
LLMs in the Kill Chain: Inside a Custom MCP Targeting FortiGate Devices Across Continents

In early February 2026, a misconfigured server with more than one thousand files was found exposed to the internet. Among them were stolen firewall configs, Active Directory maps, credential dump output, and detailed attack plans targeting organizations spanning multiple continents. What made this particular server different from the others was a software pipeline integrating large language models (LLMs) directly into the intrusion workflow.

A historical review of the same server revealed a previous exposure in December 2025 containing similar tooling alongside additional victim data, separate from that mentioned above.

It’s worth noting that the models used in this case were not involved in writing exploits or discovering zero-days. Instead, they were used for triaging compromised targets and generating attack plans fast enough to keep multiple intrusions moving concurrently.

Key Findings

  • An open directory exposed the full toolkit of an active intrusion campaign with confirmed victims in at least 5 countries. An earlier exposure in December revealed activity dating back at least two months.
  • The malicious operation automates backdoor creation on compromised Fortinet appliances, then connects to victim networks, maps internal infrastructure, and feeds results to language models for analysis.
  • DeepSeek is used to generate attack plans from reconnaissance data. Claude’s coding agent produced vulnerability assessments during the intrusions and was configured to execute offensive tools on the victim systems.
  • A previously unreported model context protocol (MCP) server acts as a bridge to the language models, maintaining a knowledge base which grows with each target.
  • Between the two time frames observed, the actor evolved from using an open-source offensive MCP tool to a fully automated exploitation system.

Discovery

While reviewing open directories using Hunt.io’s Attack Capture, a server running SimpleHTTP version 0.6 on Python 3.13.9 caught my eye. The directory hosted over 1,000 files totaling 23 MB.

Figure 1: Attack Capture view of the suspicious open directory at 212.11.64[.]250:9999

The server at 212.11.64[.]250:9999, hosted on AS4264 (Global-Data System IT Corporation, Zurich, Switzerland), contained 1,402 files across 139 subdirectories. Folders within the directory included CVE exploit code, FortiGate configuration files, Nuclei scanning templates and Veeam credential extraction tools. Two folders named claude-0 and claude contained over 200 files between the two, including Claude Code task outputs, session diffs, and cached prompt states. A folder titled fortigate_27.123 (full IP redacted) held configuration data and credentials from what appeared to be a compromised FortiGate appliance.

A review of the IP through Hunt’s summary page highlighted a second exposed directory from mid-December 2025. The earlier instance contained a copy of HexStrike, an open-source offensive security framework that enables large language models to run penetration testing tools using the MCP.

The server also hosted BloodHound collection data, output from exploit code, attack reports, and a .claude directory with a settings.json file in it. The file pre-approved Claude Code to autonomously run Impacket, Metasploit, hashcat, and other offensive tools using hardcoded domain credentials belonging to an employee of a large media company based in Asia.

Figure 2: IP summary in Hunt showing the historical open directory information for the server.

Moving back to the more recent set of files, the same IP appeared in operational logs as the source address for SSH sessions used to modify FortiGate appliance configurations across multiple countries. This confirms the server was not merely a storage repository, but actively participating in the intrusion.

Between the two directories, the data within the files and folders pointed to confirmed compromises affecting an industrial gas company in the Asia-Pacific region, a telecom provider in Turkey, and the media company identified in December. Additional reconnaissance information referenced targets in South Korea, Egypt, Vietnam, and Kenya, along with code targeting a medical equipment manufacturer.

From Fortigate to Domain Admin

The most complete intrusion data observed targeted the aforementioned gas company. Although the recovered documents do not indicate how the FortiGate appliance was initially compromised, the threat actor was already in possession of admin credentials. From this point forward, active exploitation will be documented by reviewing the most pertinent files, including where language models entered the attack workflow.

Figure 3: Intrusion chain diagram

Config Extraction

Reading through the documents within the fortigate_27.123* folder indicated the starting point was a FortiGate-40F appliance at a branch office, accessed through a read-only admin account (Technical_support). Despite the limited permissions, the account was able to extract the full backup configuration exposing network topology for: the headquarters network, a branch office subnet, guest and management networks, and SSL VPN settings including all configured user accounts.

A markdown file labeled EXTRACTED_DATA_SUMMARY.md within the same directory cataloged the data in detail, listing 50 VPN user accounts by name and employee ID, LDAP server settings and the address of a second FortiGate appliance. The document also included the organization’s domain controller (DC) details, and concluded with prioritized next steps for further exploitation.

Credential Harvesting

The configuration included an LDAP bind configuration for authenticating VPN users against Active Directory, including the domain controller address and the bind account. The bind password was stored in Fortinet’s encrypted ENC format. Two Python scripts on the server linked to CVE-2019-6693 likely decrypted all passwords from the backup file.

A vulnerability assessment report generated later in the intrusion confirmed the username/password were valid, documenting successful commands run against the domain controller.
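Once a backup like this has left the device, every secret stored in ENC form should be treated as recoverable and rotated. The sketch below is an added example, not code from the exposed server or from Fortinet: it lists which secrets in a backup need rotation and does no decryption. The sample config and its placeholder blobs are constructed.

```python
import re

# Constructed FortiGate backup fragment; every ENC blob is a placeholder.
SAMPLE_CONFIG = """\
config user ldap
    edit "corp-ldap"
        set server "10.0.0.10"
        set username "svc_ldap@example.local"
        set password ENC PLACEHOLDERBLOB1==
    next
end
config user local
    edit "vpn_user01"
        set type password
        set passwd ENC PLACEHOLDERBLOB2==
    next
end
config vpn ipsec phase1-interface
    edit "branch-hq"
        set psksecret ENC PLACEHOLDERBLOB3==
    next
end
"""

ENC_LINE = re.compile(r"^set\s+(\S+)\s+ENC\s+\S+")

def enc_secrets_to_rotate(config_text):
    """List (section, entry, field) for each ENC-stored secret; blobs are not returned."""
    found, path = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(("config", line[len("config "):]))
        elif line.startswith("edit "):
            path.append(("edit", line[len("edit "):].strip('"')))
        elif line in ("next", "end"):
            if path:
                path.pop()  # close the innermost edit/config block
        else:
            m = ENC_LINE.match(line)
            if m:
                section = " / ".join(n for kind, n in path if kind == "config")
                entry = next((n for kind, n in reversed(path) if kind == "edit"), None)
                found.append((section, entry, m.group(1)))
    return found

if __name__ == "__main__":
    for section, entry, field in enc_secrets_to_rotate(SAMPLE_CONFIG):
        print(f"rotate: [{section}] {entry} -> {field}")
```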

LLM-Driven Analysis

With a valid set of credentials and a full network map from the FortiGate configuration, the threat actor moved to internal reconnaissance via FortiSSL VPN and shifted to an automated strategy.

Scan results and recon data were processed through a custom MCP server. The clearest example of this automated process originates from the attack targeting the Turkish company. A Claude Task file in the same group of files provided insight into the operator’s thinking while relaying input to the model: current access and critical internal targets without access (Oracle databases, biometric devices, etc.). The actor also added known vulnerabilities and stolen credentials. The prompt concludes with four specific requests:

  • attack vectors for targets out of reach
  • credential search locations on DC shares
  • methods to identify IT staff
  • a prioritized path to Domain Admin

Active Exploitation via Claude Code

The assessment report, also a markdown file, was dated February 1, 2026 and attributed to Claude Code at the bottom of the document. Below that, a note indicating a 400ms round-trip time to the Asia-Pacific target infrastructure confirmed the information was likely generated during an active remote connection.

The report documented two primary internal targets: a QNAP NAS and a Veeam Backup server, both running with SMB signing disabled. Multiple exploitation attempts were recorded using a mix of Metasploit modules and publicly available exploit code. Output data also showed a running ntlmrelayx.py process, indicating the script was actively running during the time the report was created. The script is part of the Impacket suite, designed to capture credentials and authenticate against specific targets.

Finally, the assessment concluded with prioritized next steps: compile and execute the Veeam RCE exploit, trigger forced authentication through domain access, and continue scanning the victim network for additional points of entry.

Figure 4: Redacted snippet of the vulnerability assessment report found on the server.

ARXON and CHECKER2: A Custom MCP Assisting Exploitation

The previous sections traced two separate intrusion chains. The tools recovered from the directory reveal this operation was designed to run in parallel across thousands of targets.

Combing through the directory files, it became apparent that two custom components formed the backbone of the malicious activity. At the time of publication, I’ve been unable to find public reporting on or references to either. The table below identifies both tools.

| Component | Language | Role | Evidence/filename |
| --- | --- | --- | --- |
| CHECKER2 | Go | Docker-based orchestrator for parallel VPN scanning and target processing. | BACKUP_SUMMARY.md |
| ARXON MCP | Python | Model Context Protocol server combining LLM analysis with attack scripts. | arxon-mcp.log, arxon_client.log |

Figure 5: Snippet of the BACKUP_SUMMARY.md file showing the file tree for ARXON.

Within the file named deploy_output.log, a deployment script transferred a 102MB archive of FortiGate configurations organized by country to a separate Kali Linux server at 185.196.11[.]225, launching an automated scan. Output from one of those scans identified 2,516 targets across 106 countries, processed in parallel batches. Each container follows the same flow: ingest a stolen VPN configuration, attempt connection, scan the internal network and pass results to ARXON for LLM analysis.

Figure 6: Snippet of the contents of deploy_output.log showing thousands of targets across the world.

ARXON serves a dual role. First, it is an analysis platform: it ingests per-target recon data, calls DeepSeek to generate attack plans, and stores results in a persistent knowledge base that grows with each target.

As a toolkit, it contains scripts to directly modify victim infrastructure, including batch SSH-based FortiGate VPN account creation, user provisioning, and automated Domain Admin credential validation.

Operational History and Evolution

The information described above was not the first time this server mistakenly left its data accessible. As briefly mentioned in the opening, an earlier open directory was picked up by Hunt’s scans, dated December 19, 2025.

The December exposure included a copy of HexStrike, an open-source offensive security framework enabling language models to execute penetration testing tools through an MCP, very similar to ARXON.

Most significant in this group of files was a Claude Code settings file found in a .claude directory. The settings.local.json file pre-approved Claude Code to autonomously execute Impacket tools (secretsdump.py, psexec.py, wmiexec.py), Metasploit, and hashcat, to mention a few. The domain credentials for a major media company in Asia were hardcoded directly in the document.

Figure 7: Redacted settings.local.json file from the .claude directory

It’s important to note that this file is distinct from the reports discussed in Section 2. The vulnerability assessment documented Claude Code authoring operational plans during a live intrusion. The .json file allows the model to execute offensive tools without requiring approval for each command.
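For responders triaging a recovered workstation, or teams auditing their own agent deployments, the same kind of file can be reviewed mechanically. The following is an added example, not taken from the exposed server or from Anthropic. It assumes the file follows the Claude Code settings layout of a `permissions.allow` list holding `Bash(...)` rules. The sample rules are constructed, using tool names from this article and placeholder values.

```python
import json
import re

# Constructed sample; tool names come from the article, all values are placeholders.
SAMPLE_SETTINGS = json.dumps({"permissions": {"allow": [
    "Bash(secretsdump.py:*)",
    "Bash(hashcat:*)",
    "Bash(psexec.py EXAMPLE/user:PLACEHOLDER@10.0.0.5)",
    "Bash(git status)",
    "Read(./docs/**)",
    "Bash",
]}})

# Tools the article reports as pre-approved or running during the intrusions.
OFFENSIVE_TOOLS = ("secretsdump", "psexec", "wmiexec", "ntlmrelayx",
                   "msfconsole", "hashcat")
# Heuristic for a domain/user:password@host argument embedded in a rule.
INLINE_CRED = re.compile(r"[\w.\\/-]+:[^\s@:]+@[\w.-]+")

def audit_claude_settings(text):
    """Return {rule: [reasons]} for allow rules that deserve review."""
    allow = json.loads(text).get("permissions", {}).get("allow", [])
    findings = {}
    for rule in allow:
        reasons = []
        if rule == "Bash":
            reasons.append("every shell command is pre-approved")
        m = re.fullmatch(r"Bash\((.*)\)", rule, re.S)
        cmd = m.group(1) if m else ""
        tools = [t for t in OFFENSIVE_TOOLS if t in cmd.lower()]
        if tools:
            reasons.append("offensive tool pre-approved: " + ", ".join(tools))
        if INLINE_CRED.search(cmd):
            reasons.append("credential embedded in rule")
        if reasons:
            findings[rule] = reasons
    return findings

if __name__ == "__main__":
    for rule, reasons in audit_claude_settings(SAMPLE_SETTINGS).items():
        print(rule, "->", "; ".join(reasons))
```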

Between December and February, the threat actor moved from HexStrike, which is publicly available, to ARXON and CHECKER2, custom-built tools with no public footprint. While this timeline does not show a highly skilled operator, the workflow shift shows how easy it is to move from semi-manual attacks to fully orchestrated targeting of FortiGate appliances across the world.

Quick Note: A Change in Tactics?

Within the deepseek_attack_plan.py script, from the most recent campaign, were a number of targets and systems cataloged as vulnerable. Among those devices was a ZKSoftware biometric access control system accessible via telnet and possibly exploitable by CVE-2026-24061, a remote authentication bypass in telnetd. There is no explicit data verifying whether this software was targeted for exploitation, but this would mark a significant change from the actor’s previous targeting of edge devices and harvesting of credentials from internal networks.

Conclusion/Going Forward

The significance of this operation is not reliant on any single technique. Every tool observed, from BloodHound to Nuclei and Impacket, is well documented. What sets this activity apart is the integration of LLMs: a (likely) single operator managing simultaneous intrusions across multiple countries with analytical support at every stage.

Based on what was recoverable, the progression from HexStrike to ARXON took roughly eight weeks. Language models only assisted a low-to-average skilled actor in removing the limit on the number of targets one person can work at any given time.

The dual-model approach observed, using whichever model is most permissive or capable for a given task, is likely to become a recurring pattern. For defenders, this should drive home the importance of patching edge devices, although the pace at which new CVEs pop up is admittedly difficult to keep up with. It’s important to continue auditing for unauthorized VPN accounts, unexpected SSH access and unapproved policy changes.
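One way to run that audit over exported firewall admin events, as an added example rather than code from the campaign or from Fortinet: the log lines are constructed, and the key=value layout, the field names (`ui`, `action`, `cfgpath`, `cfgobj`) and the approved management subnet are assumptions to adapt to your own export. The two IoC addresses are the ones listed in this article.

```python
import ipaddress
import re

APPROVED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]  # assumption: your admin subnet
ARTICLE_IOCS = {"212.11.64.250", "185.196.11.225"}      # from the article's IoC table
WATCHED_PATHS = ("user.local", "user.group", "firewall.policy")  # assumed cfgpath values

# Constructed log lines; key=value layout and field names are assumptions.
SAMPLE_LOGS = [
    'date=2026-02-01 time=03:12:09 user="admin" ui="ssh(212.11.64.250)" action="login" status="success"',
    'date=2026-02-01 time=03:12:41 user="admin" ui="ssh(212.11.64.250)" action="Add" cfgpath="user.local" cfgobj="vpn_tmp01"',
    'date=2026-02-01 time=09:00:02 user="netadmin" ui="ssh(10.10.0.15)" action="login" status="success"',
    'date=2026-02-01 time=09:04:30 user="netadmin" ui="https(203.0.113.50)" action="Edit" cfgpath="firewall.policy" cfgobj="12"',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI = re.compile(r"(\w+)\((\d{1,3}(?:\.\d{1,3}){3})\)")

def review_admin_events(lines):
    """Return (time, user, source, reasons) for events that need a second look."""
    alerts = []
    for line in lines:
        ev = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        m = UI.fullmatch(ev.get("ui", ""))
        if not m:
            continue  # console or unparsed session: out of scope here
        via, src = m.groups()
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        approved = any(ip in net for net in APPROVED_MGMT)
        reasons = []
        if src in ARTICLE_IOCS:
            reasons.append("source is a published IoC")
        if via == "ssh" and ev.get("action") == "login" and not approved:
            reasons.append("SSH admin login from unapproved source")
        if ev.get("cfgpath") in WATCHED_PATHS and not approved:
            reasons.append(ev["cfgpath"] + " changed from unapproved source")
        if reasons:
            alerts.append((ev.get("time"), ev.get("user"), src, reasons))
    return alerts
```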

Matching the speed at which this workflow moved will be important in defending networks as AI continues to be baked into offensive operations.

Indicators of Compromise

| IP Address | Domain | ASN |
| --- | --- | --- |
| 212.11.64[.]250:9999 | N/A | Global-Data System IT Corporation |
| 185.196.11[.]225 | N/A | Global-Data System IT Corporation |

Appendix A: Observed CVEs

| CVE | Targeted Technology | Role |
| --- | --- | --- |
| CVE-2026-24061 | ZKSoftware biometric devices (telnet) | Possible targeting of physical security control systems |
| CVE-2025-33073 | SMB | Privilege escalation on Windows host |
| CVE-2023-27532 | Veeam Backup & Replication | Extract credentials from backup infrastructure |
| CVE-2019-7192 | QNAP NAS | Access network storage |
