Credential Stealer EKZ Delivered via FortiClient EMS Exploitation
Attackers exploited CVE-2026-35616 in FortiClient EMS. The threat actors changed EMS settings and pushed a malicious VPN script to endpoints. The script downloaded EKZ Infostealer, disguised as a Fortinet patch. The malware steals browser passwords, cookies, and autofill data.
Indicators of Compromise (6)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| IPv4 | 185.220.101.15 | CC=DE ASN=AS208294 cia triad security llc | 2026-05-28 |
| IPv4 | 192.42.116.14 | CC=NL ASN=AS1101 surfnet bv | 2026-05-28 |
| IPv4 | 83.138.53.110 | CC=NL ASN=AS63473 hosthatch llc | 2026-05-28 |
| FileHash-MD5 | 338662fd0c4d750a0ba203a32b59f081 | MD5 of 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e | 2026-05-28 |
| FileHash-SHA1 | 17e771c78430cc67e71d4547f8996a1a488e9d3f | SHA1 of 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e | 2026-05-28 |
| FileHash-SHA256 | 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e | — | 2026-05-28 |