AI in the Kill Chain: DeepSeek and Claude Used to Attack FortiGate Devices Worldwide

In February 2026, researchers uncovered a major cyber campaign that integrated Large Language Models (LLMs) directly into the attack pipeline. This marks a dangerous evolution in cybercrime: AI tools are no longer just writing text—they’re embedded into the kill chain, automating complex offensive tasks against global targets.

What Happened

  • A misconfigured server exposed the attackers’ software pipeline, revealing how DeepSeek and Claude were used together.
  • DeepSeek generated strategic attack plans based on reconnaissance data.
  • Claude executed vulnerability assessments and ran offensive tools like Impacket and Metasploit autonomously.
  • Custom components named ARXON (Model Context Protocol server) and CHECKER2 (Docker-based orchestrator) enabled parallel VPN scanning and exploitation.

Scale of the Campaign

  • Over 2,500 FortiGate SSL VPN devices across 106 countries were processed in parallel batches.
  • Attackers leveraged stolen configuration data to breach networks, map infrastructures, and identify critical assets.
  • Logs confirmed targeting across diverse sectors, including telecommunications.

Why It Matters

  • Automation at scale: Even low-skilled operators could run thousands of intrusion attempts in parallel.
  • AI-powered assembly line: Reconnaissance → AI-generated plan → Automated exploitation → Privilege escalation.
  • Lower barrier to entry: Capabilities once reserved for advanced threat groups are now accessible to financially motivated actors.

Defensive Recommendations

Organizations must act quickly to counter AI-driven threats:

  • Patch edge devices immediately—FortiGate SSL VPN appliances are high-value targets.
  • Audit VPN accounts for any that were created without authorization.
  • Monitor for unexpected SSH sessions and subtle configuration changes.
  • Verify network baselines to detect anomalies introduced by automated exploitation.
  • Harden backups—isolate servers and patch known vulnerabilities (e.g., Veeam CVEs).
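As an added example (not code from the article, the researchers, or Fortinet), the following Python script applies the log-based checks above to constructed event-log lines written in FortiGate's key=value syslog style: admin SSH logins from a host that is not the jump host, creation of local user objects that could serve as rogue VPN accounts, configuration changes outside a maintenance window, and a newly created account already bringing up a VPN tunnel. The field names (ui, cfgpath, cfgobj, action, logdesc, remip), the allow-listed admin host 10.0.0.5, the 22:00 to 23:59 change window and the sample records are all assumptions; map them to what your own devices actually emit before relying on the checks.

```python
"""Detection checks over constructed FortiGate-style event-log lines.

Added example for this article; not tooling from the campaign or from Fortinet.
The key=value lines below imitate FortiGate's event-log syntax, but the exact
field names and values are assumptions.
"""
import re
from datetime import datetime, time

# Assumed environment facts; adjust to your own network.
ALLOWED_ADMIN_HOSTS = {"10.0.0.5"}                    # the only host admins should SSH from
CHANGE_WINDOW = (time(22, 0, 0), time(23, 59, 59))    # approved maintenance window

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_RE = re.compile(r'^(?P<channel>\w+)\((?P<src>[^)]+)\)$')

# Constructed sample records (not real device output).
SAMPLE_LOG = [
    'date=2026-02-10 time=09:14:02 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.77)" action="login" status="success"',
    'date=2026-02-10 time=09:15:10 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Object configured" user="admin" ui="ssh(203.0.113.77)" action="Add" '
    'cfgpath="user.local" cfgobj="svc_backup" msg="Add user.local svc_backup"',
    'date=2026-02-10 time=22:30:00 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="netops" ui="https(10.0.0.5)" action="Edit" '
    'cfgpath="system.interface" cfgobj="port1" cfgattr="description[-> uplink]"',
    'date=2026-02-10 time=09:20:00 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="ssh(10.0.0.5)" action="login" status="success"',
    'date=2026-02-10 time=09:21:33 devname="fw-edge-01" type="event" subtype="vpn" '
    'logdesc="SSL VPN tunnel up" user="svc_backup" remip=198.51.100.8 action="tunnel-up"',
]


def parse_fortigate_line(line):
    """Turn one key=value event-log line into a dict, dropping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def admin_channel(fields):
    """Split ui="ssh(10.0.0.5)" into ("ssh", "10.0.0.5"); (None, None) if absent."""
    m = UI_RE.match(fields.get("ui", ""))
    return (m.group("channel"), m.group("src")) if m else (None, None)


def in_change_window(fields):
    """True when the record's time falls inside CHANGE_WINDOW (or no time is present)."""
    raw = fields.get("time")
    if not raw:
        return True
    t = datetime.strptime(raw, "%H:%M:%S").time()
    return CHANGE_WINDOW[0] <= t <= CHANGE_WINDOW[1]


def analyse(lines):
    """Return (check, subject, detail) tuples for the suspicious records in `lines`."""
    findings = []
    new_accounts = set()
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("type") != "event":
            continue
        channel, src = admin_channel(f)
        # Admin SSH session from a host that is not the jump host.
        if f.get("action") == "login" and channel == "ssh" and src not in ALLOWED_ADMIN_HOSTS:
            findings.append(("ssh_login_unexpected_host", f.get("user"), src))
        # A local user object was added: candidate rogue VPN account.
        if f.get("action") == "Add" and f.get("cfgpath") == "user.local":
            new_accounts.add(f.get("cfgobj"))
            findings.append(("vpn_user_created", f.get("cfgobj"), f.get("user")))
        # Any configuration object touched outside the maintenance window.
        if f.get("subtype") == "system" and "cfgpath" in f and not in_change_window(f):
            findings.append(("config_change_outside_window", f["cfgpath"], f.get("time")))
        # The freshly created account is already being used to bring up a VPN tunnel.
        if f.get("subtype") == "vpn" and f.get("action") == "tunnel-up" and f.get("user") in new_accounts:
            findings.append(("new_account_used_for_vpn", f.get("user"), f.get("remip")))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script flags the SSH login from 203.0.113.77, the creation of svc_backup, that same change landing outside the window, and the tunnel svc_backup then opens from 198.51.100.8; the netops login from the jump host and the in-window interface edit are left alone. Correlating account creation with the account's first VPN use is the check that separates a forgotten admin task from an operator-built foothold, so in practice feed it a longer look-back than a single log batch.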

Final Thought

This campaign demonstrates how LLMs are reshaping cybercrime economics. By embedding AI into the kill chain, attackers can scale operations far beyond their skill level. For defenders, the lesson is urgent: speed matters. Patch fast, monitor continuously, and assume adversaries are already experimenting with AI‑augmented intrusion pipelines.
