← Back to Security Blog
Security Briefing 7 min read

AI-Assisted Hacker Breaches 600 Firewalls + Predator Spyware Hides on iOS

A Russian-speaking hacker used generative AI to breach 600+ FortiGate firewalls across 55 countries. Intellexa's Predator spyware hooks iOS SpringBoard to hide recording indicators. PayPal exposed SSNs for 6 months. French bank registry breach impacts 1.2 million accounts.


Critical: AI-Powered Attack Breaches 600+ FortiGate Firewalls

Unsophisticated Actor + AI = Massive Scale Attack

Amazon Threat Intelligence discovered a Russian-speaking, financially motivated threat actor who used commercial AI tools to compromise over 600 FortiGate devices across 55 countries between January 11 and February 18, 2026.

The critical takeaway: no zero-day exploitation was needed. The campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication. AI helped an unsophisticated actor scale what would normally require significant technical skill.

What AI Enabled

🗡️ KENSAI Insight

This attack exploited basic hygiene failures — exposed management interfaces and weak passwords. AI didn't find a zero-day; it simply scaled what a manual attacker could do. Disable public management ports. Enforce MFA. These are table-stakes defenses.


Predator Spyware: Invisible Recording on iOS

SpringBoard Hooks Hide Camera and Microphone Activity

Intellexa's Predator spyware can suppress iOS recording indicators while secretly streaming camera and microphone feeds to operators.

Predator hooks directly into iOS SpringBoard — the core UI layer that manages status bar indicators. By intercepting the recording notification system, the spyware can:

This is a nation-state grade capability primarily targeting journalists, activists, and political figures. Standard users are unlikely targets but should keep iOS updated.


PayPal Data Breach: SSNs Exposed for 6 Months

Software Bug in Loan Application Leaked Sensitive Data

PayPal is notifying customers that a software error in a loan application exposed Social Security numbers and other sensitive personal information for nearly 6 months throughout 2025.

Key details:

This highlights that application security testing is just as critical as perimeter defense. A single code bug can expose millions of records.


French Bank Registry Breach: 1.2 Million Accounts

The French Ministry of Finance disclosed a cybersecurity incident impacting 1.2 million bank registry accounts. Details remain limited, but the scale makes this one of the largest financial data breaches in France.


Advantest Hit by Ransomware

Japanese semiconductor testing giant Advantest Corporation disclosed a ransomware attack on its corporate network. The company, which supplies testing equipment to major chip manufacturers, confirmed potential impact to customer and employee data.


BeyondTrust RCE Exploited in Ransomware Attacks

CISA Warning: Active Ransomware Exploitation

CVE-2026-1731 in BeyondTrust Remote Support is being actively exploited in ransomware campaigns. CISA has added it to the Known Exploited Vulnerabilities catalog.

Organizations using BeyondTrust Remote Support should patch immediately. Remote access tools are high-value targets — they provide attackers with the same privileged access that IT teams use.


Arkanix Stealer: AI-Built Malware Experiment

A new information stealer called Arkanix was promoted across dark web forums in late 2025. Analysis suggests it was largely AI-generated — representing a growing trend of low-skill actors using AI to develop malware. While short-lived, it demonstrates the democratization of malware development.


Today's Numbers

Metric Value
FortiGate devices breached by AI-assisted attack 600+
Countries affected 55
PayPal SSN exposure window ~6 months
French bank accounts breached 1.2 million
Attack campaign duration (FortiGate) 5 weeks

Today's Priorities

  1. PATCH: BeyondTrust CVE-2026-1731 — active ransomware exploitation
  2. AUDIT: FortiGate management interfaces — disable public access, enforce MFA
  3. REVIEW: Application security — PayPal-style bugs hide in loan/payment flows
  4. UPDATE: iOS devices — Predator spyware targets outdated versions
  5. MONITOR: AI-assisted attack tooling — low-skill actors scaling with AI

Is Your Firewall Exposed Like 600 Others?

KENSAI scans for exposed management interfaces, weak credentials, and misconfigurations that AI-assisted attackers exploit at scale.

Start Free Scan

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles