← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Credential Stealer EKZ Delivered via FortiClient EMS Exploitation
WHITE cryptocti 2026-05-28 Modified: 2026-05-28
6
IOCs
LOW VOLUME
Attackers exploited CVE-2026-35616 in FortiClient EMS. Threat actors changes EMS settings and pushed a malicious VPN script to endpoints. The script downloaded EKZ Infostealer, disguised as a Fortinet patch. The malware steals browser passwords, cookies, and autofill data.
Indicators of Compromise (1 / 6 total)
All IPv4 FileHash-MD5 FileHash-SHA1 FileHash-SHA256
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 338662fd0c4d750a0ba203a32b59f081 MD5 of 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e 2026-05-28