Rolls-Royce A.I CyberSecurity Scoring
Rolls-Royce
Company Information
Website: http://www.rolls-royce.com
Number of employees: 31,122
Number of followers: 1,834,160
NAICS: 3332
Industry Type: Industrial Machinery Manufacturing
Homepage: rolls-royce.com
Rolls-Royce Risk Score (AI oriented)
Between 750 and 799
Rolls-Royce - Industrial Machinery Manufacturing
Updated: 22/03/2026
784/1000
Fair
Baa
Rolls-Royce: Fair
Current Score
784 Baa (FAIR)
Scale: 0 to 1000
2 incidents
-34 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
791
MAY 2026
787
APRIL 2026
786
MARCH 2026
786
FEBRUARY 2026
821
Breach
23 Feb 2026 • Rolls-Royce
Ericsson, Rolls-Royce and Johnson & Johnson: Infostealers Fuel Large‑Scale Brute‑Forcing of Corporate SSO Gateways Using Stolen Credentials
Credential Stuffing Campaign Exploits Stolen Employee Logins to Breach Corporate Networks
787
CRITICAL -34
JOHROLERI1772202424
A sophisticated credential stuffing campaign targeting corporate Single Sign-On (SSO) gateways, particularly F5 BIG-IP interfaces, has exposed a growing threat: attackers gaining network access not through software vulnerabilities, but by using stolen employee credentials.
First detected on February 23, 2026, by threat intelligence group Defused Cyber, the attack leveraged credentials harvested from infostealer malware infections on employee devices. A single source IP (219.75.254.166, registered to OPTAGE Inc. in Japan) was observed sending large volumes of corporate email and password combinations in automated login attempts.
Analysis by Hudson Rock revealed that 77% of the 70 unique credentials used in the attack matched known infostealer infection logs, confirming they were stolen from compromised endpoints rather than a traditional data breach. The credentials were then repurposed against ADFS, Security Token Services (STS), and OWA portals, demonstrating a shift from mere data theft to coordinated network intrusion.
Affected organizations included high-profile entities such as Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Cellebrite, the Belgian Police, Queensland Police, Turkish government ministries, and major retail conglomerates. Attackers targeted these entities knowing that even a small number of valid logins, especially in organizations lacking multi-factor authentication (MFA), could provide initial access.
The attack infrastructure further raised concerns, as the source IP was traced to a compromised Fortinet FortiGate-60E firewall with open ports and a self-signed SSL certificate. This indicated attackers were routing traffic through hijacked network devices to target other edge systems, blending stolen credentials with compromised infrastructure.
Researchers described the attack as part of a "Log-to-Lead" pipeline, an industrialized process where infostealer malware logs are aggregated, filtered by corporate domain, and sold to Initial Access Brokers on dark web marketplaces. Attackers then purchase these credential packages and use them in large-scale stuffing attacks until they gain access.
The campaign underscores a critical shift in cyber threats: identity as the new perimeter. Since devices like F5 BIG-IP often accept the same credentials used for internal systems, a single stolen ADFS password could unlock VPNs, SSO portals, or remote access gateways, effectively allowing attackers to bypass traditional security measures.
Cyber Attack
23 Feb 2026 • Rolls-Royce
Rolls-Royce, Ericsson, Johnson & Johnson, OPTAGE Inc. and Turkey Ministry of Trade: Infostealers Drive Massive Brute-Force Attacks on Corporate SSO Gateways with Stolen Credentials
Credential-Stuffing Attacks Target Corporate SSO Systems via Infostealer-Mined Logins
787
CRITICAL -34
ERIDEFJOHROLVID1772180734
A surge in credential-stuffing attacks is targeting corporate Single Sign-On (SSO) systems, with recent campaigns focusing on F5 BIG-IP devices. Security firm Defused Cyber analyzed 70 unique email-password pairs used in the attacks, finding that 77% (54 credentials) matched data from Infostealer infections (malware like RedLine, Raccoon, and Vidar that harvests browser-saved logins from compromised employee devices).
The attacks, first detected by Defused Cyber’s honeypots, involved malicious authentication attempts from a Japanese IP (219.75.254.166, AS17511, OPTAGE Inc.). Threat actors repurposed stolen credentials to bypass defenses, targeting corporate portals such as ADFS, OWA, and STS, often exploiting weak multi-factor authentication (MFA) enforcement or password reuse.
The campaign highlights an industrialized "log-to-lead" pipeline:
1. Infection: Employees’ devices are compromised by Infostealers, which exfiltrate stored credentials.
2. Marketplace: Stolen logs are sold on underground forums to Initial Access Brokers (IABs).
3. Front-Door Bypass: Attackers use valid credentials to access corporate systems like F5 BIG-IP, leveraging their role in authentication.
4. Network Compromise: Legitimate logins grant direct access, bypassing traditional security measures.
Compromised credentials linked to high-profile organizations were identified, including Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Belgian and Queensland Police, Majid Al Futtaim, Cellebrite, Doka, and Turkey’s Ministry of Trade. The attacks cast a wide net, relying on volume to exploit gaps in MFA or user fatigue.
Further investigation revealed the attacks originated from a compromised Fortinet FortiGate-60E firewall hosted by OPTAGE Inc., exposing open ports (541/tcp, 10443/tcp) with a self-signed SSL certificate. This indicates attackers are hijacking network edge devices to launch assaults, turning one organization’s infrastructure into an attack proxy for another.
The campaign underscores a shift in cybercriminal tactics, from exploiting vulnerabilities to abusing legitimate authentication, emphasizing the growing threat of identity-based attacks.
JANUARY 2026
821
DECEMBER 2025
821
NOVEMBER 2025
821
OCTOBER 2025
821
SEPTEMBER 2025
821
AUGUST 2025
821
JULY 2025
821