A dangerous new cyber assault is currently targeting corporate infrastructure networks. Specifically, security researchers have uncovered a sophisticated FortiClient EMS exploitation campaign. Analysts at Arctic Wolf observed threat actors actively weaponizing a critical vulnerability tracked as CVE-2026-35616. This malicious activity specifically impacts FortiClient Endpoint Management Server (EMS) systems. Consequently, enterprise defenders must inspect their endpoint environments immediately to identify indicators of compromise.
Weaponizing Trusted Management Paths
To begin with, the threat actors modified their distribution methods to blend in with normal network operations. They chose to abuse legitimate administrative channels rather than relying on standard phishing templates. According to the official report, “The observed execution pattern suggests that threat actors used FortiClient’s own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations.” Therefore, traditional network monitoring solutions failed to flag the unauthorized commands during the initial intrusion phase.
The Arrival of EKZ Infostealer
Furthermore, the adversaries created a highly tailored payload to ensure successful infection. The malicious toolkit masqueraded as an authentic software patch from the vendor. The threat intelligence team designated this specialized credential harvesting tool as the EKZ Infostealer. In addition, the malware uses dedicated routines to pull saved credentials directly from the victim's browsers. The technical write-up explains that “The credential stealer, designated as EKZ Infostealer, supports credential extraction from Chrome and Firefox, including bypass techniques targeting Chrome’s encrypted password storage mechanisms.”

Severe Downstream Risks for Enterprises
Consequently, a successful infection presents long-term operational challenges for compromised organizations. The stolen data often allows attackers to access secondary cloud networks or source code repositories. The operators also collect browser session cookies, which can let them reuse authenticated sessions without triggering a fresh MFA challenge. The report details these downstream impacts, noting that “Session cookies and saved browser credentials may provide threat actors with follow-on access to cloud services, internal applications, and other authenticated resources, including cases where session reuse may circumvent MFA prompts.” Ultimately, this specific FortiClient EMS exploitation threat model requires a robust technical response rather than simple employee awareness training.
Analyzing the Attacker’s Motives
Meanwhile, threat intelligence data suggests a purely financial motivation behind this campaign. eCrime actors frequently seek high-value corporate environments to maximize their extortion payouts. By compromising developer workstations or endpoint control panels, adversaries expand their operational reach significantly. Consequently, securing these management assets forms the core battleground for corporate IT networks.
Mandatory Mitigation and Hardening Steps
Recommended Upgrades
Therefore, system administrators must implement immediate infrastructure adjustments. Organizations should review their network architecture to isolate key administrative nodes. The analysts strongly recommend that companies deploy the latest vendor updates to eliminate the underlying security flaw. As the report indicates, “To reduce exposure to this threat, organisations running affected versions of FortiClient EMS should upgrade to a fixed version as soon as possible.”
Restricting Port Access
In addition, network engineers can apply strict perimeter access controls to secure the management server itself. Teams must enforce strict boundary rules around the EMS management port. According to Arctic Wolf, “network access to the FortiClient EMS management port (8013) may be explicitly restricted to trusted IP ranges only.” As a result, sources outside the trusted ranges cannot reach the management endpoint to initiate the malicious script execution sequence.
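The port restriction Arctic Wolf describes, as an added example that is not taken from the report or from Fortinet: a PowerShell script for the Windows server hosting EMS that audits inbound firewall rules exposing TCP/8013 to any remote address, disables them, confirms the default inbound action is Block, and adds an allow rule scoped to trusted ranges. The CIDR ranges and rule name are placeholders I chose; replace them with your own management networks.

```powershell
# Added example, not code from the Arctic Wolf report or from Fortinet.
# Assumes FortiClient EMS runs on Windows Server with Windows Defender Firewall.
$EmsPort       = 8013
$TrustedRanges = @('10.10.0.0/24', '192.0.2.0/24')   # placeholders: your admin networks
$AllowName     = 'FortiClient EMS TCP/8013 - trusted ranges only'

# Return enabled inbound Allow rules that open TCP/8013 (or every port) to 'Any'
# remote address. Port ranges such as "8000-9000" are not expanded here, so
# review those by hand.
function Get-OverlyPermissiveEmsRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            ($port.Protocol -eq 'TCP') -and
            (($port.LocalPort -contains "$EmsPort") -or ($port.LocalPort -eq 'Any')) -and
            ($addr.RemoteAddress -eq 'Any')
        }
}

# Disable every rule that exposes the port broadly. Windows evaluates Block rules
# before Allow rules, so the safe pattern is "default inbound Block + narrow Allow",
# not an extra Block rule for 'Any' (that would also cut off the trusted ranges).
function Set-EmsPortAllowList {
    foreach ($rule in Get-OverlyPermissiveEmsRules) {
        Write-Warning "Rule '$($rule.DisplayName)' allows TCP/$EmsPort from Any; disabling."
        Disable-NetFirewallRule -Name $rule.Name
    }

    # Make sure unsolicited inbound traffic is dropped unless a rule allows it.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # Create the scoped allow rule once; re-running the script is idempotent.
    if (-not (Get-NetFirewallRule -DisplayName $AllowName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $AllowName -Direction Inbound -Protocol TCP `
            -LocalPort $EmsPort -RemoteAddress $TrustedRanges -Action Allow -Profile Any |
            Out-Null
    }
}

Set-EmsPortAllowList

# Verify: the only remaining enabled inbound allow for 8013 should be the scoped one.
Get-NetFirewallRule -DisplayName $AllowName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Run it in an elevated PowerShell session on the EMS host; the final line should print only the trusted ranges, and `Get-OverlyPermissiveEmsRules` should return nothing afterwards.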
Continuous Monitoring for Future Threats
Dynamic Defense Strategies
Ultimately, organizations must establish persistent observation strategies to catch hidden anomalies early. Security teams should execute automated file inventory sweeps across all corporate systems regularly. Furthermore, the rapid evolution of infostealer payloads highlights the necessity of multi-layered perimeter defense architectures. Therefore, applying these proactive measures will protect sensitive enterprise networks from devastating corporate infrastructure breaches.