
FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

Threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient EMS, to deploy a novel credential stealer named EKZ Infostealer to managed endpoints. The attackers abused legitimate VPN scripting workflows to execute malicious PowerShell commands that downloaded the stealer, which subsequently harvested browser credentials and exfiltrated them to a threat-actor-controlled server.

Sens: Immediate | Conf: high | Analyzed: 2026-05-27

Authors: Arctic Wolf Labs

Actors: EKZ Infostealer

Source: Arctic Wolf

IOCs · 13


What Happened

Cybercriminals exploited a security flaw in Fortinet's FortiClient Endpoint Management Server (EMS) to secretly install password-stealing software on employee computers. The attackers disguised their malicious program as a legitimate Fortinet software update, allowing them to steal saved passwords, cookies, and autofill data from web browsers like Chrome and Firefox. This stolen information could lead to further unauthorized access to company systems. Organizations using FortiClient EMS should immediately update to a fixed version and restrict access to the management interface.

Key Takeaways

  • Threat actors exploited CVE-2026-35616 in FortiClient EMS to push malicious scripts to managed endpoints via trusted management channels.
  • The campaign delivered a novel credential stealer named EKZ Infostealer, disguised as a Fortinet patch.
  • EKZ Infostealer extracts credentials from Chromium and Firefox browsers, using techniques to bypass Chromium's AES-256 master key encryption.
  • The malware stages harvested data in a local text file before a PowerShell script exfiltrates it via HTTP POST and deletes the local artifacts.

Affected Systems

  • FortiClient EMS
  • Windows endpoints managed by FortiClient
  • Chromium-based browsers (Chrome, Edge)
  • Firefox/Gecko-based browsers

Vulnerabilities (CVEs)

  • CVE-2026-35616

Attack Chain

Threat actors exploit CVE-2026-35616 to bypass authentication on FortiClient EMS and modify the Remote Access Profile. When managed endpoints establish a VPN connection, the modified profile triggers fortitray.exe or ipsec.exe to launch a .cmd script. This script executes a base64-encoded PowerShell command that downloads the EKZ Infostealer payload (FortiEndpoint_Patch.exe) from a remote server. The stealer harvests browser credentials into a local text file, which the PowerShell script then exfiltrates via HTTP POST before deleting the local artifacts.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides behavioral detection guidance and IOCs, but does not include ready-to-use detection rules.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions should easily capture the suspicious process lineage (fortitray.exe -> cmd.exe -> powershell.exe), file drops in C:\ProgramData, and network connections made by PowerShell.
  • Network Visibility: Medium — Network sensors can detect the HTTP GET and POST requests to the hardcoded IP address, but the initial EMS exploitation might be encrypted or blend with legitimate management traffic.
  • Detection Difficulty: Moderate — While the process lineage and hardcoded IPs are highly anomalous and easy to detect, the initial exploitation leverages trusted management channels, which might bypass some perimeter defenses.

Required Log Sources

  • EDR Process Execution Logs
  • FortiClient EMS Audit Logs
  • Network Proxy/Firewall Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Consider hunting for cmd.exe or powershell.exe spawned as child processes of fortitray.exe or ipsec.exe. | EDR Process Execution Logs | Execution | Low
Consider hunting for PowerShell scripts reading files named log.txt from C:\ProgramData and subsequently making HTTP POST requests. | EDR Process Execution Logs, Network Logs | Exfiltration | Low
If you have visibility into FortiClient EMS logs, consider hunting for the string 'Certificate not found in request header' followed closely by successful update messages. | FortiClient EMS Application Logs | Initial Access | Medium

Control Gaps

  • Lack of network segmentation for EMS management ports
  • Implicit trust in endpoint management software execution

Key Behavioral Indicators

  • Process tree: fortitray.exe -> cmd.exe -> powershell.exe
  • Creation and rapid deletion of executable and text files in C:\ProgramData
  • Direct IP HTTP connections from PowerShell
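The first hunting hypothesis (shells spawned under fortitray.exe or ipsec.exe) and the "direct IP HTTP connections from PowerShell" indicator above, as an added hunting script over a generic EDR export. This is example code, not Arctic Wolf's or Fortinet's; the event schema, PIDs and the sample telemetry are constructed for illustration.

```python
"""Hunt for the FortiClient -> cmd.exe -> powershell.exe lineage and PowerShell direct-IP URLs."""
import ipaddress
from urllib.parse import urlparse

# Constructed sample telemetry (hypothetical schema): one record per process start or
# network connection, as a generic EDR export might provide it. Not real incident data.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "fortitray.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c vpn_hook.cmd"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -enc <base64-blob>"},
    {"type": "network", "pid": 300, "image": "powershell.exe", "url": "http://203.0.113.10/log"},
    {"type": "process", "pid": 400, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "pid": 500, "ppid": 400, "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
    {"type": "network", "pid": 500, "image": "powershell.exe", "url": "https://www.powershellgallery.com/api/v2"},
]

FORTI_PARENTS = {"fortitray.exe", "ipsec.exe"}   # FortiClient components named in the report
SHELLS = {"cmd.exe", "powershell.exe"}

def process_ancestry(events, pid):
    """Return image names from pid up to the root (child first); stops on unknown or cyclic ppid."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def hunt_forticlient_children(events):
    """Hypothesis 1: any cmd.exe/powershell.exe with a FortiClient component anywhere above it."""
    hits = []
    for e in events:
        if e["type"] == "process" and e["image"].lower() in SHELLS:
            chain = process_ancestry(events, e["pid"])
            if FORTI_PARENTS & set(chain[1:]):           # exclude the process itself
                hits.append((e["pid"], " -> ".join(reversed(chain))))
    return hits

def is_direct_ip_url(url):
    """True when the URL host is a literal IP address rather than a hostname."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hunt_powershell_direct_ip(events):
    """Behavioral indicator: PowerShell making HTTP(S) requests straight to an IP literal."""
    return [(e["pid"], e["url"]) for e in events
            if e["type"] == "network" and e["image"].lower() == "powershell.exe"
            and is_direct_ip_url(e["url"])]
```

Correlating the two result sets on PID (300 in the sample) reproduces the full chain the report describes, while the unrelated PowerShell session under explorer.exe is left alone.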

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • If applicable, upgrade FortiClient EMS deployments to a fixed version that addresses CVE-2026-35616.
  • Consider reviewing FortiClient EMS audit logs for unauthorized configuration changes, particularly to Remote Access Profiles.

Infrastructure Hardening

  • Evaluate whether network access to the FortiClient EMS management port (8013) can be restricted to trusted IP ranges only.
  • Consider implementing network segmentation to isolate management infrastructure from general user networks.

User Protection

  • If your EDR supports it, consider implementing rules to block or alert on suspicious child processes spawned by FortiClient components.
  • Evaluate whether session lifetimes for critical applications can be reduced to mitigate the risk of stolen cookie reuse.

Security Awareness

  • Consider educating administrators on the risks of management plane compromise and the importance of monitoring administrative audit logs.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1074.001 - Data Staged: Local Data Staging
  • T1070.004 - Indicator Removal: File Deletion

Additional IOCs

  • IPs:
    • 185[.]220[.]101[.]15 - Tor exit node used for malicious EMS login.
    • 192[.]42[.]116[.]14 - Tor exit node used for malicious EMS login.
  • File Hashes:
    • 17e771c78430cc67e71d4547f8996a1a488e9d3f (sha1) - EKZ Infostealer executable.
    • 338662fd0c4d750a0ba203a32b59f081 (md5) - EKZ Infostealer executable.
    • d91c00fad521e76efa89715cca89db487d5676f2c767c883482f9c8f82bd383a (sha256) - FortiEndpoint_Patch.2.4.9.zip hosted on attacker C2.
    • fd65051c61a904a304919c04a8c8633c001183ac73ac461cd4d9057946f02bf5 (sha256) - FortiEndpoint_Patch.2.4.9.msi hosted on attacker C2.
    • 2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2 (sha256) - fil_api_ms_win_crt_apibase_l1_1_0.dll hosted on attacker C2.
    • 2f25ea1b622abf3212141af932c2ec4cbd6b2b5903c2a531121f691227d98cff (sha256) - Microsoftr Windowsr Operating System-Installer.exe hosted on attacker C2.
  • File Paths:
    • C:\ProgramData\FortiEndpoint_Patch.exe - Dropped EKZ Infostealer payload.
    • C:\ProgramData\log.txt - Staged credential log file before exfiltration.
  • Command Lines:
    • Purpose: Download and execute payload, then exfiltrate data | Tools: powershell.exe, cmd.exe | Stage: Execution and Exfiltration | Start-Process -WindowStyle Hidden $Out