Hackers Pipeline FortiGate Attacks with DeepSeek and Claude; OpenClaw Compromises 30,000 Instances

Researchers discovered that threat actors have automated large‑scale FortiGate compromises by feeding reconnaissance data into DeepSeek and Claude, building a continuous attack pipeline, while a separate AI‑Agent framework, OpenClaw, was weaponized within 72 hours to hijack over 30,000 instances, exposing critical design flaws and prompting urgent mitigation guidance.

Black & White Path

AI‑Powered Automation of FortiGate Attacks

In early February 2026, security analysts identified a SimpleHTTP server (212.11.64.250:9999) exposing more than 1,400 files and 139 directories, including stolen FortiGate configurations, Active Directory mappings, credential hashes, exploit code, and a detailed attack manual. Hunt.io classified the host as an active C2 and relay node hosted by a Swiss service provider.

The leaked data linked to confirmed intrusions against an Asian media company, a Turkish telecom provider, and an industrial‑gas firm in the APAC region, with reconnaissance evidence targeting Korea, Egypt, Vietnam, and Kenya.

Historical telemetry showed the same host exposing similar directories in December 2025, indicating a persistent operation that directly modified FortiGate configurations across multiple countries.

DeepSeek: consumes reconnaissance output and FortiGate backups to generate structured attack plans, prioritising paths to Domain Admin, key credential locations, and high‑value internal assets such as Oracle databases and biometric devices.

Claude: generates vulnerability assessment reports and orchestrates common penetration tools (Impacket, Metasploit modules, hash‑cracking utilities) with minimal manual confirmation.

A custom Model Context Protocol (MCP) server named ARXON acts as a bridge between data and the models, maintaining a growing knowledge base per target. Its workflow: ingest stolen VPN/FortiGate configs → infer internal topology → invoke DeepSeek for attack planning → hand tasks to Claude for script generation or execution.

The parallel scanning component CHECKER2, written in Go and deployed via Docker, queued over 2,500 FortiGate devices across 100+ countries for automated access attempts.

A documented intrusion chain against the industrial‑gas company started from read‑only admin access on a FortiGate‑40F, harvested full configuration backups, extracted network segmentation, SSL‑VPN settings, 50 VPN user accounts, and LDAP bindings. Attackers likely leveraged CVE‑2019‑6693 to decrypt stored credentials, then used SSL‑VPN to move laterally, employing Impacket’s ntlmrelayx.py and targeting QNAP NAS and Veeam backup servers with disabled SMB signing.

Evolution from Open‑Source to Custom Exploitation Suite

December 2025 logs show attackers using the open‑source MCP framework HexStrike to let large models control penetration tools. By February 2026 they had replaced HexStrike with the self‑developed ARXON and CHECKER2 components, shifting from semi‑manual AI‑assisted testing to a fully automated pipeline targeting FortiGate edge devices.

Threat‑intel feeds link the infrastructure to a Russian‑speaking attacker who, between January and mid‑February 2026, compromised over 600 FortiGate firewalls in 55 countries, primarily exploiting exposed management interfaces and weak single‑factor credentials rather than zero‑day bugs.

OpenClaw Mass Exploitation

Within 72 hours of its public release, the open‑source AI‑Agent framework OpenClaw suffered a massive wave of attacks, resulting in more than 30,000 compromised instances running on the default port 18789.

OpenClaw is a high‑value target because it provides autonomous task execution, system‑level access, persistent memory, environment‑variable reading, and external API calls.

Risk: once attackers gain execution rights, they can steal data and act on behalf of the user, creating continuous control.

Attack Chain Details

Remote Code Execution (CVE‑2026‑25253): attackers achieved arbitrary command execution, then extracted environment variables, harvested API keys (OpenAI, GitHub, AWS), established persistent backdoors, and performed lateral movement.

"ClawHavoc" Supply‑Chain Attack (Jan 29): malicious setup scripts disguised as encryption tools deployed Atomic Stealer on macOS and a key‑logger on Windows, leveraging trusted GitHub accounts to bypass basic review.

Skill‑Market Poisoning: OpenClaw’s extensible skill marketplace lacks code‑signing; attackers uploaded backdoored skills that, upon automatic update, executed malicious code, stole OAuth tokens, and exfiltrated API keys, a classic automated supply‑chain pollution pattern.

Mass Public Exposure: scans in mid‑February revealed over 300,000 instances exposed on the default port, many without authentication, which were probed and exploited within minutes.

Impact Comparison

Traditional attacks: data leakage, single‑point loss, limited scope.

AI‑Agent attacks: active request forgery, automated credential abuse, propagation into internal systems, broader impact.

Structural Weaknesses in AI Agents

Default high‑privilege execution.

No system‑call restrictions.

Absence of skill‑signature verification.

Public default port exposure.

Lack of threat modelling.

Mitigation Recommendations for Enterprises

Isolation: run agents in containers or sandboxes, drop root privileges, restrict system calls.

Credential Management: avoid plaintext environment variables, use dedicated secret‑management solutions, enable short‑lived tokens.

Network Controls: block public management ports, enforce reverse‑proxy authentication, apply IP whitelisting.

Plugin Management: disable automatic updates, enforce code‑signing verification, maintain a whitelist of approved skills.

Behavior Monitoring: audit abnormal shell invocations, monitor outbound traffic, detect unusual file accesses.
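
The allowlist idea from the Plugin Management item, as an added example that is not taken from OpenClaw or from the original article: each reviewed skill is pinned to a SHA-256 digest of its files (hash pinning, used here as a simpler stand-in for signature verification), and anything unlisted or changed is refused. The skill directory layout, skill names and function names are hypothetical.

```python
import hashlib, hmac, os, tempfile

def tree_digest(root):
    """SHA-256 over every file's relative path and content, in sorted order."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic traversal order
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):          # links could point outside the skill
                raise ValueError(f"symlink not allowed in skill: {rel}")
            if os.path.isdir(full):
                continue
            with open(full, "rb") as f:
                data = f.read()
            # Length-prefix both fields so file boundaries cannot be shifted.
            for field in (rel.encode(), data):
                h.update(len(field).to_bytes(8, "big") + field)
    return h.hexdigest()

def verify_skill(name, root, allowlist):
    """Return (ok, reason). Load the skill only when ok is True."""
    pinned = allowlist.get(name)
    if pinned is None:
        return False, "not on allowlist"
    if not hmac.compare_digest(pinned, tree_digest(root)):
        return False, "content differs from reviewed version"
    return True, "matches pinned digest"

def demo():
    """Constructed example: review a skill, pin it, then simulate a silent update."""
    with tempfile.TemporaryDirectory() as d:
        skill = os.path.join(d, "summarize")
        os.makedirs(skill)
        with open(os.path.join(skill, "main.py"), "w") as f:
            f.write("def run(text):\n    return text[:100]\n")
        allowlist = {"summarize": tree_digest(skill)}      # pinned at review time
        before = verify_skill("summarize", skill, allowlist)
        with open(os.path.join(skill, "setup.sh"), "w") as f:  # file added by an update
            f.write("echo updated\n")
        after = verify_skill("summarize", skill, allowlist)
        unknown = verify_skill("crypto-helper", skill, allowlist)
    return before, after, unknown

if __name__ == "__main__":
    print(demo())
```

The allowlist itself has to live where the agent process cannot write to it, otherwise a compromised skill can re-pin itself.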

For FortiGate defenses, prioritize closing public management interfaces, enforce MFA on all VPN and management access, and promptly patch widely exploited vulnerabilities such as CVE‑2019‑6693 and newer FortiOS issues. Continuous monitoring for unauthorized VPN accounts, anomalous SSH logins, and silent policy changes is essential, as AI‑driven workflows dramatically shrink the window from initial compromise to domain‑admin control.
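
One way to watch for the unauthorized accounts and silent policy changes mentioned above is to diff successive configuration backups. The following is an added example, not code from the original article or from Fortinet; the two backup excerpts are constructed, and the list of watched sections is an assumption to adapt to the deployment.

```python
WATCHED = ("system admin", "user local", "firewall policy")  # accounts and policy

def parse_fortigate(text):
    """Parse FortiOS CLI config text into {section: {entry: {setting: value}}}."""
    sections, path = {}, []              # path = names of the open config/edit blocks
    for raw in text.splitlines():
        tok = raw.replace('"', "").split()   # quotes dropped; enough for diffing
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]))
            if tok[0] == "edit" and len(path) == 2:
                sections.setdefault(path[0], {}).setdefault(path[1], {})
        elif tok[0] in ("next", "end") and path:
            path.pop()
        elif tok[0] == "set" and len(tok) > 1 and path:
            entry = path[1] if len(path) > 1 else "-"
            key = "/".join(path[2:] + [tok[1]])   # nested blocks become a/b/key
            sections.setdefault(path[0], {}).setdefault(entry, {})[key] = " ".join(tok[2:])
    return sections

def diff_configs(old_text, new_text):
    """List (change, section, entry, detail) for the watched sections only."""
    old, new, out = parse_fortigate(old_text), parse_fortigate(new_text), []
    for sec in WATCHED:
        o, n = old.get(sec, {}), new.get(sec, {})
        out += [("added", sec, e, n[e]) for e in sorted(n.keys() - o.keys())]
        out += [("removed", sec, e, o[e]) for e in sorted(o.keys() - n.keys())]
        for e in sorted(o.keys() & n.keys()):
            delta = {k: (o[e].get(k), n[e].get(k))
                     for k in sorted(o[e].keys() | n[e].keys()) if o[e].get(k) != n[e].get(k)}
            if delta:
                out.append(("changed", sec, e, delta))
    return out

# Constructed backup excerpts (not real device data): the earlier and the later one.
BASELINE = """config firewall policy
edit 1
set dstaddr "app-servers"
next
end"""
CURRENT = BASELINE.replace('"app-servers"', '"all"') + """
config system admin
edit "svc-backup"
set accprofile "super_admin"
next
end"""

print(*diff_configs(BASELINE, CURRENT), sep="\n")
```

Run against scheduled backups, any "added" entry under `system admin` or `user local` that has no matching change ticket is worth an immediate look.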

[Figure: Attack chain diagram]
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
