A Single Operator Used DeepSeek and Claude to Breach 600 FortiGate Firewalls in 5 Weeks
Amazon Threat Intelligence uncovered a Russian-speaking threat actor using DeepSeek for attack planning, Claude for autonomous exploitation, and a custom MCP server called ARXON to breach 600+ FortiGate devices across 55 countries.

A financially motivated threat actor, likely a single individual, compromised more than 600 FortiGate firewall appliances across 55 countries in just five weeks. The operation was not remarkable for its sophistication. It was remarkable because the attacker outsourced most of the thinking to large language models.
Amazon Threat Intelligence published the findings on February 20, revealing that a Russian-speaking operator with "low-to-medium baseline technical capability" had woven at least two commercial LLM services into every phase of the kill chain: reconnaissance, attack planning, tool development, exploitation, and reporting. A parallel investigation by independent researcher cyberandramen identified the specific models and infrastructure involved, naming DeepSeek and Claude as the AI engines, and a custom Python-based MCP server called ARXON as the orchestration layer.
This is the first publicly documented case of an AI-powered cybercrime pipeline operating at continental scale.
The Kill Chain, Automated
The campaign ran from January 11 to February 18, 2026. Here is how the pieces fit together.
Phase 1: Scanning - A Go-based tool called CHECKER2 ran inside Docker containers, orchestrating parallel VPN scans against 2,516 targets across 106 countries. The tool probed FortiGate management interfaces on ports 443, 8443, 10443, and 4443 from IP 212.11.64[.]250.
Phase 2: Credential Abuse - No zero-days were needed. The attacker used commonly reused credentials against exposed management ports. Over 600 devices fell to what amounts to password guessing at scale.
Phase 3: Configuration Extraction - Compromised FortiGate configs yielded full network topologies, VPN credentials, LDAP configurations, and stored passwords. Python scripts leveraging CVE-2019-6693 decrypted the passwords from backup files using Fortinet's hardcoded cryptographic key.
Phase 4: AI-Powered Attack Planning - Extracted reconnaissance data was fed into ARXON, which called DeepSeek to generate tactical attack plans for each target. ARXON maintained a persistent knowledge base that grew with every compromised network.
Phase 5: Autonomous Exploitation - Claude's coding agent produced vulnerability assessments and executed offensive security tools (OSTs) during live intrusions. The operator had configured Claude to autonomously run Impacket, Metasploit, hashcat, and other offensive tools without requiring approval for each command.
What ARXON Actually Does
ARXON is not a publicly available tool. It is a custom Python-based MCP (Model Context Protocol) server that bridges LLM analysis with exploitation scripts. According to cyberandramen's analysis of the exposed server infrastructure, ARXON serves a dual role:
As an analysis platform, it ingests per-target reconnaissance data, calls DeepSeek to generate attack plans, and stores results in a persistent knowledge base that grows with each target.
As a toolkit, it contains batch SSH tools for FortiGate VPN account creation, user provisioning, and automated Domain Admin credential validation.
The operator's exposed SimpleHTTP server at 212.11.64[.]250:9999 contained 1,402 files across 139 subdirectories: stolen FortiGate configs, Active Directory maps, credential dumps, BloodHound collection data, Nuclei templates, and Veeam extraction tools.
Claude With the Safety Rails Off
Perhaps the most disturbing finding is how Claude was configured. Cyberandramen found a .claude directory on the server containing a settings.json file that pre-approved Claude Code to run offensive tools with hardcoded domain credentials belonging to an employee of a large media company in Asia.
This means the operator had Claude operating as an autonomous penetration testing agent against live production networks, executing DCSync attacks, NTLM relay attacks, and pass-the-hash lateral movement without human approval per action.
CVEs in the Crosshairs
The campaign referenced or actively exploited several known vulnerabilities:
| CVE | Target | Purpose |
|---|---|---|
| CVE-2019-6693 | FortiGate | Decrypt stored passwords from config backups |
| CVE-2025-33073 | Windows SMB | Privilege escalation |
| CVE-2023-27532 | Veeam Backup | Credential extraction from backup servers |
| CVE-2024-40711 | Veeam Backup | Additional exploitation vector |
| CVE-2019-7192 | QNAP NAS | Network storage access |
AWS noted that exploitation "largely failed against patched and hardened systems," underscoring that basic patch management still works, even against AI-augmented attackers.
From HexStrike to ARXON in Eight Weeks
The operator did not start with custom tools. In December 2025, they were using HexStrike, a publicly available open-source MCP framework that lets AI agents run 150+ cybersecurity tools. By February 2026, they had transitioned to ARXON and CHECKER2, custom-built tools with no public footprint.
The progression from open-source offensive AI framework to bespoke infrastructure took roughly eight weeks. This is the speed at which the ecosystem is being weaponized.
"This activity is distinguished by the threat actor's use of multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of their operations, despite their limited technical capabilities." - AWS Security Blog
The Geography of Compromise
Confirmed compromises span an Asia-Pacific industrial gas company, a Turkish telecom provider, and an Asian media conglomerate. Reconnaissance data referenced targets in South Korea, Egypt, Vietnam, Kenya, and medical equipment manufacturers.
AWS characterized the geographic spread as covering South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia.
IOCs
| Indicator | Active Period |
|---|---|
| 212.11.64[.]250 (Global-Data System IT, AS4264) | Jan 11 - Feb 18, 2026 |
| 185.196.11[.]225 (Kali Linux scanning infra) | Jan 11 - Feb 18, 2026 |
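A minimal log hunt for these indicators, added here as an example and not taken from the AWS or cyberandramen reports. It flags any event sourced from the two published IPs and any administrator login that succeeds after repeated failures from the same source, which is the credential-guessing pattern described in Phase 2. The key=value field names (`srcip`, `action`, `status`, `user`), the failure threshold, and the sample events are assumptions to adapt to your own log export.

```python
import re
from collections import defaultdict

# IOCs exactly as published on the page (defanged); refanged only in memory.
DEFANGED = ["212.11.64[.]250", "185.196.11[.]225"]
IOCS = {d.replace("[.]", ".") for d in DEFANGED}
FAIL_THRESHOLD = 3  # assumption: failures that make a later success suspicious
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split a key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def hunt(lines):
    """Return (rule, srcip, user) findings in log order."""
    findings, fails = [], defaultdict(int)
    for line in lines:
        ev = parse(line)
        src = ev.get("srcip")
        if not src:
            continue
        if src in IOCS:
            findings.append(("ioc_match", src, ev.get("user")))
        if ev.get("action") != "login":
            continue
        if ev.get("status") == "failed":
            fails[src] += 1
        elif ev.get("status") == "success":
            if fails[src] >= FAIL_THRESHOLD:
                findings.append(("success_after_failures", src, ev.get("user")))
            fails[src] = 0  # reset the streak after any successful login
    return findings

# Constructed sample events: documentation-range IPs plus one published IOC.
_T = 'date=2026-01-12 time={t} type="event" action="login" status="{s}" user="{u}" srcip={ip}'
SAMPLE = [
    _T.format(t="03:10:01", s="failed", u="admin", ip="203.0.113.9"),
    _T.format(t="03:10:02", s="failed", u="admin", ip="203.0.113.9"),
    _T.format(t="03:10:03", s="failed", u="admin", ip="203.0.113.9"),
    _T.format(t="03:10:05", s="success", u="admin", ip="203.0.113.9"),
    _T.format(t="04:00:00", s="success", u="ops", ip="192.0.2.10"),
    _T.format(t="05:30:00", s="failed", u="admin", ip=DEFANGED[0].replace("[.]", ".")),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```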
What This Changes
This was not a nation-state operation. It was not a sophisticated APT. It was a single, financially motivated individual with mediocre technical skills who used commercially available AI services to run simultaneous intrusions across dozens of countries.
The AI did not discover new vulnerabilities. It did not write novel exploits. What it did was remove the human bottleneck from a multi-target operation. One operator, assisted by DeepSeek for planning and Claude for execution, managed a campaign that would have previously required a team.
AWS's recommendation is blunt: "Strong defensive fundamentals remain the most effective countermeasure: patch management for perimeter devices, credential hygiene, network segmentation, and robust detection for post-exploitation indicators."
The uncomfortable reality is that AI-augmented cybercrime does not require a new class of defense. It requires doing the basics at a speed and consistency that most organizations have never managed.
- Disable exposed FortiGate management interfaces on public-facing ports immediately
- Enforce multi-factor authentication on all VPN and administrative access
- Patch CVE-2019-6693, CVE-2023-27532, and CVE-2024-40711 if not already applied
- Hunt for the published IOCs in your network logs
- Audit Claude and other AI tool configurations in your environment for unauthorized autonomous execution settings
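One way to carry out the last item, as an added example that is not part of the original article or of any vendor tooling. It walks a directory tree for `.claude/settings*.json` files and flags pre-approved offensive tools, unrestricted shell access, approval bypass, and credentials embedded in allow rules. The settings layout (`permissions.allow`, `permissions.defaultMode`), the matching heuristics, and the sample document are assumptions; the tool names come from the article.

```python
import json
import re
from pathlib import Path

# Tool names taken from the article; matching is a substring heuristic.
OFFENSIVE = ("impacket", "metasploit", "msfconsole", "hashcat")
# Heuristic for inline secrets: "password=" style or user:secret@host.
CRED = re.compile(r"(?i)pass(word)?\s*[=:]|\S+:[^\s@/]+@\S+")
BROAD = re.compile(r"^Bash(\(\s*\*?\s*\))?$")  # shell allowed with no command filter

def audit_config(cfg):
    """Return (issue, detail) pairs for one parsed settings document."""
    perms = cfg.get("permissions", {}) if isinstance(cfg, dict) else {}
    issues = []
    if perms.get("defaultMode") == "bypassPermissions":
        issues.append(("approval_bypassed", "defaultMode"))
    for rule in perms.get("allow", []):
        if BROAD.match(rule):
            issues.append(("unrestricted_shell", rule))
        if any(tool in rule.lower() for tool in OFFENSIVE):
            issues.append(("offensive_tool_preapproved", rule))
        if CRED.search(rule):
            issues.append(("credential_in_rule", rule))
    return issues

def audit_tree(root):
    """Audit every .claude/settings*.json under root; map path -> issues."""
    report = {}
    for path in Path(root).rglob(".claude/settings*.json"):
        try:
            issues = audit_config(json.loads(path.read_text()))
        except (OSError, ValueError):
            issues = [("unreadable", path.name)]
        if issues:
            report[str(path)] = issues
    return report

# Constructed sample; the credentialed rule is a placeholder, not a real command.
SAMPLE = {"permissions": {"defaultMode": "bypassPermissions", "allow": [
    "Bash(npm run lint)",
    "Bash(hashcat:*)",
    "Bash(impacket-tool EXAMPLE/user:PLACEHOLDER@dc01.example)",
]}}

if __name__ == "__main__":
    for issue in audit_config(SAMPLE):
        print(issue)
```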
Sources:
- LLMs in the Kill Chain: Inside a Custom MCP Targeting FortiGate Devices Across Continents - cyberandramen
- AI-augmented threat actor accesses FortiGate devices at scale - AWS Security Blog
- AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries - The Hacker News
- Amazon: AI-assisted hacker breached 600 FortiGate firewalls in 5 weeks - BleepingComputer