FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

In May 2026, threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient Endpoint Management Server (EMS), to bypass API authentication and execute privileged requests without credentials. Attackers leveraged trusted endpoint management infrastructure to push malicious PowerShell scripts disguised as legitimate Fortinet patches across managed endpoints. The campaign deployed EKZ Infostealer, a credential-stealing tool targeting Chrome, Firefox, and other browser credentials. The stealer extracts passwords, cookies, and autofill data, staging results locally before exfiltration via HTTP to threat-actor-controlled infrastructure. Threat actors accessed systems through Tor exit nodes, modified VPN configurations to enable script execution, and used FortiClient's own management pathways to distribute payloads fleet-wide without requiring individual endpoint compromises.

Pulse ID: 6a185cd579d639bcc6ece4ac
Pulse Link: https://otx.alienvault.com/pulse/6a185cd579d639bcc6ece4ac
Pulse Author: AlienVault
Created: 2026-05-28 15:18:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Chrome #Cookies #CyberSecurity #Endpoint #FireFox #HTTP #InfoSec #InfoStealer #OTX #OpenThreatExchange #Password #Passwords #PowerShell #RAT #Rust #ScriptExecution #Troll #VPN #Vulnerability #Word #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

AI-Generated Malware Exposes Operator's GitHub Token

A malicious npm package, disguised as a harmless sync utility called "mouse5212-super-formatter", was downloaded 676 times before it was caught stealing sensitive data and exposing its creator's GitHub token. This AI-generated malware cleverly hid its true intentions, uploading stolen files to a fake repository and covering its tracks.

https://osintsights.com/ai-generated-malware-exposes-operators-github-token?utm_source=mastodon&utm_medium=social

#AigeneratedMalware #Github #Infostealer #MalwareOperations #Npm


Credential Stealer EKZ Delivered via FortiClient EMS Exploitation

Attackers exploited CVE-2026-35616 in FortiClient EMS. Threat actors changed EMS settings and pushed a malicious VPN script to endpoints. The script downloaded EKZ Infostealer, disguised as a Fortinet patch. The malware steals browser passwords, cookies, and autofill data.

Pulse ID: 6a1879e13827c581e8b73eb4
Pulse Link: https://otx.alienvault.com/pulse/6a1879e13827c581e8b73eb4
Pulse Author: cryptocti
Created: 2026-05-28 17:22:41


#Browser #Cookies #CyberSecurity #Endpoint #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Password #Passwords #VPN #Word #bot #cryptocti


Credential Stealer EKZ Delivered via FortiClient EMS Exploitation

Attackers exploited CVE-2026-35616 in FortiClient EMS. Threat actors changed EMS settings and pushed a malicious VPN script to endpoints. The script downloaded EKZ Infostealer, disguised as a Fortinet patch. The malware steals browser passwords, cookies, and autofill data.

Pulse ID: 6a1879e2d85be08873d89445
Pulse Link: https://otx.alienvault.com/pulse/6a1879e2d85be08873d89445
Pulse Author: cryptocti
Created: 2026-05-28 17:22:42


#Browser #Cookies #CyberSecurity #Endpoint #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Password #Passwords #VPN #Word #bot #cryptocti


Credential Stealer EKZ Delivered via FortiClient EMS Exploitation

Attackers exploited CVE-2026-35616 in FortiClient EMS. Threat actors changed EMS settings and pushed a malicious VPN script to endpoints. The script downloaded EKZ Infostealer, disguised as a Fortinet patch. The malware steals browser passwords, cookies, and autofill data.

Pulse ID: 6a1879e15c8f2d2d2cf72b60
Pulse Link: https://otx.alienvault.com/pulse/6a1879e15c8f2d2d2cf72b60
Pulse Author: cryptocti
Created: 2026-05-28 17:22:41


#Browser #Cookies #CyberSecurity #Endpoint #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Password #Passwords #VPN #Word #bot #cryptocti


Credential Stealer EKZ Delivered via FortiClient EMS Exploitation

Attackers exploited CVE-2026-35616 in FortiClient EMS. Threat actors changed EMS settings and pushed a malicious VPN script to endpoints. The script downloaded EKZ Infostealer, disguised as a Fortinet patch. The malware steals browser passwords, cookies, and autofill data.

Pulse ID: 6a187a5035303b62f8e49196
Pulse Link: https://otx.alienvault.com/pulse/6a187a5035303b62f8e49196
Pulse Author: cryptocti
Created: 2026-05-28 17:24:32


#Browser #Cookies #CyberSecurity #Endpoint #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Password #Passwords #VPN #Word #bot #cryptocti


Credential Stealer EKZ Delivered via FortiClient EMS Exploitation

Attackers exploited CVE-2026-35616 in FortiClient EMS. Threat actors changed EMS settings and pushed a malicious VPN script to endpoints. The script downloaded EKZ Infostealer, disguised as a Fortinet patch. The malware steals browser passwords, cookies, and autofill data.

Pulse ID: 6a187acb35f351993fe5e76b
Pulse Link: https://otx.alienvault.com/pulse/6a187acb35f351993fe5e76b
Pulse Author: cryptocti
Created: 2026-05-28 17:26:35


#Browser #Cookies #CyberSecurity #Endpoint #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Password #Passwords #VPN #Word #bot #cryptocti


A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (a Python-based infostealer and RAT) and MINIRAT (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.

Pulse ID: 6a181e409d755171f4ac356c
Pulse Link: https://otx.alienvault.com/pulse/6a181e409d755171f4ac356c
Pulse Author: AlienVault
Created: 2026-05-28 10:51:44


#BackDoor #Browser #Cloud #CredentialHarvesting #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #LinkedIn #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #Password #Python #RAT #SocialEngineering #SupplyChain #Trojan #VPN #Word #bot #cryptocurrency #AlienVault


FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf

What do you need to know about security operations and how to get them in the best possible position to protect your business from cyber attacks and breaches, and what can you learn about this new platform?

Pulse ID: 6a1857d605f28d9d9d177943
Pulse Link: https://otx.alienvault.com/pulse/6a1857d605f28d9d9d177943
Pulse Author: CyberHunter_NL
Created: 2026-05-28 14:57:26


#CyberAttack #CyberAttacks #CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #RAT #bot #CyberHunter_NL


FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf

What do you need to know about security operations and how to get them in the best possible position to protect your business from cyber attacks and breaches, and what can you learn about this new platform?

Pulse ID: 6a1857d668a9adf54a546ab7
Pulse Link: https://otx.alienvault.com/pulse/6a1857d668a9adf54a546ab7
Pulse Author: CyberHunter_NL
Created: 2026-05-28 14:57:26


#CyberAttack #CyberAttacks #CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #RAT #bot #CyberHunter_NL
