Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomware

FortigateSniffer

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1078Valid AccountsEvidence1

With valid SSH credentials, attackers logged into each compromised FortiGate and injected FortigateSniffer, turning the device into a passive listener.

T1133External Remote ServicesEvidence1

With valid SSH credentials, attackers logged into each compromised FortiGate and injected FortigateSniffer, turning the device into a passive listener.

Persistence

2 techniques
T1078Valid AccountsEvidence1

With valid SSH credentials, attackers logged into each compromised FortiGate and injected FortigateSniffer, turning the device into a passive listener.

T1133External Remote ServicesEvidence1

With valid SSH credentials, attackers logged into each compromised FortiGate and injected FortigateSniffer, turning the device into a passive listener.

Privilege Escalation

1 technique
T1078Valid AccountsEvidence1

With valid SSH credentials, attackers logged into each compromised FortiGate and injected FortigateSniffer, turning the device into a passive listener.

Stealth

2 techniques
T1078Valid AccountsEvidence1

With valid SSH credentials, attackers logged into each compromised FortiGate and injected FortigateSniffer, turning the device into a passive listener.

T1564Hide ArtifactsEvidence1

The tool also incorporates two evasion techniques: GeoIP-based filtering (using a binary-search-optimized ipgeo.csv ) and business-hour scheduling, restricting active sniffing to 07:00–18:00 Moscow Time to minimize anomaly alerts during off-hours.

Credential Access

6 techniques
T1040Network SniffingEvidence3

Rather than deploying malware, the tool abuses FortiOS’s own built-in diagnostic command diagnose sniffer packet to passively intercept all authentication traffic traversing a compromised firewall across 24 protocols, including RADIUS, NTLM, Kerberos, LDAP, RDP, SMB, MSSQL, FTP, Telnet, and WinRM.

T1110Brute ForceEvidence1

The company says the threat actor deployed a credential-harvesting sniffer framework called "FortigateSniffer" on compromised FortiGate devices after first gaining administrative access via credential stuffing and brute-force attacks.

T1110.004Credential StuffingEvidence1

The researchers say the threat actor behind this campaign serves as an initial access broker (IAB), using credential stuffing, brute-force attacks, credential harvesting, and offline password cracking to obtain access to corporate networks.

T1558Steal or Forge Kerberos TicketsEvidence1

Once sniffed, the raw SSH terminal output is converted into .pcapng format by the SNIFTRAN engine, then processed through a PCAP Deep Analysis Toolkit (v5.0) that extracts cleartext credentials, NTLMv2 hashes, Kerberos TGS/ASREP tickets, and session cookies.

T1558.003KerberoastingEvidence1

Once sniffed, the raw SSH terminal output is converted into .pcapng format by the SNIFTRAN engine, then processed through a PCAP Deep Analysis Toolkit (v5.0) that extracts cleartext credentials, NTLMv2 hashes, Kerberos TGS/ASREP tickets, and session cookies.

T1558.004AS-REP RoastingEvidence1

Once sniffed, the raw SSH terminal output is converted into .pcapng format by the SNIFTRAN engine, then processed through a PCAP Deep Analysis Toolkit (v5.0) that extracts cleartext credentials, NTLMv2 hashes, Kerberos TGS/ASREP tickets, and session cookies.

Discovery

1 technique
T1040Network SniffingEvidence3

Rather than deploying malware, the tool abuses FortiOS’s own built-in diagnostic command diagnose sniffer packet to passively intercept all authentication traffic traversing a compromised firewall across 24 protocols, including RADIUS, NTLM, Kerberos, LDAP, RDP, SMB, MSSQL, FTP, Telnet, and WinRM.

Lateral Movement

1 technique
T1021.004SSHEvidence1

This tool reportedly connects to FortiGate devices over SSH and launches the FortiOS diagnose sniffer packet command.

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
6 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
ip.v4●●●●●●●●●●●●View more in apptoday
ip.v4●●●●●●●●●●●●View more in apptoday
hash.sha256●●●●●●●●●●●●View more in apptoday
hash.sha256●●●●●●●●●●●●View more in apptoday
ip.v4●●●●●●●●●●●●View more in apptoday
ip.v4●●●●●●●●●●●●View more in apptoday
ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
cyber security newsNews
Jun 23, 2026
Hackers Using FortigateSniffer Tool That Turns Compromised Firewalls Into Password Collectors - Cyber Security News

A custom Golang-based credential-harvesting tool used against FortiGate firewalls. It passively captures authentication traffic via FortiOS diagnostic sniffing, converts output to PCAPNG, and extracts cleartext credentials, NTLMv2 hashes, Kerberos tickets, and session cookies. It also uses GeoIP filtering and business-hour scheduling for evasion.

Read more
bleeping computerNews
Jun 22, 2026
FortiBleed campaign used custom FortiGate sniffer to steal credentials

A Golang-based credential-harvesting sniffer deployed on compromised FortiGate devices. It abuses the legitimate FortiOS diagnose sniffer packet feature to capture authentication traffic and steal credentials, password hashes, Kerberos tickets, NTLM material, and other authentication secrets from multiple protocols.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching8

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping10

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.