In early February 2026, threat actors were discovered to be leveraging Large Language Models (LLMs) like DeepSeek and Claude in sophisticated active intrusion campaigns targeting FortiGate SSL VPN appliances globally. This alarming development signals a significant evolution in cybercrime, where advanced AI tools are integrated directly into the attack lifecycle to automate complex offensive operations and bypass traditional security measures.
A misconfigured server exposed the detailed software pipeline used by these threat actors, revealing how they combined these AI models into their workflows. This infrastructure facilitated the mass exploitation of FortiGate devices by using stolen configuration data to gain unauthorized access to internal networks. The actors successfully mapped internal infrastructures and identified critical assets leveraging these compromised credentials, enabling simultaneous processing of thousands of targets without manual intervention for each stage of the intrusion.
Evidence gathered indicates that over 2,500 devices across 106 countries were systematically targeted. Cyber and Ramen analysts identified a dual-model approach where DeepSeek was used to generate strategic attack plans based on initial reconnaissance data, while Claude’s coding capabilities were employed for automated vulnerability assessments. This level of automation allows even less-skilled operators to manage a substantial volume of intrusions efficiently, democratizing sophisticated cyber attacks.
Automated Exploitation Workflow Enhanced by AI
The core of this operation relies on custom-built components to orchestrate the attacks. Two key components, ARXON and CHECKER2, were identified. CHECKER2 functions as a Docker-based orchestrator responsible for parallel VPN scanning, while ARXON serves as a Model Context Protocol (MCP) server. This integration creates a bridge, allowing attackers to feed specific network data directly into the LLMs, which then output actionable exploitation steps.
The intrusion chain diagram illustrates how the system progresses from initial access through reconnaissance to active exploitation. Once inside a compromised network, the automated system leverages Claude to autonomously execute offensive tools such as Impacket and Metasploit. A redacted snippet from a vulnerability assessment report found on the exposed server displays how the LLM documents its findings and suggests prioritized next steps, including privilege escalation, to the threat actors.
Exposed logs confirm that this automated system is actively targeting a diverse range of sectors, including telecommunications companies. The extensive reach and automation highlight the urgent need for enhanced cybersecurity measures to combat AI-driven threats. The speed at which these automated attacks can be launched leaves organizations with very little time to respond.
To mitigate these evolving AI-driven threats, organizations must prioritize the immediate patching of edge devices, particularly VPN appliances. Security teams are advised to regularly audit VPN user accounts for any unauthorized creations and to vigilantly monitor for unexpected SSH sessions, which can be indicators of compromise. Furthermore, verifying network configurations against known baselines can assist in detecting the subtle modifications characteristic of this new wave of attacks.
The continued development and deployment of such AI-enhanced attack methodologies suggest that threat actors will increasingly rely on these tools for efficiency and scale. Organizations that fail to adapt their defenses to account for AI-driven automation risk falling victim to increasingly sophisticated and widespread cyber intrusions. The effectiveness of LLMs in automating complex cyber attack sequences necessitates a proactive and adaptive approach to cybersecurity, focusing on rapid threat detection and automated response capabilities.