A Russian-speaking hacker used generative AI to breach 600+ FortiGate firewalls across 55 countries. Intellexa's Predator spyware hooks iOS SpringBoard to hide recording indicators. PayPal exposed SSNs for 6 months. French bank registry breach impacts 1.2 million accounts.
Amazon Threat Intelligence discovered a Russian-speaking, financially motivated threat actor who used commercial AI tools to compromise over 600 FortiGate devices across 55 countries between January 11 and February 18, 2026.
The critical takeaway: no zero-day exploitation was needed. The campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication. AI helped an unsophisticated actor scale what would normally require significant technical skill.
This attack exploited basic hygiene failures — exposed management interfaces and weak passwords. AI didn't find a zero-day; it simply scaled what a manual attacker could do. Disable public management ports. Enforce MFA. These are table-stakes defenses.
Intellexa's Predator spyware can suppress iOS recording indicators while secretly streaming camera and microphone feeds to operators.
Predator hooks directly into iOS SpringBoard — the core UI layer that manages status bar indicators. By intercepting the recording notification system, the spyware can:
This is a nation-state grade capability primarily targeting journalists, activists, and political figures. Standard users are unlikely targets but should keep iOS updated.
PayPal is notifying customers that a software error in a loan application exposed Social Security numbers and other sensitive personal information for nearly 6 months throughout 2025.
Key details:
This highlights that application security testing is just as critical as perimeter defense. A single code bug can expose millions of records.
The French Ministry of Finance disclosed a cybersecurity incident impacting 1.2 million bank registry accounts. Details remain limited, but the scale makes this one of the largest financial data breaches in France.
Japanese semiconductor testing giant Advantest Corporation disclosed a ransomware attack on its corporate network. The company, which supplies testing equipment to major chip manufacturers, confirmed potential impact to customer and employee data.
CVE-2026-1731 in BeyondTrust Remote Support is being actively exploited in ransomware campaigns. CISA has added it to the Known Exploited Vulnerabilities catalog.
Organizations using BeyondTrust Remote Support should patch immediately. Remote access tools are high-value targets — they provide attackers with the same privileged access that IT teams use.
A new information stealer called Arkanix was promoted across dark web forums in late 2025. Analysis suggests it was largely AI-generated — representing a growing trend of low-skill actors using AI to develop malware. While short-lived, it demonstrates the democratization of malware development.
| Metric | Value |
|---|---|
| FortiGate devices breached by AI-assisted attack | 600+ |
| Countries affected | 55 |
| PayPal SSN exposure window | ~6 months |
| French bank accounts breached | 1.2 million |
| Attack campaign duration (FortiGate) | 5 weeks |
KENSAI scans for exposed management interfaces, weak credentials, and misconfigurations that AI-assisted attackers exploit at scale.
Start Free ScanStay secure. Stay vigilant.
🗡️ KENSAI Security Team