PULSE NAME
Credential Stealer EKZ Delivered via FortiClient EMS Exploitation
WHITE cryptocti 2026-05-28 Modified: 2026-05-28
6 IOCs (LOW VOLUME)
Attackers exploited CVE-2026-35616 in FortiClient EMS. The threat actors changed EMS settings and pushed a malicious VPN script to endpoints. The script downloaded EKZ Infostealer, disguised as a Fortinet patch. The malware steals browser passwords, cookies, and autofill data.
Indicators of Compromise (3 / 6 total)
TYPE   INDICATOR        DESCRIPTION                                  CREATED
IPv4   185.220.101.15   CC=DE ASN=AS208294 cia triad security llc    2026-05-28
IPv4   192.42.116.14    CC=NL ASN=AS1101 surfnet bv                  2026-05-28
IPv4   83.138.53.110    CC=NL ASN=AS63473 hosthatch llc              2026-05-28