3D Printing Cyber: The AI Phase of Offense Industrialization


A 3D printer with a hazard sign and melting plastic on an extruder table.

On February 20, 2026, CJ Moses, CISO of Amazon, published findings from Amazon Threat Intelligence describing a campaign that should reframe how we think about cyber offense. A Russian-speaking, financially motivated threat actor used commercial generative AI services to compromise over 600 FortiGate firewall appliances across more than 55 countries between January 11 and February 18, 2026. The campaign involved no zero-days, no exploit development, and, as far as anyone can tell, no team. The actor scanned internet-facing management interfaces, tried common credentials against single-factor authentication, and let AI handle the rest.

Moses called it “an AI-powered assembly line for cybercrime, helping less skilled workers produce at scale.”

The assembly line metaphor is dead on.

I’ve spent the past year exploring how offense industrialized. How the Chinese cyber ecosystem grew into a manufacturing supply chain of specialized firms, each perfecting one phase of the kill chain and scaling operations the way Toyota scaled automobile production. That framework describes what happened over the past decade. This campaign opens a window into what will happen next.

The assembly line just got compressed into a single workstation. And the operator doesn’t need to understand how the factory works.

What Happened

Amazon Threat Intelligence discovered the campaign through routine operations. The actor scanned FortiGate management interfaces exposed on ports 443, 8443, 10443, and 4443 across the open internet, then attempted authentication with commonly reused credentials. Just the digital equivalent of checking which doors are unlocked, executed at a speed no human team could match without automation.

FortiGate configuration files are high-value targets for a specific reason. They contain SSL-VPN user credentials with recoverable passwords, administrative credentials, complete network topology, firewall policies revealing internal architecture, and IPsec VPN peer configurations. A single config file hands an attacker the blueprint of an entire network along with the keys to walk through it. The actor developed AI-assisted Python scripts to parse, decrypt, and organize these stolen configurations.

Then the operation escalated. After establishing VPN access to victim networks, the actor deployed AI-generated reconnaissance tools that automated the post-exploitation workflow: ingesting target networks from VPN routing tables, running service discovery with open-source scanners, identifying domain controllers, and producing prioritized target lists. Inside victim networks, Meterpreter with the mimikatz module performed DCSync attacks against domain controllers, extracting complete NTLM password hash databases from Active Directory. In at least one case, the Domain Administrator account used a plaintext password extracted directly from the FortiGate configuration. That’s password reuse connecting the perimeter device to the keys of the kingdom.

The actor then targeted Veeam Backup & Replication servers, the pre-ransomware playbook. Rapid7 reported that over 20% of its 2024 incident response cases involved Veeam access or exploitation. Compromise backups first, encrypt second. Amazon’s analysis confirmed no ransomware deployment, although the actor’s operational notes documented the intent to deploy it. They were building toward it.

Notably, when the actor encountered hardened environments, they moved on. Patched services, closed ports, and MFA forced the actor to switch targets. The actor’s own operational assessment for one confirmed victim acknowledged that key infrastructure targets were “well-protected” with “no vulnerable exploitation vectors.”

The Exposed Server

We know all of this because the actor’s operational security collapsed.

The server at 212[.]11.64.250, port 9999, hosted on a Swiss autonomous system, contained 1,402 files across 139 subdirectories: CVE exploit code; FortiGate configuration files from victims; Nuclei scanning templates; Veeam credential extraction tools; BloodHound collection data mapping Active Directory relationships; AI-generated attack plans with step-by-step exploitation instructions, expected success rates, time estimates, and prioritized task trees; source code for every custom tool in the operation; and victim network topologies with confirmed credentials, identified services, and recommended lateral movement paths.

Everything. On a public server. Without encryption. Talk about a noob.

This level of exposure rarely, if ever, happens in professional operations. State-sponsored campaigns compartmentalize by design. Organized cybercrime groups enforce operational discipline through organizational hierarchy. This actor had neither structure nor discipline, and that absence explains both why we can study this campaign in such detail and why the operational model itself carries a structural vulnerability.

But the exposure also serves a different analytical function. We know this campaign existed because the operator was careless. The infrastructure that Amazon Threat Intelligence discovered represents one data point, the visible one. The question that should sit with every reader is, “How many similar campaigns run right now with better hygiene?”

The Factory and the 3D Printer

I’ve written previously about how the Chinese cyber ecosystem industrialized through organizational specialization. Companies now provide discrete kill chain services. One firm handles reconnaissance. Another brokers initial access. A third provides command infrastructure. A fourth manages exfiltration. Each perfects one phase and sells it as a service. The ecosystem scales horizontally, like a manufacturing supply chain producing custom goods at commodity speed. Attribution fragments along organizational boundaries. When reconnaissance happens in one company, weaponization in another, and C2 in a third, defenders can’t trace a full campaign to a single actor.

That’s the factory. Organizational specialization. Distributed production. A decade of institutional development.

This campaign built a 3D printer.

One actor performed six distinct industrial functions: reconnaissance and scanning, tool development, credential extraction and parsing, infrastructure management, attack planning, and post-exploitation. AI substituted for specialized teams at each phase. The actor used at least two distinct commercial LLM providers throughout operations. Amazon Threat Intelligence identified one model serving as the primary tool developer, attack planner, and operational assistant, with a second used as a supplementary attack planner when the actor needed help pivoting within specific compromised networks.

Independent analysis by Cyber and Ramen identified the specific models. DeepSeek generated attack plans from reconnaissance data. The actor configured Claude Code, Anthropic’s coding agent, for autonomous execution of offensive tools. The actor built a custom tool called ARXON, a Model Context Protocol (MCP) server that bridged stolen recon data and commercial language models. ARXON ingested per-target reconnaissance, called DeepSeek to generate structured attack plans, and stored results in a persistent knowledge base that grew with each compromised target. It also contained scripts for batch SSH-based FortiGate VPN account creation, user provisioning, and automated Domain Admin credential validation.

The actor started with HexStrike, an open-source MCP framework released in 2025 that wraps 150+ security tools with MCP decorators so AI agents can invoke them autonomously. Within approximately eight weeks, the actor graduated to ARXON, a custom orchestration platform. Consumer to builder. Two months.

The factory, the Chinese ecosystem model, distributes production across organizational boundaries. Each firm holds one piece of the operation. Compromising one firm reveals one phase. The organizational structure creates resilience through compartmentalization.

The 3D printer concentrates everything in a single node. One server held 1,402 files documenting the entire operation. The actor’s OPSEC failure was architectural. When you compress the supply chain into one workstation, you compress the failure surface into one workstation. The Toyota model distributes risk. The 3D printer concentrates it.

Both models produce. They produce differently.

The factory retains its advantage on hard targets. The precision operations that demand persistent access, custom exploit development, deep institutional knowledge of specific victim environments. The kind of work that requires the human expertise AI can’t replicate. ShadowPad campaigns spanning 70+ organizations across nine months require coordination, institutional memory, and operational discipline that a solo AI-augmented actor demonstrably lacks.

The 3D printer floods the market with volume against soft targets. Six hundred devices, 55 countries, five weeks, one operator. The quality per unit is lower. The tooling shatters under edge cases. The actor can’t compile custom exploits, debug failed attempts, or creatively pivot when standard approaches fail. But volume compensates for selectivity. The threat model shifts from “sophisticated actor persists against your defenses” to “automated industrial process sorts you into a category and processes accordingly.”

And the timeline between these two models compresses at alarming speed. In November 2025, Anthropic disclosed that a Chinese state-sponsored group (tracked as GTG-1002) had, two months earlier, manipulated Claude Code into functioning as an autonomous cyber attack agent, executing 80-90% of tactical operations independently across roughly 30 targets globally. That was a state-sponsored operation with institutional resources. In January 2026, within two months of that disclosure, a financially motivated individual replicated the conceptual model with commercial tools and API keys.

The capability transfer from nation-state to solo operator used to take years. From GTG-1002’s public disclosure to this campaign’s first intrusion was about eight weeks.

The Raw Material Problem

The campaign succeeded because the raw material existed in abundance.

FortiGate appliances have weathered an 18-month siege of vulnerability disclosures and mass exploitation campaigns. The timeline matters because it explains where this actor’s starting inventory came from.

October 2022: CVE-2022-40684, a critical authentication bypass zero-day, was exploited in the wild. Attackers harvested configuration files from approximately 15,000 devices. January 2025: a group calling itself Belsen Group dumped those 15,000 configurations on the dark web for free, as a promotional move to establish reputation. Plaintext VPN credentials included. Censys confirmed that 54.75% of affected IP addresses remained online and reachable. Nearly a third still exposed the compromised FortiGate login interfaces.

The supply kept growing. Four more critical Fortinet vulnerabilities followed between January 2025 and January 2026, each adding to the stockpile, including one that worked on fully patched devices. The supply of exploitable starting material expanded faster than organizations rotated credentials. This campaign processed that stockpile at industrial speed.

A deeper architectural question sits underneath the vulnerability timeline. At this stage in the long evolution of security architecture, we need to accept that SSL VPNs are just a terrible idea and should be eradicated with extreme prejudice.

SSL VPN deployments on these appliances manufacture portable credential packages. A FortiGate configuration file contains SSL-VPN user passwords, administrator passwords, and IPsec pre-shared keys that, unless the device has private-data-encryption enabled, sit under a reversible default-keyed encryption and come out as plaintext for anyone holding the file, along with complete network topology, routing information, and VPN peer configurations. This is everything an attacker needs to map, enter, and navigate a network, bundled into one extractable artifact. ARXON ingested these artifacts. DeepSeek produced attack plans from them. The architecture generated the input. AI processed it. Scale followed automatically.
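The config-file problem described here, and in the “What Happened” section above, is concrete enough to show. The following Python is an added example of mine, not tooling from the post, from Amazon’s report, or from the actor: it parses the FortiOS CLI-style configuration format (config / edit / set / next / end blocks) and flags the exposure patterns this campaign keyed on: a non-default admin port, management protocols allowed on a WAN-role interface, administrators without trusted-host restrictions or MFA, single-factor SSL-VPN users, and the number of secrets stored as reversible ENC blobs. The sample configuration is constructed, the key names (admin-sport, allowaccess, role, trusthost1, two-factor, password, passwd, psksecret) are the FortiOS ones as I know them, and nothing is decrypted; the point is to run it against your own backup before someone else does.

```python
"""Triage a FortiOS configuration: parse the CLI-style format and flag the
settings that made these appliances 'raw material'. Added example, not code
from the post or Amazon's report. SAMPLE_CONFIG is constructed; its shape
follows the usual FortiOS layout (config/edit/set/next/end). ENC blobs are
counted, never decrypted."""
import shlex

SAMPLE_CONFIG = """\
config system global
    set admin-sport 8443
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
end
config system admin
    edit "admin"
        set password ENC AK1placeholderBlob1==
    next
    edit "helpdesk"
        set password ENC AK1placeholderBlob2==
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
config user local
    edit "vpn.jsmith"
        set passwd ENC AK1placeholderBlob3==
        set two-factor disable
    next
    edit "vpn.akim"
        set passwd ENC AK1placeholderBlob4==
        set two-factor fortitoken
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set remote-gw 198.51.100.5
        set psksecret ENC AK1placeholderBlob5==
    next
end
"""

ADMIN_PROTOCOLS = {"http", "https", "ssh", "telnet"}
SECRET_KEYS = {"password", "passwd", "psksecret"}


def parse_fortios_config(text):
    """Nested dict: 'config'/'edit' scopes become dicts, 'set' values become lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blanks and '#config-version=' headers
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw in ("config", "edit"):            # open a table, or an entry inside one
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif kw == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def count_reversible_secrets(node):
    """Count ENC-stored secrets: what a stolen config hands an attacker."""
    total = 0
    for key, value in node.items():
        if isinstance(value, dict):
            total += count_reversible_secrets(value)
        elif key in SECRET_KEYS and value and value[0] == "ENC":
            total += 1
    return total


def audit_config(cfg):
    """(finding, subject, detail) tuples for the exposure patterns in this campaign."""
    out = []
    sport = cfg.get("system global", {}).get("admin-sport")
    if sport:                                   # non-default HTTPS admin port (8443, 10443, ...)
        out.append(("admin-sport", sport[0], None))
    for name, iface in cfg.get("system interface", {}).items():
        exposed = ADMIN_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role", [""])[0] == "wan" and exposed:
            out.append(("wan-admin-exposed", name, sorted(exposed)))
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):   # login allowed from any IP
            out.append(("admin-no-trusthost", name, None))
        if adm.get("two-factor", ["disable"])[0] == "disable":
            out.append(("admin-no-mfa", name, None))
    for name, user in cfg.get("user local", {}).items():
        if user.get("two-factor", ["disable"])[0] == "disable":
            out.append(("user-no-mfa", name, None))        # single-factor VPN account
    return out


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    print("reversible secrets:", count_reversible_secrets(parsed))
    for finding in audit_config(parsed):
        print(*finding)
```

To run it against a real backup, pass the file contents to parse_fortios_config instead of SAMPLE_CONFIG. Every ENC secret it counts is a credential to rotate if the config has ever left the device, and on FortiOS the setting I know of for replacing the default encryption key with your own is private-data-encryption under config system global; the audit treats any config without it as recoverable.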

Norway’s National Cyber Security Centre recommended replacing SSL VPN by the end of 2025, with critical infrastructure operators to transition by the end of 2024, guidance that followed state-backed actors exploiting zero-days in SSL VPN products against Norwegian infrastructure. SonicWall announced it will remove all SSL VPN licenses and support after October 2025. Zscaler’s 2025 VPN Risk Report found 56% of organizations reported VPN-related breaches in the past year. NIST cataloged 83 VPN CVEs in 2024 alone, 60% scoring high or critical.

The migration argument moves from “best practice” to something more concrete. If you’re using an SSL VPN, your architecture produces raw material for automated exploitation. The organizations that can afford ZTNA migration will complete it. The organizations that can’t (the mid-market companies across South Asia, Latin America, and West Africa that populate this campaign’s victim list) remain inventory for the next assembly line.

The haves. And the have-nots.

The IOC Problem Strikes Back

Moses published two IPv4 indicators of compromise in his report. He also wrote, in the same report, that “traditional IOC-based detection has limited effectiveness” because the actor used legitimate open-source tools (Impacket, gogo, Nuclei, Meterpreter) present in every penetration testing engagement.

He shared the indicators. Then he told you they won’t help.

This paradox sits at the center of a structural failure in threat intelligence I’ve written about previously. The median C2 server lives five days. The average shared indicator arrives 33 days later. The indicator expires before it arrives.

This campaign adds a new dimension. The operationally useful intelligence (ARXON’s MCP architecture, the two-model workflow, behavioral patterns of AI-orchestrated lateral movement, detection opportunities like anomalous VPN geo-patterns and unexpected DCSync operations) fits into no existing sharing format.

You can encode two IP addresses in STIX and distribute them via TAXII. You cannot encode “the attacker submitted complete victim network topology to a commercial LLM and received a prioritized exploitation plan” in a machine-readable format that another organization can operationalize. The intelligence that’s sharable in current formats is already dead or dying. The intelligence that matters has no transport standard or mechanism to even exist.
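One of the behavioral detection opportunities named above, unexpected DCSync operations, is worth showing rather than asserting, because it is exactly the intelligence a STIX bundle cannot carry. The following Python is an added example of mine, not tooling from the post or from Amazon’s report: it runs over Windows Security events from a domain controller, flags 4662 events on the domain root that carry the replication extended rights (which is what Impacket’s secretsdump and mimikatz’s DCSync request), joins each hit to its 4624 logon by logon ID to recover the source address, and notes whether that address falls in the SSL-VPN tunnel pool. The events, the DC names in the allowlist, and the pool range are constructed assumptions; 4662 only fires if Directory Service Access auditing and a SACL on the domain object are in place, and legitimate sync accounts (Entra Connect’s MSOL_ account, for example) need adding to the allowlist in a real deployment.

```python
"""Detect DCSync replication requests in DC Security events and tie them back
to the logon that issued them. Added example, not tooling from the post or
from Amazon's report. EVENTS, the DC allowlist and the VPN pool are
constructed assumptions."""
import ipaddress

# Extended rights needed to pull secrets over replication (well-known GUIDs).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                     DS_REPLICATION_GET_CHANGES_FILTERED}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # schema GUID of domainDNS

REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}             # assumed: this domain's DCs
VPN_POOL = ipaddress.ip_network("10.212.134.0/24")     # assumed SSL-VPN tunnel pool

EVENTS = [  # constructed; fields mirror EventData of 4624 (logon) and 4662 (DS access)
    {"EventID": 4624, "Computer": "DC01.corp.example", "TargetUserName": "DC02$",
     "TargetLogonId": "0x1a2b", "IpAddress": "10.10.0.12", "LogonType": "3"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "DC02$",
     "SubjectLogonId": "0x1a2b", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "TargetUserName": "jsmith.adm",
     "TargetLogonId": "0x9f7c", "IpAddress": "10.212.134.203", "LogonType": "3"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith.adm",
     "SubjectLogonId": "0x9f7c", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x44aa", "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "%%7688 {bf967a7f-0de6-11d0-a285-00aa003049e2}"},  # ordinary DS read
]


def is_dcsync(event):
    """4662 on the domain root that carries a replication extended right."""
    if event.get("EventID") != 4662:
        return False
    if DOMAIN_DNS_CLASS not in event.get("ObjectType", "").lower():
        return False
    props = event.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def detect_dcsync(events):
    """Alert on replication requests from anything that is not a known DC; join
    to the 4624 with the same logon ID to recover where the session came from."""
    logons = {e["TargetLogonId"]: e for e in events if e.get("EventID") == 4624}
    alerts = []
    for event in events:
        if not is_dcsync(event):
            continue
        account = event["SubjectUserName"]
        if account in REPLICATION_ALLOWLIST:          # DC-to-DC replication is normal
            continue
        logon = logons.get(event.get("SubjectLogonId"), {})
        source = logon.get("IpAddress", "unknown")
        try:
            from_vpn = ipaddress.ip_address(source) in VPN_POOL
        except ValueError:                              # '-', '::1', 'unknown'
            from_vpn = False
        alerts.append({"account": account, "dc": event["Computer"], "source_ip": source,
                       "from_vpn_pool": from_vpn, "logon_type": logon.get("LogonType")})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(EVENTS):
        print(alert)
```

The join to 4624 is what turns a single noisy event into the campaign’s signature: a replication request from a human-named account whose session arrived through the VPN pool is the “reused firewall password reaches Domain Admin” path described earlier, and it is reportable as a behavior without a single IP address or hash.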

The clearing house for behavioral intelligence exchange, for TTP-centric, context-rich, time-bounded intelligence that routes to the right consumer, still doesn’t exist. The platforms that host threat intelligence feeds built their economics on IOC volume. The ISACs that coordinate sector defense built their workflows on indicator distribution. The government bulletins that inform defensive priorities still circulate hashes and domains as their primary unit of cooperation.

All of it transacts in a currency that buys less each quarter. This campaign’s two IP addresses are the latest denomination.

The Two-Tier Landscape Hardens

The actor’s operational notes recovered from the exposed server record repeated failures against hardened environments.

Targeted services: patched. Required ports: closed. Vulnerabilities: didn’t apply to the target OS versions. The actor’s final assessment for one confirmed victim: key infrastructure targets “well-protected” with “no vulnerable exploitation vectors.”

Each adversary failure traces to a basic defensive control that is a well-known and recommended minimum baseline. MFA on VPN access. Management interfaces pulled off the internet. Credentials rotated after the Belsen Group dump. Backup infrastructure segmented. Veeam servers patched.

Fundamentals. All of them. The problem is distribution.

The organizations this campaign hit cluster across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. Managed service providers running shared FortiGate deployments. Organizations where multiple devices shared non-standard management ports. This is an example of centralized administration without centralized security. Environments where a Domain Administrator password matched the SSL-VPN credential the actor pulled from a firewall config file.

I spent a week in Taipei in December 2025 discussing digital resilience with government officials and critical infrastructure operators. Taiwan’s small and medium enterprises form the backbone of the economy. Many lack IT departments. Some lack IT administrators entirely. They hire an engineer to configure email, purchase a firewall appliance, and hope for the best. The threat ecosystem industrialized to exploit these organizations as soft entry points into supply chains connecting to larger targets.

This campaign processed them at industrial speed. The controls that work against these campaigns are known. They’re cheap to describe and expensive to deploy for the organizations that need them most.

The gap between resourced defenders and everyone else widens quarter by quarter. Organizations with behavioral baselines, deployed MFA, segmented networks, and audited management interfaces survived this campaign without incident. An automated process running on commercial AI sorted organizations without these fundamentals into the soft-target category.

Defense-as-infrastructure (composable, standardized, horizontally scalable security that deploys without requiring bespoke expertise or dedicated security teams) remains the market gap. The AWS of cyber defense. I’ve written about this need in the context of Taiwan’s digital resilience challenges and the broader failure of the IOC-sharing economy to protect the organizations consuming stale indicator feeds.

This campaign amplifies the demand signal. Nobody has built it yet.

The Question Underneath

The analytical frameworks that have organized cybersecurity thinking for fifteen years assume capability correlates with organizational resources. Advanced Persistent Threat groups possess advanced capabilities because they command state-sponsored budgets, institutional expertise, and organizational depth. Financially motivated criminals operate at lower sophistication because they lack those resources. The taxonomy (APT versus cybercrime, nation-state versus criminal, sophisticated versus commodity) rests on that correlation.

The correlation is broken.

A financially motivated individual (maybe small team) with commercial AI access just compromised 600+ devices across 55 countries, extracted complete Active Directory credential databases, and positioned for ransomware deployment against backup infrastructure. The techniques mirror state-sponsored operations. The organizational resources amount to a laptop and API keys.

AI compresses the offense supply chain from ecosystem to individual. The factory still runs. The Chinese ecosystem’s organizational model retains its advantage on hard targets. But the commodity operations face radical democratization. The 3D printer produces at lower quality than the factory. The operator can’t debug failed exploits, can’t compile custom tooling, can’t creatively adapt when conditions diverge from the AI-generated plan. When this actor hit a wall, they moved on.

The only reason we can study this campaign in the detail Amazon published is because the operator stored everything on a public server without encryption. A competent operator running the same model with basic infrastructure hygiene produces no exposed Zurich server. The victims discover the compromise through ransomware deployment. Or they don’t discover it at all.

That’s the campaign worth thinking about. The one that learned from this actor’s mistakes. The invisible assembly line, operated by one, running on commercial AI, processing soft targets at industrial speed with competent operational security.

How many are running right now? And how do we defeat them?