\">audit VPN<\/a> user accounts for unauthorized creations and monitor for unexpected SSH sessions. Additionally, verifying network configurations against known baselines can help detect the subtle modifications typical of this campaign.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 91%,rgb(169,184,195) 100%)\"><strong>Follow us on\u00a0<a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>,\u00a0and\u00a0<a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0<strong>Set CSN as a Preferred Source in\u00a0<a href=\"https:\/\/www.google.com\/preferences\/source?q=cybersecuritynews.com\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google<\/a>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-leverage-deepseek-and-claude\/\">Hackers Leverage DeepSeek and Claude to Attack FortiGate Devices Worldwide<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-leverage-deepseek-and-claude\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Leverage DeepSeek and Claude to Attack FortiGate Devices Worldwide In early February 2026, a significant cybersecurity threat emerged involving the sophisticated use of Large Language Models (LLMs) in active intrusion campaigns. A misconfigured server exposed a detailed software pipeline where threat actors integrated DeepSeek and Claude into their attack workflows. This discovery highlights a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-10893","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10893"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10893"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10893\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}