A significant surge in credential stuffing attacks is fundamentally altering the landscape of corporate network intrusions. Threat actors are increasingly bypassing traditional security exploits, opting instead to gain access through stolen passwords targeting corporate Single Sign-On (SSO) gateways, with a particular focus on F5 BIG-IP interfaces. This new wave of attacks is fueled by widespread infections of infostealer malware, which silently pilfers credentials from employee devices.
The concerning trend was first highlighted on February 23, 2026, when the threat intelligence firm Defused Cyber identified a large-scale credential stuffing campaign. Their monitoring systems detected POST requests originating from a single IP address, 219.75.254.166, linked to OPTAGE Inc. in Japan. The attacker was systematically submitting combinations of corporate email addresses and passwords. What distinguished this campaign was not its sheer volume but its apparent precision, with credentials seemingly belonging to legitimate employees of major multinational corporations and government agencies.
Analysis by infostealer experts, who cross-referenced the captured data with Hudson Rock’s global cybercrime database, revealed the true provenance of these credentials. Out of 70 unique email and password pairs observed in the attack logs, a remarkable 54 were directly matched to known infostealer infection records, representing an over 77% match rate. These were not credentials compromised through a conventional data breach of F5 devices; rather, they were harvested from employee endpoints infected with infostealer malware. The subsequent redirection of these stolen logins towards external infrastructure, including Active Directory Federation Services (ADFS), Security Token Service (STS), and Outlook Web App (OWA) portals, confirms that infostealers have evolved beyond simple data theft to facilitate coordinated network intrusions.
The scope of the breach was extensive, encompassing credentials from employees of prominent organizations such as Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Cellebrite, the Belgian Police, and Queensland Police. Additionally, staff from a Turkish government ministry and employees of major retail conglomerates were affected. Attackers cast a wide net, understanding that even a limited number of valid credentials, particularly against organizations lacking robust multi-factor authentication, could provide a crucial entry point.
The infrastructure employed in the attack also raised alarms. The source IP address was traced to a compromised Fortinet FortiGate-60E firewall belonging to OPTAGE Inc. in Japan. This device, exhibiting open ports 541/tcp and 10443/tcp and a self-signed SSL certificate, indicated that attackers were routing their malicious traffic through an already hijacked edge device in order to attack other edge devices. This dual-threat approach, combining stolen identities with compromised network infrastructure, presents a significant detection challenge.
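As an added illustration (not code from the article, Defused Cyber or Hudson Rock), the following Python sketches the two analysis steps described above: flagging a source IP that sprays many distinct corporate logins against an SSO endpoint within a short window, and cross-referencing those logins with infostealer infection records to compute a match rate like the 54-of-70 figure. The log format, addresses, accounts and infection set are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample SSO gateway log (not article data; RFC 5737 test addresses):
# "<timestamp> <source ip> POST <path> user=<submitted login> status=<http status>"
SAMPLE_LOG = """\
2026-02-23T10:00:01Z 203.0.113.7 POST /my.policy user=a.lee@corp-a.example status=401
2026-02-23T10:00:04Z 203.0.113.7 POST /my.policy user=b.kim@corp-a.example status=401
2026-02-23T10:00:09Z 203.0.113.7 POST /my.policy user=c.roy@corp-b.example status=401
2026-02-23T10:00:15Z 203.0.113.7 POST /my.policy user=d.ali@ministry.example status=401
2026-02-23T10:00:21Z 203.0.113.7 POST /my.policy user=e.sun@corp-b.example status=302
2026-02-23T10:00:30Z 198.51.100.2 POST /my.policy user=f.fox@corp-a.example status=401
2026-02-23T10:01:02Z 198.51.100.2 POST /my.policy user=f.fox@corp-a.example status=302
"""
# Constructed stand-in for an infostealer-infection feed: accounts whose saved
# browser credentials are known to have been harvested from an infected endpoint.
KNOWN_INFECTED = {"a.lee@corp-a.example", "c.roy@corp-b.example",
                  "d.ali@ministry.example", "e.sun@corp-b.example"}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) "
                     r"user=(?P<user>\S+) status=(?P<status>\d+)$")
def parse_line(line):
    """Return a record for a login POST line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec
def find_stuffing_sources(log_text, window=timedelta(minutes=10), min_users=4, min_domains=2):
    """Flag source IPs that submit many distinct logins from several organisations
    within one window: the spray pattern of a stuffing run, not one user retrying."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over the time-ordered attempts
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            users = {r["user"] for r in recs[start:end + 1]}
            if len(users) >= min_users and len({u.split("@")[-1] for u in users}) >= min_domains:
                flagged[ip] = sorted({r["user"] for r in recs})  # every login this IP tried
                break
    return flagged
def infostealer_overlap(users, infected=KNOWN_INFECTED):
    """Cross-reference submitted logins with infection records: (matched, total, rate)."""
    matched = sorted(set(users) & infected)
    return matched, len(users), (len(matched) / len(users) if users else 0.0)
```

The single retrying user at 198.51.100.2 is left alone, while the spraying address is flagged and its submitted logins are scored against the infection set.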
The “Log-to-Lead” Pipeline: Identity as the New Perimeter
The most technically significant aspect of this ongoing threat is what security researchers are terming the “Log-to-Lead” pipeline. This represents an industrialized process designed to convert raw data acquired through infostealer malware infections into actionable corporate network access within a matter of days. Once an employee’s device is compromised by infostealer malware, the malicious software silently extracts all saved credentials from web browsers, including master passwords for SSO and ADFS. These harvested credentials are then aggregated, filtered based on corporate domain relevance, and subsequently sold to Initial Access Brokers on dark web marketplaces.
Attackers then procure these credential packages and systematically test them against corporate edge devices. The process continues at scale until a valid login is discovered. This operational model is underpinned by the concept of “functional equivalence.” Many devices, such as F5 BIG-IP, are configured to accept the same master credentials used for internal portals and Windows logins. Consequently, when an attacker obtains an ADFS password from an infostealer log, that identical credential may also grant access to VPNs, SSO portals, or remote access gateways. In essence, the attacker is not exploiting a software vulnerability but rather utilizing a stolen key to enter through the front door, redefining the perimeter around authenticated identity.
To counter this escalating threat, organizations are strongly advised to implement phishing-resistant multi-factor authentication across all edge devices and SSO portals. Continuous monitoring of employee credentials on the dark web and through cybercrime intelligence feeds can provide early warnings before these credentials are weaponized in stuffing campaigns. Eliminating password reuse across internal systems through strict policy enforcement is critical. Furthermore, robust endpoint security controls should be in place to detect and neutralize infostealer infections before harvested credentials can be exfiltrated. Educating employees about the risks of saving passwords in the browser is also paramount, as this common habit directly feeds the infostealer pipeline behind these attacks.