Infostealer Malware Fuels Brute-Force Attacks on Corporate SSO, Targets Multinational Firms and Police Agencies

Infostealer Malware Drives Large-Scale Brute-Force Attacks on Corporate SSO Gateways

A recent surge in credential stuffing attacks has unveiled a concerning trend: cybercriminals are infiltrating corporate networks not by exploiting software vulnerabilities but by utilizing stolen credentials to gain unauthorized access. Central to this development are infostealer malware families that discreetly collect login information from compromised employee devices and employ these credentials in brute-force attacks against corporate Single Sign-On (SSO) gateways, with a particular focus on F5 BIG-IP interfaces.

This activity came to public attention on February 23, 2026, when the threat intelligence group Defused Cyber identified a significant credential stuffing campaign targeting F5 devices. Their honeypots recorded numerous POST requests originating from a single IP address—219.75.254.166, registered to OPTAGE Inc. in Japan—where the attacker systematically tested corporate email and password combinations.

What set this attack apart was its precision: the credentials appeared to be legitimate, corresponding to employees of large multinational corporations and government agencies. Upon further analysis, 54 out of 70 unique email-and-password pairs used in the attack matched known infostealer infection logs, indicating a match rate exceeding 77%. This suggests that the credentials were not obtained from a traditional data breach but were harvested from devices infected with infostealer malware. These stolen credentials were then repurposed to target external infrastructures, including Active Directory Federation Services (ADFS), Security Token Services (STS), and Outlook Web Access (OWA) portals, marking a shift from mere data theft to coordinated network intrusions.

The breadth of affected organizations is alarming. Employee credentials from companies such as Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Cellebrite, the Belgian Police, and Queensland Police were identified in the attack payload, as were credentials belonging to staff of Turkish government ministries and major retail conglomerates. Attackers employed a broad strategy, understanding that even a few valid logins could provide a foothold in organizations lacking robust multi-factor authentication measures.

Further investigation into the attack infrastructure revealed that the source IP was linked to a compromised Fortinet FortiGate-60E firewall from OPTAGE Inc. in Japan. This device had open ports 541/tcp and 10443/tcp and utilized a self-signed SSL certificate. This indicates that attackers were routing their traffic through a hijacked edge device to target other edge devices, combining stolen identities with compromised network infrastructure in a dual-threat approach that is challenging to detect.
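The pattern described above (one source address submitting many distinct corporate usernames against SSO login endpoints in a short window) is straightforward to surface from gateway access logs. The following is an added detection example written for this article; it is not code from Defused Cyber or from any vendor. The log line format, the login endpoint paths, the IP addresses and the user names are all constructed assumptions, and the thresholds are starting points that a defender would tune to their own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed login endpoints: ADFS, OWA and an F5 APM-style policy path. Adjust to your own gateways.
LOGIN_PATHS = ("/adfs/ls/", "/owa/auth.owa", "/my.policy")

# Assumed simplified access-log format: "<timestamp> <src_ip> POST <path> user=<name> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample log lines (documentation-range IPs, fictitious domains). One address cycles
# through accounts at several organizations; a second address is a normal user retrying once.
SAMPLE_LOG = """\
2026-02-23T10:00:01Z 203.0.113.7 POST /adfs/ls/ user=alice@corp-a.test status=401
2026-02-23T10:00:03Z 203.0.113.7 POST /adfs/ls/ user=bob@corp-a.test status=401
2026-02-23T10:00:05Z 203.0.113.7 POST /my.policy user=carol@corp-b.test status=401
2026-02-23T10:00:07Z 203.0.113.7 POST /owa/auth.owa user=dave@police-c.test status=401
2026-02-23T10:00:09Z 203.0.113.7 POST /adfs/ls/ user=erin@corp-a.test status=200
2026-02-23T10:00:11Z 203.0.113.7 POST /adfs/ls/ user=frank@corp-d.test status=401
2026-02-23T10:02:00Z 198.51.100.20 POST /adfs/ls/ user=grace@corp-a.test status=401
2026-02-23T10:02:30Z 198.51.100.20 POST /adfs/ls/ user=grace@corp-a.test status=200
2026-02-23T10:03:00Z 198.51.100.21 POST /healthz user=none status=200
"""


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["status"] = int(rec["status"])
        yield rec


def find_stuffing(text, window=timedelta(minutes=5), min_users=5, min_domains=2):
    """Flag source IPs that try many distinct usernames, spread over several email domains,
    against login endpoints within `window`. Returns {ip: summary} for the widest such window."""
    events = [e for e in parse(text) if e["path"].startswith(LOGIN_PATHS)]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            domains = {u.split("@", 1)[1] for u in users if "@" in u}
            if len(users) >= min_users and len(domains) >= min_domains:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "distinct_domains": len(domains),
                        # successful logins inside a stuffing burst are the accounts to reset first
                        "successes": sorted(e["user"] for e in win if e["status"] == 200),
                    }
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, summary in find_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The distinct-domain condition is what separates this from an ordinary password-spray alert: a single address authenticating as employees of several unrelated organizations is the signature of a purchased, domain-filtered credential package rather than a targeted guess against one tenant. Successful logins inside such a burst are the first accounts to reset and to review for session creation.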

The Log-to-Lead Pipeline: Identity as the New Perimeter

A critical aspect of this campaign is what researchers term the Log-to-Lead pipeline—an industrialized process that transforms raw infostealer infection data into corporate network access within days. When an employee’s device is infected, the malware silently extracts all browser-saved credentials, including SSO and ADFS master passwords. These logs are then aggregated, filtered by corporate domain, and sold to Initial Access Brokers on dark web marketplaces.

Attackers purchase these credential packages and systematically test them against corporate edge devices until they gain access. This method exploits the concept of functional equivalence, where devices like F5 BIG-IP are configured to accept the same master credentials used for Windows logins and internal portals. Thus, obtaining an ADFS password from an infostealer log can potentially unlock a VPN, SSO portal, or remote access gateway. In this scenario, the attacker isn’t exploiting a software flaw but is effectively using a stolen key to access the system, making identity the new perimeter.

Defensive Measures Against Infostealer-Driven Attacks

To mitigate this evolving threat, organizations should implement the following measures:

1. Enforce Phishing-Resistant Multi-Factor Authentication (MFA): Apply MFA across all edge devices and SSO portals so that a valid username and password alone are not sufficient to authenticate.

2. Monitor for Exposed Credentials: Utilize dark web and cybercrime intelligence feeds to detect and respond to compromised employee credentials before they can be exploited in credential stuffing campaigns.

3. Eliminate Password Reuse: Establish policies that prevent the reuse of passwords across internal systems to reduce the risk of widespread access if one set of credentials is compromised.

4. Enhance Endpoint Security: Deploy security controls capable of detecting and mitigating infostealer infections on employee devices, preventing harvested credentials from reaching dark web marketplaces.

5. Educate Employees: Train staff on the risks associated with saving passwords in browsers and promote the use of secure password management practices.
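Measures 2 and 3 above become concrete when a credential-intelligence feed is reconciled against the organization's own directory: an exposed account whose leaked password still verifies needs an immediate reset, while one that has already been rotated only needs a note. The block below is an added example for this article, not code from any vendor or feed provider. The feed records, the directory, the domain and the PBKDF2-based verifier are all constructed assumptions standing in for a real intelligence feed and a real identity provider.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # assumed work factor for the stand-in verifier

# Constructed infostealer-style feed records: (email, leaked plaintext password, infected host).
FEED = [
    ("alice@corp-a.test", "Winter2026!", "DESKTOP-A1"),
    ("bob@corp-a.test", "hunter2", "LAPTOP-B2"),
    ("zed@other.test", "pass123", "PC-Z9"),            # another organization's user
    ("alice@corp-a.test", "OldPass1", "DESKTOP-A1"),     # older log for the same account
    ("mallory@corp-a.test", "Spring2025", "WS-M3"),      # no such account in our directory
]


def make_verifier(password, salt=None):
    """Salted PBKDF2 verifier standing in for the identity provider's stored credential."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_matches(verifier, candidate):
    """Constant-time comparison of a candidate against a stored verifier."""
    salt, digest = verifier
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


ORG_DOMAIN = "corp-a.test"

# Constructed directory: alice still uses the leaked password, bob has already rotated.
DIRECTORY = {
    "alice@corp-a.test": make_verifier("Winter2026!"),
    "bob@corp-a.test": make_verifier("Rotated-Already-9"),
    "carol@corp-a.test": make_verifier("S0meth1ngElse"),
}


def triage_feed(feed, directory, org_domain):
    """Map each of our exposed accounts to an action:
    'reset_now'        leaked password still verifies (reuse of the stolen credential)
    'already_rotated'  account appears in the feed but the current password differs
    'unknown_account'  feed names an address in our domain that the directory lacks
    Infected host names are collected so endpoint teams can follow up (measure 4)."""
    findings = {}
    for email, leaked_pw, host in feed:
        if not email.lower().endswith("@" + org_domain):
            continue  # not our user; do not retain third-party credentials
        if email not in directory:
            entry = findings.setdefault(email, {"status": "unknown_account", "hosts": set()})
            entry["hosts"].add(host)
            continue
        entry = findings.setdefault(email, {"status": "already_rotated", "hosts": set()})
        entry["hosts"].add(host)
        # only ever escalate: one matching record is enough to require a reset
        if password_matches(directory[email], leaked_pw):
            entry["status"] = "reset_now"
    return findings


def overlap_rate(attempted_pairs, feed):
    """Fraction of (email, password) pairs seen in an attack that appear in the feed,
    the kind of figure the 54-of-70 comparison in the article expresses."""
    known = {(e, p) for e, p, _ in feed}
    attempted = set(attempted_pairs)
    if not attempted:
        return 0.0
    return len(attempted & known) / len(attempted)


if __name__ == "__main__":
    for email, finding in sorted(triage_feed(FEED, DIRECTORY, ORG_DOMAIN).items()):
        print(email, finding["status"], sorted(finding["hosts"]))
```

The verifier check is the important part: a feed hit on an account whose password has already changed is noise, whereas a hit on a password that still authenticates means the stolen key opens the door today. Running this against the real directory means querying the identity provider's own verification interface rather than copying hashes, but the triage logic is the same.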

By adopting these strategies, organizations can strengthen their defenses against the sophisticated tactics employed by cybercriminals leveraging infostealer malware to conduct large-scale brute-force attacks on corporate SSO gateways.