Overview
- Amazon Threat Intelligence attributes the campaign to a Russian-speaking, financially motivated actor who operated from January 11 to February 18, 2026 using multiple commercial GenAI services to plan operations and generate tooling.
- The intrusions began with mass scanning of FortiGate management interfaces on ports 443, 8443, 10443 and 4443, followed by credential reuse attacks and theft of device configurations to establish VPN access.
- Once inside networks, the actor used AI-assisted recon tools written in Go and Python and deployed well-known offensive utilities to target Active Directory, extract NTLM hashes, move laterally and probe Veeam backup infrastructure.
- AWS reports the actor showed low-to-medium skill, referenced various CVEs such as CVE-2019-7192, CVE-2023-27532 and CVE-2024-40711, and frequently failed against patched or hardened systems before moving on.
- Amazon says it investigated and disrupted the activity, shared indicators of compromise with partners, and urged defenders to prioritize FortiGate audits, credential hygiene, network segmentation and post-exploitation detection; AWS infrastructure was not used in the campaign.
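As an added illustration of the post-exploitation and credential-reuse detection the report urges (not code from Amazon Threat Intelligence or the report itself), the script below flags sources that repeatedly fail admin logins across the listed FortiGate management ports and then succeed. The key=value log lines, field names and thresholds are constructed assumptions, not a verified FortiOS log schema.

```python
import re
from collections import defaultdict

# Management ports the report names as the scanned FortiGate interfaces.
MGMT_PORTS = {443, 8443, 10443, 4443}

# Constructed sample lines in a key=value style loosely modeled on FortiOS
# event logs; the field names are assumptions, not a verified schema.
SAMPLE_LOG = """\
date=2026-01-12 time=03:14:01 action="login" status="failed" user="admin" srcip=198.51.100.7 dstport=443 reason="passwd_invalid"
date=2026-01-12 time=03:14:03 action="login" status="failed" user="admin" srcip=198.51.100.7 dstport=8443 reason="passwd_invalid"
date=2026-01-12 time=03:14:05 action="login" status="failed" user="admin" srcip=198.51.100.7 dstport=10443 reason="passwd_invalid"
date=2026-01-12 time=03:14:09 action="login" status="success" user="admin" srcip=198.51.100.7 dstport=4443
date=2026-01-12 time=03:20:00 action="login" status="success" user="netops" srcip=10.0.5.4 dstport=443
date=2026-01-12 time=03:21:00 action="login" status="failed" user="netops" srcip=10.0.5.4 dstport=443 reason="passwd_invalid"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_suspicious_sources(log_text, fail_threshold=3):
    """Map srcip -> list of reasons for sources matching the report's pattern:
    repeated failed logins, probing of several management ports, or a
    successful login that follows a run of failures from the same source."""
    failures = defaultdict(list)   # srcip -> ports with failed admin logins
    successes = defaultdict(list)  # srcip -> (port, failures seen so far)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "login" or not ev.get("dstport", "").isdigit():
            continue
        port = int(ev["dstport"])
        if port not in MGMT_PORTS:
            continue  # only management-interface logins are in scope here
        if ev.get("status") == "failed":
            failures[ev["srcip"]].append(port)
        elif ev.get("status") == "success":
            successes[ev["srcip"]].append((port, len(failures[ev["srcip"]])))
    findings = {}
    for src, ports in failures.items():
        reasons = []
        if len(ports) >= fail_threshold:
            reasons.append("repeated_failed_logins")
        if len(set(ports)) >= 2:
            reasons.append("multi_port_probing")
        if any(prior >= 2 for _, prior in successes.get(src, [])):
            reasons.append("success_after_failures")  # credential reuse hit
        if reasons:
            findings[src] = reasons
    return findings
```

Sources that succeed first and only later fail once (a typo by a legitimate admin) produce no finding, so the order of events matters to the check.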