
FortiClient Code Execution Vulnerability Exploited to Deploy EKZ Malware

ID: d234646e-a479-5431-9261-c8b17ad62281

STIX ID: report--d234646e-a479-5431-9261-c8b17ad62281

Feed Name: cybersecurityNews.com

Threat Score: 85/100

Date Published: 2026-05-28

Date Updated: 2026-05-28

Author: Guru Baran

...
...

Arctic Wolf observed active exploitation of FortiClient EMS (CVE-2026-35616) in which attackers bypassed API authentication to modify Remote Access Profiles and inject on_connect scripts that deploy a MinGW-compiled credential stealer, named EKZ Infostealer, to managed endpoints. The malware harvests browser credentials and session cookies and exfiltrates the data to 83.138.53.110. The report includes process lineage, IOCs (IPs, SHA-256 hashes, filenames, payload URL), an observed correlation with Tor logins, and mitigation guidance covering patching, restricting management access, auditing VPN scripts, and credential rotation.
