The research adds to the growing number of instances of lower-skilled bad actors using AI tools to generate threats and run scaled campaigns.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

Amazon Threat Intelligence researchers uncovered a Russian-speaking threat actor who used multiple commercial generative AI services to compromise over 600 Fortinet FortiGate appliances across 55+ countries in just five weeks. The attacker exploited exposed management ports and weak single-factor authentication credentials rather than zero-day vulnerabilities. AI tools were used throughout every phase of the operation — generating attack plans, custom reconnaissance tools in Go and Python, credential extraction scripts, and step-by-step exploitation instructions. After gaining access, the actor moved laterally to compromise Active Directory environments, harvest credentials, and target Veeam backup infrastructure — typical precursors to ransomware. Amazon notes the attacker's poor operational security exposed their full methodology, and warns that AI is lowering the technical barrier for cybercrime, enabling small or solo actors to operate at the scale previously requiring large skilled teams.

Attacker Breached 600 FortiGate Appliances in AI-Assisted Campaign: Amazon

‘Expect This Trend to Continue in 2026’