Introduction
A dangerous new cyberattack campaign has exposed how trusted enterprise management platforms can become powerful weapons in the hands of threat actors. Security researchers at Arctic Wolf
uncovered an active exploitation operation targeting organizations using Fortinet
FortiClient Endpoint Management Server (EMS). The attackers abused a critical vulnerability identified as CVE-2026-35616 to silently distribute a sophisticated credential-stealing malware named EKZ Infostealer across managed corporate endpoints.
What makes this campaign especially alarming is the method used. Instead of compromising endpoints individually, attackers hijacked the trusted administrative infrastructure itself. By abusing legitimate EMS workflows, they transformed enterprise security management into a malware delivery mechanism capable of infecting hundreds of systems simultaneously without raising immediate suspicion.
Vulnerability Opens the Door to Enterprise-Wide Compromise
The attack revolves around CVE-2026-35616, an improper access control vulnerability affecting FortiClient EMS. The flaw allows unauthenticated attackers to bypass API authentication using specially crafted HTTP requests. Once successful, attackers gain access to privileged EMS functions as though they were legitimate administrators.
The vulnerability was reportedly disclosed to Fortinet on March 31, 2026, after researchers observed active exploitation attempts in real-world environments. The flaw effectively handed attackers administrative-level influence over endpoint policies and remote access configurations.
Trusted EMS Features Turned Into Malware Delivery Channels
After gaining access, threat actors altered Remote Access Profile settings and endpoint policies within FortiClient EMS. They specifically abused the “on_connect” scripting functionality used by VPN tunnels.
This legitimate feature normally helps administrators automate actions whenever endpoints establish VPN connections. However, in this campaign, attackers weaponized the capability to distribute malicious scripts directly to managed devices.
As soon as endpoints initiated IPsec tunnels, FortiClient components automatically launched malicious CMD scripts stored inside Fortinet’s own VPN logging directory:
C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd
The attack chain appeared highly coordinated and stealthy because the malicious scripts executed through legitimate Fortinet processes. Victim machines therefore viewed the activity as trusted administrative automation instead of suspicious malware behavior.
PowerShell Payload Delivery Executed Silently
The malicious CMD files executed Base64-encoded PowerShell commands designed to fetch malware from an attacker-controlled server hosted at 83[.]138[.]53[.]110.
The downloaded executable was disguised as a legitimate update utility named FortiEndpoint_Patch.exe. Despite its convincing filename, the executable was actually the newly identified EKZ Infostealer.
Researchers observed the following execution chain during infections:
fortitray.exe → oripsec.exe → cmd.exe → powershell.exe → FortiEndpoint_Patch.exe
This sequence demonstrates how attackers carefully leveraged trusted Windows and Fortinet processes to minimize detection opportunities and blend malicious behavior into normal enterprise activity.
EKZ Infostealer Targets Browsers and Sensitive Data
EKZ Infostealer was compiled using MinGW and appears specifically engineered for credential harvesting operations. The malware focuses heavily on extracting sensitive browser data from Chromium-based and Gecko-based browsers.
Affected browsers include:
Google Chrome
Microsoft Edge
Mozilla Firefox
Other Chromium derivatives
Gecko-based browsers
For Chromium browsers, EKZ bypasses Chrome’s modern AES-256 v20 encryption protections using a highly advanced technique. The malware copies itself into the browser’s Application directory and abuses the Chromium Elevation Service through IElevator::DecryptData.
This method allows attackers to decrypt stored browser credentials without triggering standard security protections.
For Firefox-based browsers, the malware dynamically loads nss3.dll to extract data from:
key4.db
logins.json
cookies.sqlite
The malware collects passwords, autofill information, session cookies, saved addresses, and even credit card data.
Session Cookies Create Severe MFA Bypass Risks
One of the most dangerous aspects of this campaign is the theft of session cookies. Unlike passwords alone, session cookies may allow attackers to hijack authenticated sessions without needing to re-enter credentials or complete multi-factor authentication challenges.
This creates a serious risk for organizations relying heavily on cloud services and SaaS platforms protected by MFA. Attackers could potentially gain access to:
Microsoft 365 accounts
VPN portals
Internal enterprise dashboards
Cloud infrastructure platforms
Financial systems
Collaboration tools
The stolen data was reportedly written into a log.txt file located inside the ProgramData directory before being exfiltrated via HTTP POST requests to the attacker-controlled VPS infrastructure.
Indicators of Compromise Identified
Researchers identified several indicators associated with the campaign, including malicious IP addresses and payload hashes.
Known indicators include:
83[.]138[.]53[.]110 as the malware hosting server
185[.]220[.]101[.]15 identified as a Tor exit node
192[.]42[.]116[.]14 identified as another Tor exit node
FortiEndpoint_Patch.exe SHA-256 hash linked to EKZ Infostealer
hxxp://83.138.53[.]110/dl/p.exe as the payload delivery URL
The indicators were intentionally defanged to prevent accidental execution or hyperlink activation.
Recommended Mitigation Steps for Organizations
Organizations running vulnerable FortiClient EMS versions should immediately upgrade to patched releases provided by Fortinet.
Additional mitigation steps include:
Restrict EMS management port 8013 access to trusted IP ranges only
Audit Remote Access Profiles for unauthorized scripting modifications
Review endpoint policy changes for suspicious insertions
Hunt for the log entry: Certificate not found in request header
Monitor PowerShell activity spawned by Fortinet processes
Inspect outbound traffic to suspicious IP addresses
Isolate affected endpoints immediately if compromise is suspected
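The execution chain described above (fortitray.exe → oripsec.exe → cmd.exe → powershell.exe) and the "monitor PowerShell spawned by Fortinet processes" item can be turned into a concrete hunt. The following is an added example, not code from the article or from Arctic Wolf: it runs over constructed Sysmon-like process-creation events, flags powershell.exe whose ancestry runs through cmd.exe to a Fortinet process, notes whether a parent referenced the Trace\scripts directory, and decodes any -EncodedCommand argument (a harmless placeholder here) so an analyst can read what the script would have run.

```python
# Added example (not the article's or Arctic Wolf's code): hunt constructed
# Sysmon-like process events for the Fortinet -> cmd.exe -> powershell.exe chain.
import base64
import re

FORTINET_PARENTS = {"fortitray.exe", "oripsec.exe"}
TRACE_SCRIPTS = r"\forticlient\logs\trace\scripts"
# Constructed events; the encoded payload is a harmless placeholder, not the real script.
PLACEHOLDER = base64.b64encode("Write-Output 'placeholder'".encode("utf-16-le")).decode()
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe", "cmdline": "FortiTray.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Fortinet\FortiClient\oripsec.exe", "cmdline": "oripsec.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + PLACEHOLDER},
    {"pid": 600, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File admin.ps1"},  # benign: no Fortinet ancestry
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -e/-enc/-EncodedCommand, or None."""
    for m in re.finditer(r"-e[a-z]*\s+([A-Za-z0-9+/=]+)", cmdline, re.I):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except ValueError:  # e.g. "-ExecutionPolicy Bypass" is not base64
            continue
    return None

def hunt(events):
    """Flag powershell.exe whose ancestry runs through cmd.exe to a Fortinet process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        lineage, cur = [], by_pid.get(e["ppid"])
        while cur is not None:  # walk parent links upward, nearest first
            lineage.append(cur)
            cur = by_pid.get(cur["ppid"])
        chain = [basename(a["image"]) for a in lineage]
        if "cmd.exe" in chain and FORTINET_PARENTS & set(chain):
            findings.append({"pid": e["pid"], "chain": chain,
                             "decoded": decode_encoded_command(e["cmdline"]),
                             "trace_script": any(TRACE_SCRIPTS in a["cmdline"].lower() for a in lineage)})
    return findings
```

On a real host the EVENTS list would be replaced by Sysmon event ID 1 or Security 4688 records exported from the endpoint.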
Security teams should also review browser credential hygiene practices because the malware specifically targets locally stored passwords and session data.
Deep Analysis
Enterprise Management Platforms Are Becoming Prime Targets
This campaign highlights a growing trend in modern cyberattacks: compromising centralized management infrastructure instead of individual endpoints. Attackers increasingly recognize that enterprise tools like EMS, RMM platforms, and patch management systems already possess elevated trust and privileged access across networks.
By compromising one administrative layer, attackers can scale infections dramatically faster than traditional phishing or manual lateral movement campaigns.
Trusted Security Software Is Becoming a Double-Edged Sword
Security products inherently operate with high privileges. Endpoint management solutions, antivirus tools, and VPN clients often execute trusted scripts, install updates, and modify system configurations silently.
Threat actors understand this advantage. When they compromise these platforms, defenders face a difficult challenge because malicious behavior appears nearly identical to legitimate administrative actions.
This attack demonstrates how dangerous it becomes when enterprise trust chains are broken.
Abuse of Legitimate Features Is Increasing
The attackers did not rely on noisy exploit payloads or destructive ransomware deployment techniques. Instead, they abused legitimate EMS scripting functionality already built into the product.
This “living off trusted infrastructure” approach is becoming increasingly common because it significantly reduces detection rates. Many EDR systems focus on suspicious binaries but struggle when malware deployment occurs through approved enterprise management channels.
Browser Credential Theft Remains Extremely Valuable
Despite years of security awareness campaigns, browser-stored credentials continue to be one of the highest-value targets for attackers.
Modern browsers store:
Passwords
Session tokens
Payment information
Saved addresses
Authentication cookies
The ability to bypass Chromium encryption using elevation service abuse demonstrates how advanced infostealer malware has evolved beyond basic credential dumping.
Attackers no longer need kernel exploits when browser ecosystems themselves expose privileged decryption pathways.
Session Hijacking Is More Dangerous Than Password Theft
Passwords can be reset. Session cookies are often harder to detect after compromise.
Many organizations still underestimate the impact of stolen browser sessions. Attackers who steal active authentication cookies may bypass MFA entirely and operate inside trusted sessions without triggering login alerts.
This technique has become increasingly common among sophisticated cybercriminal groups targeting cloud environments.
Fortinet Infrastructure Continues to Attract Attackers
Fortinet products remain frequent targets because they are heavily deployed across enterprise networks worldwide. VPN appliances, EMS servers, and firewall infrastructure often sit at the center of corporate connectivity.
A vulnerability affecting centralized Fortinet management systems therefore provides enormous operational value for attackers seeking large-scale compromise opportunities.
PowerShell Remains a Favorite Post-Exploitation Tool
Even in 2026, PowerShell continues to appear in enterprise attack chains. Its flexibility, deep Windows integration, and administrative legitimacy make it extremely attractive for malicious automation.
Organizations that still lack strong PowerShell monitoring remain vulnerable to stealthy fileless execution techniques similar to those observed in this campaign.
The Campaign Shows Signs of Professional Development
EKZ Infostealer appears professionally engineered rather than opportunistic malware. The use of Chromium Elevation Service abuse, Firefox NSS extraction, Tor infrastructure, and stealth deployment through EMS strongly suggests experienced operators.
This level of sophistication indicates the malware may evolve further or become part of broader enterprise-focused intrusion campaigns in the near future.
Defensive Monitoring Must Evolve Beyond Malware Signatures
Traditional antivirus signatures alone are insufficient against attacks that abuse legitimate enterprise tooling.
Modern defenders need:
Behavioral analytics
Script execution monitoring
Administrative workflow auditing
Session anomaly detection
Browser credential protection policies
Security visibility into endpoint management platforms themselves is now just as important as visibility into endpoints.
Commands and Codes Related to
PowerShell process monitoring:
Get-WinEvent -LogName Security | Where-Object { $_.Message -match 'powershell' }
Check suspicious Fortinet script directories:
dir "C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts"
Detect suspicious outbound connections:
netstat -ano
Hunt for EMS exploitation indicators:
Select-String -Path *.log -Pattern "Certificate not found in request header"
Block malicious IP temporarily via Windows Firewall:
New-NetFirewallRule -DisplayName "Block EKZ IOC" -Direction Outbound -RemoteAddress 83.138.53.110 -Action Block
What Undercode Say: Centralized Endpoint Management Is Now a High-Risk Attack Surface
The FortiClient EMS exploitation campaign is another reminder that centralized management systems have become some of the most attractive targets in enterprise environments. Attackers no longer need to compromise endpoints one by one when they can abuse trusted infrastructure that already controls thousands of devices simultaneously.
This fundamentally changes the threat landscape.
Silent Enterprise-Wide Malware Deployment Is a Nightmare Scenario
Traditional malware outbreaks usually leave traces during lateral movement, privilege escalation, or phishing operations. In this case, the attackers used the organization’s own endpoint management platform to distribute malware automatically.
That creates a nightmare scenario for defenders because infected endpoints may interpret malicious activity as legitimate administrative tasks.
Security Products Require Security Oversight Too
Many organizations trust endpoint management systems implicitly and rarely audit policy changes or automation workflows in detail. This campaign proves that even security software itself requires continuous monitoring and strict access controls.
Defensive teams should treat EMS platforms with the same sensitivity as domain controllers or identity infrastructure.
Browser Data Has Become More Valuable Than Files
Infostealers are increasingly prioritizing browser data over traditional document theft. Session cookies, autofill data, authentication tokens, and saved passwords can provide attackers with immediate operational access to cloud services.
In many cases, stealing browser sessions is faster and more profitable than deploying ransomware.
Cloud Security Depends on Endpoint Integrity
Many enterprises focus heavily on cloud-side protections but overlook the reality that authenticated cloud sessions originate from endpoints.
If endpoints are compromised, even advanced cloud security models become vulnerable. Session hijacking completely undermines MFA protections when attackers inherit already-authenticated sessions.
Threat Actors Are Becoming More Operationally Efficient
The attack chain used in this campaign reflects operational maturity. Instead of noisy ransomware deployment or destructive payloads, the attackers prioritized stealth, scalability, and credential harvesting.
That approach aligns with financially motivated threat groups seeking long-term access rather than immediate disruption.
Fortinet Administrators Should Review EMS Configurations Immediately
Organizations using FortiClient EMS should urgently review scripting configurations, remote access policies, and administrative logs. Even environments that appear stable may already contain malicious policy modifications waiting to execute.
Living-Off-The-Land Techniques Continue to Expand
Attackers increasingly rely on trusted enterprise binaries and legitimate workflows to avoid detection. This trend will likely continue growing as EDR technologies become better at identifying standalone malware binaries.
Future attacks may abuse automation systems even more aggressively.
Browser Encryption Is Not a Complete Defense
Many administrators assume browser-stored credentials are safe because modern browsers encrypt them locally. However, advanced malware continues finding methods to access decryption APIs legitimately through operating system services.
Security teams should reduce dependency on browser-based password storage whenever possible.
Detection Engineering Must Include Administrative Workflow Monitoring
This campaign demonstrates why defenders need monitoring strategies focused on configuration changes, policy updates, and unusual administrative actions.
Watching only for malware binaries is no longer enough.
Fact Checker Results
✅ Arctic Wolf reportedly identified active exploitation of CVE-2026-35616 targeting FortiClient EMS infrastructures.
✅ EKZ Infostealer was described as targeting Chromium and Firefox-based browser credential stores using advanced extraction methods.
❌ There is currently no public evidence confirming how many organizations were ultimately compromised during the campaign.
Prediction
🔮 Enterprise management platforms will become one of the most targeted attack surfaces over the next few years as attackers pursue scalable compromise methods.
🔮 Future infostealers will increasingly focus on session hijacking and cloud authentication token theft instead of relying only on password extraction.
🔮 Security vendors will likely introduce stricter policy auditing and script execution controls inside endpoint management platforms following incidents like this one.
References:
Reported By: cyberpress.org