The shift from initial access via credential reuse to repurposing firewalls as persistent credential-harvesting nodes creates a compounding risk where compromised perimeter devices actively expand the attack surface. This self-feeding pipeline suggests defenders must treat any anomalous authentication success on a firewall not just as a breach, but as a potential indicator of an automated botnet expanding its foothold.