A Russian initial access broker has been running a custom credential sniffer on compromised FortiGate VPN appliances since February — 110 million credentials harvested, four months of dwell time, and most victims likely still don’t know. Today’s brief covers the FortiBleed attribution, a video-file RCE affecting nearly every media server in existence, a proxy bug older than most SOC analysts, and a botnet that’s building something more dangerous than a DDoS swarm.
In the News
Russian IAB Behind FortiBleed — 110M Credentials Siphoned Since February
SecurityWeek reported that the FortiBleed campaign has been formally attributed to a Russian initial access broker (IAB). The operator deployed a custom credential sniffer on compromised FortiGate VPN appliances, capturing authentication traffic at the network layer before TLS termination. The sniffer has been active since at least February 2026, and the estimated credential haul stands at 110 million.
The tactical significance here extends beyond the raw credential count. Initial access brokers monetize compromised access by selling it to ransomware operators, espionage groups, and other threat actors. Every credential captured by this sniffer represents a potential future intrusion — and the four-month dwell time means most victim organizations had no indication the sniffer was present. Traditional endpoint detection approaches miss this entirely because the sniffer operates at the appliance firmware level, below the OS where EDR agents run.
For defenders, the immediate action is threefold: hunt for indicators of compromise on FortiGate appliances, review VPN authentication logs for anomalous patterns dating back to February, and rotate every credential that has traversed the VPN. The broader lesson reinforces what ZTNA architecture discussions have been driving for years — exposed VPN appliances are a liability, and the attack surface they present is fundamentally harder to monitor than cloud-delivered secure access.
What defenders should do: Threat hunt FortiGate VPN appliances immediately, rotate all VPN-traversed credentials, review authentication logs back to February 2026, and evaluate ZTNA migration to eliminate the exposed appliance attack surface.
FFmpeg PixelSmash RCE — Crafted Video Files Execute Code on Media Servers
A remote code execution vulnerability in FFmpeg’s libavcodec library — dubbed PixelSmash — allows attackers to achieve arbitrary code execution by delivering a specially crafted video file. The attack surface is staggering: libavcodec is embedded in Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, OBS Studio, and virtually every NAS appliance that handles video transcoding or surveillance recording.
A proof-of-concept exploit is public, and exploitation has been observed in the wild. The upstream FFmpeg patch is available, but the real problem is downstream propagation. NAS firmware vendors, media server distributions, and containerized deployments all ship their own bundled libavcodec — and most have not yet released updated packages. Organizations running software composition analysis tooling should be scanning for libavcodec version strings across their environment immediately.
The attack vector is deceptively simple: deliver a malicious video file via email, file share, or upload portal. Any system that attempts to thumbnail, transcode, or play the file triggers the vulnerability. This bypasses network perimeter controls entirely — the payload is a valid media container until the codec processes the malformed pixel data.
What defenders should do: Audit all systems running FFmpeg or libavcodec, apply the upstream patch where possible, and monitor downstream vendors for updated firmware and packages. Restrict media file uploads to validated sources where feasible.
Squidbleed: 29-Year-Old Squid Proxy Bug Leaks Cleartext Credentials
A heap over-read vulnerability in Squid’s FTP parser — present since 1997 — allows any user sharing the same Squid proxy instance to read cleartext HTTP requests from other users’ sessions. This includes session tokens, authentication credentials, and request bodies. The bug is active in default configurations and requires no authentication or elevated access to exploit.
Squid remains deployed in ISPs, university networks, and enterprise environments where it serves as a forward web proxy. Many organizations have forgotten it exists — it runs on infrastructure provisioned years ago, often unmonitored. The vulnerability class is a heap over-read: the FTP parser reads beyond its allocated buffer and returns data from adjacent memory regions, which contain other users’ HTTP request data.
This is a textbook case for why zero trust architecture replaces shared-process trust models. A forward proxy that co-mingles user traffic in a single process is an architectural liability. Cloud-delivered secure web gateways and ZTNA solutions enforce per-session isolation that eliminates this class of cross-user data leakage entirely.
What defenders should do: Patch Squid immediately or decommission it. Rotate credentials for any user whose traffic traversed the proxy. Inventory your environment for forgotten Squid instances — they are more common than you think.
AryStinger Botnet Turns 4,300 Routers Into Recon Proxy Network
The AryStinger botnet has compromised over 4,300 legacy routers, but its purpose is not volumetric DDoS. Instead, infected routers function as a distributed proxy and reconnaissance network — scanning target networks, relaying command-and-control traffic, and obscuring the origin of pre-breach activity behind residential and small-business IP addresses.
This tactic is operationally significant because it makes traditional IP reputation and geolocation-based detection ineffective. Malicious scanning and C2 traffic originates from IP ranges that belong to legitimate ISP customers, not from known hosting providers or VPN exit nodes. Defenders relying on blocklists and reputation scoring will miss this traffic entirely. The correct detection approach requires behavioral analysis — identifying scanning patterns and proxy relay behavior from devices that should only be generating consumer traffic (MITRE ATT&CK: T1090.003 — Multi-hop Proxy, T1595.001 — Active Scanning: Scanning IP Blocks).
What defenders should do: Deploy IoT/OT network visibility to detect anomalous behavior from edge devices, enforce network segmentation that prevents compromised routers from reaching internal assets, and implement firmware lifecycle management for all network equipment.
Today’s Deep Dive — Supply Chain Threat Convergence: npm, WordPress, and WhatsApp
Three separate supply chain campaigns surfaced this week, each exploiting a different trust boundary.
npm ecosystem. North Korean threat actors have been confirmed behind the Mastra npm supply chain attack, with 140+ poisoned packages targeting cryptocurrency wallet credentials. Separately, three typosquatted packages posing as PostCSS tools (reported by The Hacker News) delivered a Windows RAT before takedown — 1,016 downloads in a month. Both campaigns exploit developer trust in package registries and the absence of software composition analysis in CI/CD pipelines (MITRE ATT&CK: T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain).
WordPress plugin ecosystem. ShapedPlugin’s Pro plugin build pipeline was compromised, with backdoored updates pushed through the official licensed update channel. This is particularly insidious because premium WordPress plugins update through vendor-controlled channels that site operators trust implicitly. The attack bypasses the WordPress.org plugin review process entirely.
WhatsApp as initial access vector. A VBScript campaign active across 10+ countries delivers fake business documents via WhatsApp Desktop and Web, installing ManageEngine RMM for persistent access. This bypasses email security gateways entirely — the delivery channel is a messaging platform that most organizations do not monitor or control (MITRE ATT&CK: T1566.003 — Phishing: Spearphishing via Service).
The common thread: attackers are exploiting trust boundaries that defenders have not instrumented. Package registries, plugin update channels, and messaging platforms all represent initial access vectors that fall outside traditional email and endpoint security controls.
Detection Spotlight
FortiGate VPN appliances compromised by the FortiBleed sniffer exhibit anomalous outbound data transfers — the captured credentials must be exfiltrated. This Splunk SPL query identifies FortiGate devices initiating unusual outbound connections to non-standard destinations, which may indicate sniffer exfiltration activity:
index=firewall sourcetype="fortigate_traffic"
action=allowed direction=outbound
srcip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
dstport!=443 dstport!=53 dstport!=80
| where src_zone="mgmt" OR src_zone="vpn"
| stats count dc(dstip) as unique_destinations sum(sentbyte) as total_bytes_out by srcip
| where unique_destinations > 5 AND total_bytes_out > 10485760
| sort -total_bytes_out
This query surfaces FortiGate management or VPN-zone IPs making outbound connections on non-standard ports to multiple unique destinations with significant data transfer volume. Expect false positives from legitimate management traffic (firmware updates, logging to SIEMs) — baseline your environment first. The high-fidelity signal is a VPN appliance IP sending large volumes to destinations not in your known management infrastructure list.
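The same detection worked through in Python over constructed FortiGate-style key=value lines, as an added example that is not part of the brief: it applies the query's filter clauses, then adds the known-management-destination allowlist that the baselining advice above calls for. Field names mirror the query; the zone labels, the allowlist address and every sample address and byte count are assumptions.

```python
import shlex
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Field names mirror the SPL query above; all addresses and values below are constructed, not real telemetry.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXCLUDED_PORTS = {"80", "443", "53"}   # ports the query drops before aggregating
WATCHED_ZONES = {"mgmt", "vpn"}
KNOWN_MGMT_DST = {"198.51.100.20"}     # assumed allowlist of known management destinations (e.g. SIEM collector)
# Constructed sample: one VPN-zone IP fans out to six hosts on 8443 (12 MiB total), plus decoys that
# must not fire: a large upload to the SIEM, a LAN-zone host, a port-443 flow and a denied flow.
SAMPLE_LOGS = [
    f"type=traffic srcip=10.10.0.5 src_zone=vpn dstip=203.0.113.{i} dstport=8443 "
    f"action=accept direction=outbound sentbyte=2097152" for i in range(10, 16)
] + [
    "type=traffic srcip=10.10.0.9 src_zone=mgmt dstip=198.51.100.20 dstport=514 action=accept direction=outbound sentbyte=52428800",
    "type=traffic srcip=10.20.0.3 src_zone=lan dstip=203.0.113.50 dstport=8443 action=accept direction=outbound sentbyte=52428800",
    "type=traffic srcip=10.10.0.5 src_zone=vpn dstip=203.0.113.99 dstport=443 action=accept direction=outbound sentbyte=52428800",
    "type=traffic srcip=10.10.0.7 src_zone=vpn dstip=203.0.113.60 dstport=8443 action=deny direction=outbound sentbyte=52428800",
]

def parse_kv(line):
    """Parse a FortiGate-style key=value log line; shlex keeps quoted values whole."""
    return {k: v for k, sep, v in (tok.partition("=") for tok in shlex.split(line)) if sep}

def is_private(ip):
    try:
        addr = ip_address(ip)
    except ValueError:            # malformed or missing srcip is never a candidate
        return False
    return any(addr in net for net in PRIVATE_RANGES)

def is_candidate(ev):
    """The SPL search clauses applied to one parsed event (native FortiGate logs say 'accept'; CIM says 'allowed')."""
    return (ev.get("action") in ("accept", "allowed") and ev.get("direction") == "outbound"
            and ev.get("src_zone") in WATCHED_ZONES and ev.get("dstport") not in EXCLUDED_PORTS
            and is_private(ev.get("srcip", "")))

def flag_exfil(lines, min_destinations=5, min_bytes=10 * 1024 * 1024):
    """Return {srcip: (unique_destinations, total_bytes_out)} for sources over both thresholds, largest first."""
    per_src = defaultdict(lambda: {"dst": set(), "bytes": 0})
    for line in lines:
        ev = parse_kv(line)
        if not is_candidate(ev) or ev.get("dstip") in KNOWN_MGMT_DST:
            continue              # the allowlist is the baselining step the brief asks for
        per_src[ev["srcip"]]["dst"].add(ev["dstip"])
        per_src[ev["srcip"]]["bytes"] += int(ev.get("sentbyte", 0))
    hits = {src: (len(s["dst"]), s["bytes"]) for src, s in per_src.items()
            if len(s["dst"]) > min_destinations and s["bytes"] > min_bytes}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1][1]))
```

Only the fan-out source survives both the query's filters and the allowlist; the large upload to the SIEM collector is suppressed even though it exceeds the byte threshold on its own.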
References
- Russian Initial Access Broker Behind FortiBleed Campaign — SecurityWeek
- FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances — SecurityWeek
- 29-Year-Old Squid Proxy Bug Squidbleed — The Hacker News
- AryStinger Malware Infects 4,300 Legacy Routers — The Hacker News
- North Korean Hackers Blamed for Mastra npm Supply Chain Attack — SecurityWeek
- ShapedPlugin WordPress Pro Plugins Backdoored — The Hacker News
- WhatsApp VBScript Campaign Uses Fake Business Docs — The Hacker News
- Malicious npm Packages Pose as PostCSS Tools — The Hacker News
- OpenAI Expands Daybreak with GPT-5.5-Cyber — The Hacker News
- Guarding AI Memory — Microsoft Security Blog
- Post-Quantum Cryptography Migration Executive Order — SecurityWeek
- Canada’s Spy Agency Used Threat Reduction Warrant — The Hacker News