EKZ Infostealer
EKZ Infostealer is a previously undocumented Windows browser credential stealer first observed by Arctic Wolf in May 2026. In the reported campaign, threat actors exploited CVE-2026-35616, an improper access control/authentication bypass vulnerability in FortiClient Enterprise Management Server (EMS), to abuse FortiClient-managed VPN scripting and endpoint management workflows and push the malware to managed endpoints. The payload was disguised as a Fortinet update, commonly delivered as FortiEndpoint_Patch.exe, and executed via a process chain involving fortitray.exe or ipsec.exe spawning cmd.exe, then powershell.exe, which launched the stealer. The PowerShell stage downloaded the payload from attacker-controlled infrastructure at 83.138.53.110, including hxxp://83.138.53[.]110/dl/p.exe, executed it silently, waited, and exfiltrated collected data over HTTP POST. Arctic Wolf identified the malware as a MinGW-compiled 64-bit PE32+ Windows binary and reported SHA-256 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e for the payload.
The malware targets Chromium- and Gecko-based applications. Reported targets include Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Firefox, Thunderbird, Tor Browser, LibreWolf, Pale Moon, and related Chromium/Firefox-family software. It harvests saved passwords, session cookies, and autofill data, including credit card details, addresses, and phone numbers. For Chromium browsers, it locates installations via the Windows registry, reads the Local State file, copies itself into the browser Application directory to satisfy Elevation Service path validation, and uses IElevator::DecryptData to recover the Chromium v20 AES-256 master key and decrypt browser SQLite credential stores. For Firefox and other Gecko-family applications, it loads nss3.dll and extracts data from key4.db, logins.json, and cookies.sqlite. Arctic Wolf reported that the malware does not exfiltrate on its own: it writes harvested data to log.txt in C:\ProgramData, and the surrounding PowerShell script then sends the staged data over HTTP.
The campaign specifically targeted systems managed by FortiClient EMS, meaning a single EMS compromise could expose an entire managed endpoint fleet. High-confidence indicators and related artifacts mentioned in the reporting include the payload name FortiEndpoint_Patch.exe, staged file C:\ProgramData\log.txt, malicious script path C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts{GUID}.cmd, attacker VPS 83.138.53[.]110, observed Tor-linked source IPs 185.220.101.15 and 192.42.116.14, and suspicious EMS log entries such as "Certificate not found in request header" followed by certificate update events referencing "fortinet-ca2." Additional malicious files recovered from the same infrastructure included FortiEndpoint_Patch.2.4.9.zip, FortiEndpoint_Patch.2.4.9.msi, fil_api_ms_win_crt_apibase_l1_1_0.dll, and "Microsoftr Windowsr Operating System-Installer.exe."
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
The attacks leverage CVE-2026-35616, an authentication bypass flaw in FortiClient EMS that enables unauthenticated remote attackers to execute arbitrary commands or code through specially crafted requests. The vulnerability stems from improper access control mechanisms and has been actively exploited in the wild.
Cybersecurity researchers have uncovered active attacks exploiting a critical vulnerability in FortiClient Enterprise Management Server (EMS) to distribute a previously undocumented credential-stealing malware known as EKZ Infostealer.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (4 techniques)
“The [malicious] payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows,” Arctic Wolf researchers noted.
These scripts then execute a Base64-encoded PowerShell payload that downloads malware disguised as a Fortinet software update.
Once an endpoint establishes an IPsec connection with a FortiGate firewall, the legitimate FortiClient process, fortitray.exe, launches malicious batch scripts through Command Prompt.
A critical FortiClient Endpoint Management Server (EMS) vulnerability patched in April has been exploited in fresh attacks to deploy information-stealing malware... The flaw, tracked as CVE-2026-35616... can be exploited remotely via crafted requests for remote code execution (RCE) and does not require authentication.
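The process chain described above (a FortiClient binary spawning cmd.exe, which spawns the PowerShell stage) is the most concrete endpoint signal in the reporting. The following is an added detection example, not Arctic Wolf's or Mallory's code; the event shape (pid, ppid, image, cmdline) is assumed, and the sample events are constructed.

```python
"""Detection check for the reported FortiClient -> cmd.exe -> powershell.exe
chain. Added example with an assumed event shape and constructed sample data."""
import re

# Parent images named in the reporting.
FORTI_PARENTS = {"fortitray.exe", "ipsec.exe"}
# Command-line strings from the reporting (payload name, staging file, script
# drop directory) plus a generic encoded-PowerShell check.
SUSPICIOUS_CMDLINE = [
    re.compile(r"fortiendpoint_patch", re.I),
    re.compile(r"\\programdata\\log\.txt", re.I),
    re.compile(r"\\forticlient\\logs\\trace\\scripts", re.I),
    re.compile(r"-(enc|encodedcommand)\b", re.I),
]

def find_chains(events):
    """events: dicts with pid, ppid, image, cmdline (assumed shape).
    Returns one finding per powershell.exe whose ancestry is
    {fortitray,ipsec}.exe -> cmd.exe -> powershell.exe."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ps in events:
        if ps["image"].lower() != "powershell.exe":
            continue
        cmd = by_pid.get(ps["ppid"])
        if not cmd or cmd["image"].lower() != "cmd.exe":
            continue
        forti = by_pid.get(cmd["ppid"])
        if not forti or forti["image"].lower() not in FORTI_PARENTS:
            continue
        # Match indicators against the command lines of the whole chain.
        joined = " ".join(p["cmdline"] for p in (forti, cmd, ps))
        hits = [p.pattern for p in SUSPICIOUS_CMDLINE if p.search(joined)]
        findings.append({"pid": ps["pid"],
                         "chain": f"{forti['image']} -> cmd.exe -> powershell.exe",
                         "cmdline_hits": hits})
    return findings

# Constructed sample events, not real telemetry: the first chain mirrors the
# reported one, the second is a chain under explorer.exe that must not fire.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "fortitray.exe", "cmdline": "fortitray.exe"},
    {"pid": 101, "ppid": 100, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts{GUID}.cmd"'},
    {"pid": 102, "ppid": 101, "image": "powershell.exe", "cmdline": "powershell.exe -enc QUJD"},
    {"pid": 200, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 202, "ppid": 201, "image": "powershell.exe", "cmdline": "powershell.exe -enc QUJD"},
]
```

Running `find_chains(SAMPLE_EVENTS)` flags only pid 102, with the script-directory and encoded-command patterns as hits; the explorer.exe chain is ignored even though its PowerShell command line is identical.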
Persistence (3 techniques)
According to the company, attackers begin by abusing endpoint APIs to carry out administrative actions without requiring authentication.
After gaining access, the attackers alter EMS configurations and VPN policies to enable the execution of malicious scripts.
One indication of an exploitation attempt in attacks delivering the EKZ infostealer is the presence in the logs of the line "Certificate not found in request header." In lab tests, the error was followed in seconds by another entry: Certificate user: fortinet-ca2 … successfully updated
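The two-entry EMS log sequence quoted above lends itself to a simple time-window correlation. The following is an added example, not code from the reporting or from Mallory; the log line layout (ISO timestamp, a space, then the message) is an assumption, not the real FortiClient EMS format, and the sample log is constructed.

```python
"""Correlation check for the EMS log sequence quoted above. Added example; the
'<ISO timestamp> <message>' layout is assumed, not the real EMS log format."""
from datetime import datetime, timedelta

MISSING_CERT = "Certificate not found in request header"
CERT_UPDATED = ("Certificate user: fortinet-ca2", "successfully updated")

def parse_line(line):
    """Split an assumed '<ISO timestamp> <message>' line."""
    ts, _, msg = line.partition(" ")
    return datetime.fromisoformat(ts), msg.strip()

def correlate(lines, window_s=10):
    """Return (error_ts, update_ts) pairs where a fortinet-ca2 certificate
    update follows a missing-certificate error within window_s seconds,
    the sequence the reporting above associates with exploitation."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    pending = []   # unmatched missing-certificate errors
    hits = []
    for ts, msg in events:
        if MISSING_CERT in msg:
            pending.append(ts)
        elif all(s in msg for s in CERT_UPDATED):
            recent = [p for p in pending
                      if timedelta(0) <= ts - p <= timedelta(seconds=window_s)]
            if recent:
                hits.append((recent[-1], ts))
                pending = [p for p in pending if p not in recent]
    return hits

# Constructed sample log, not real EMS output: one matching pair, then an
# isolated update and an isolated error that must not pair up.
SAMPLE_LOG = """\
2026-05-02T09:14:03 Certificate not found in request header
2026-05-02T09:14:06 Certificate user: fortinet-ca2 ... successfully updated
2026-05-02T11:30:00 Certificate user: fortinet-ca2 ... successfully updated
2026-05-02T12:00:00 Certificate not found in request header
"""

if __name__ == "__main__":
    for err, upd in correlate(SAMPLE_LOG.splitlines()):
        print(f"suspicious: error at {err} followed by certificate update at {upd}")
```

A routine certificate update that is not preceded by the error within the window produces no hit, which keeps the check from firing on normal certificate rotation.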
Privilege Escalation (2 techniques)
Stealth (5 techniques)
Threat actors reportedly disguised the malware as a legitimate Fortinet endpoint update and delivered it through VPN scripting workflows managed by FortiClient.
executed it silently, and exfiltrated harvested browser data before removing local artifacts.
Defense Impairment (2 techniques)
Credential Access (3 techniques)
Among the targeted data are login credentials, credit card information, addresses, phone numbers, and browser cookies. By stealing cookies, attackers may gain access to accounts protected by multi-factor authentication without needing the user's credentials.
The malware, tracked as EKZ Infostealer, is designed to harvest sensitive information from both Chromium-based and Firefox browsers. It extracts stored browser data into text files and is capable of bypassing encrypted password protections.
Discovery (1 technique)
Command and Control (2 techniques)
Exfiltration (3 techniques)
Harvested data, including saved passwords, session cookies, and autofill entries like credit card details, is written to a log.txt in ProgramData, then exfiltrated on a timed schedule.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A previously undocumented credential-stealing malware delivered via exploited FortiClient EMS VPN scripting workflows. It harvests sensitive information from Chromium-based and Firefox browsers, including login credentials, credit card data, addresses, phone numbers, and browser cookies, exfiltrating the collected data over HTTP to an attacker-controlled VPS.
Credential-stealing malware delivered via exploitation of FortiClient Endpoint Management Server (EMS) vulnerability CVE-2026-35616.
A Windows credential-stealing malware delivered via malicious FortiClient EMS update workflows. It harvests session cookies, credentials, and autofill data from Chromium- and Gecko-based browsers and related software.
Credential-stealing malware delivered as a fake Fortinet patch. It collects browser credentials, stores them in log files, and exfiltrates the stolen data over HTTP.