Malware

CyberStrike Harvester

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Credential Access

4 techniques

T1110Brute ForceEvidence1

The campaign does not depend on a malware payload; instead, it uses a credential pipeline that utilizes credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication capture processing.

T1110.003Password SprayingEvidence1

T1110.004Credential StuffingEvidence1

T1649Steal or Forge Authentication CertificatesEvidence1

FortiBleed is a large-scale credential compromise campaign that targets internet-facing Fortinet FortiGate firewalls and SSL VPN gateways.

INDICATORS OF COMPROMISE

IOCs tracked for this family

6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

4 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

ip.v4●●●●●●●●●●●●View more in apptoday

hash.md5●●●●●●●●●●●●View more in apptoday

hash.sha256●●●●●●●●●●●●View more in apptoday

hash.sha1●●●●●●●●●●●●View more in apptoday

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

malware newsNews

Jun 24, 2026

Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory - Malware News - Malware Analysis, News and Indicators

A credential-harvesting tool recovered during investigation of the FortiBleed campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways. The campaign is described as relying on credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication capture processing rather than a traditional malware payload.

arctic wolf blogNews

Jun 24, 2026

Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory - Arctic Wolf

A Go-based Linux credential-processing tool used in the FortiBleed campaign to ingest pcap, pcapng, and FortiGate-derived text artifacts and extract credentials, crackable hashes, cookies, tokens, sessions, and other authentication material for downstream validation and collection.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching6

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.