A recent phishing attack aimed at FortiClient Endpoint Management Server (EMS) has used trusted admin systems to quietly install a new password thief on company devices.
In May 2026, Arctic Wolf researchers observed threat actors exploiting CVE-2026-35616, a FortiClient EMS flaw that allows improper access.
Attackers Abused FortiClient’s Own Infrastructure
After the attackers got into the EMS settings, they changed the Remote Access Profile and endpoint rules to add harmful scripts that targeted all managed devices.
FortiClient EMS legitimately allows on_connect commands to run scripts when a VPN tunnel is established; the attackers abused this built-in feature.
Once affected endpoints connected via an IPsec tunnel, fortitray.exe launched .cmd script files with GUID-based filenames stored within FortiClient’s standard VPN logging path:
C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd
These scripts decoded and executed a base64-encoded PowerShell payload that downloaded the malicious executable, ran it silently, waited 90 seconds, and exfiltrated output via HTTP POST to a threat-actor-controlled VPS at 83[.]138.53[.]110.
The observed process lineage was:
fortitray.exe or ipsec.exe → cmd.exe → powershell.exe → FortiEndpoint_Patch.exe
Initial exploitation was also linked to login events from multiple Tor exit node IPs, including 185[.]220.101.15 and 192[.]42.116.14, within hours of the API authentication bypass.
EKZ Infostealer – Credential Harvesting Tool
The downloaded file, disguised as FortiEndpoint_Patch.exe, is a MinGW-compiled Windows executable. Arctic Wolf tracks it as EKZ Infostealer, named after symbols found in its code. It was first observed in May 2026 and had not been documented before.
EKZ targets both Chromium-based browsers (such as Chrome and Edge) and Gecko-based browsers (such as Firefox, LibreWolf, and Thunderbird). For Chromium browsers, it locates the installation path in the registry, copies itself into the browser’s Application\ folder to satisfy a check, and calls IElevator::DecryptData to obtain the v20 AES-256 master key used to decrypt the account databases.
Indicators of Compromise
| Indicator | Type | Description |
|---|---|---|
| 83[.]138.53[.]110 | IP Address | Threat-actor-controlled C2/payload host |
| 185[.]220.101.15 | IP Address | Tor exit node used for login |
| 192[.]42.116.14 | IP Address | Tor exit node used for login |
| 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e | SHA-256 | EKZ Infostealer (FortiEndpoint_Patch.exe) |
| FortiEndpoint_Patch.exe / p.exe | Filename | Malicious credential stealer binary |
| hxxp[:]//83.138.53[.]110/dl/p.exe | URL | Payload delivery URL |
Mitigations
Patch immediately — Upgrade FortiClient EMS to a fixed version addressing CVE-2026-35616
Restrict management port access — Limit network access to EMS port 8013 to trusted IP ranges only
Audit VPN script configurations — Review on_connect and script directives within Remote Access Profiles for unauthorized entries
Hunt for IOCs — Search endpoint logs for GUID-named .cmd files in FortiClient’s logs\Trace\scripts\ path and anomalous fortitray.exe process chains
Rotate browser credentials — Treat all credentials and session cookies on managed endpoints as potentially compromised
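As an added example (not code from the Arctic Wolf report or this article), the following Python hunt runs over constructed Sysmon-style process-creation events and flags the lineage and GUID-named script path described above; the event field names and all sample values are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "cmdline": "FortiTray.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts'
                r'\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}.cmd"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand aQBlAHgAIAAoAC4ALgAuACkA"},
    # Benign chain for contrast: explorer -> cmd -> powershell running a plain script file.
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\build.cmd"'},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File deploy.ps1"},
]

# GUID-named .cmd inside FortiClient's VPN trace script directory (the path from the report).
GUID_SCRIPT_RE = re.compile(
    r"\\FortiClient\\logs\\Trace\\scripts\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.cmd",
    re.I)
ENCODED_RE = re.compile(r"(^|\s)-e(nc(odedcommand)?)?\b", re.I)
VPN_PARENTS = {"fortitray.exe", "ipsec.exe"}  # parents named in the observed lineage

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return {pid: [reasons]} for powershell.exe processes matching the reported lineage."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        reasons = []
        if parent and basename(parent["image"]) == "cmd.exe" and grand \
                and basename(grand["image"]) in VPN_PARENTS:
            reasons.append("chain: %s -> cmd.exe -> powershell.exe" % basename(grand["image"]))
        if parent and GUID_SCRIPT_RE.search(parent["cmdline"]):
            reasons.append("guid-named .cmd in FortiClient Trace\\scripts")
        # An encoded command alone is weak evidence; report it only beside a stronger signal.
        if reasons and ENCODED_RE.search(e["cmdline"]):
            reasons.append("encoded PowerShell command line")
        if reasons:
            findings[e["pid"]] = reasons
    return findings

if __name__ == "__main__":
    for pid, why in hunt(SAMPLE_EVENTS).items():
        print(pid, "; ".join(why))
```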
Organizations using FortiClient EMS should treat this as an urgent issue: a single compromised EMS server can affect every endpoint it manages.
