FortiBleed campaign used custom FortiGate sniffer to steal credentials

The FortiBleed campaign used a custom Golang tool called FortigateSniffer to abuse FortiOS's diagnose sniffer packet feature on compromised FortiGate firewalls. The tool monitors 24 protocols to harvest authentication secrets including RADIUS, NTLM, Kerberos, and LDAP credentials. The operation has targeted over 430,000 FortiGate devices since at least February 2026.