BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
ID: b7a7073a-e2ef-524f-91ab-eaae4d3c76a8
STIX ID: report--b7a7073a-e2ef-524f-91ab-eaae4d3c76a8
Feed Name: Volexity Blog
Volexity reports that the BrazenBamboo actor developed and deployed modular Windows malware (DEEPDATA and DEEPPOST) and a Windows LIGHTSPY variant to collect and exfiltrate sensitive data; notably, a DEEPDATA plugin (msenvico.dll / FortiClient) exploited a zero-day FortiClient VPN credential disclosure on Windows to harvest usernames, passwords, and server info from process memory. The analysis details plugin functionality (AccountInfo, FortiClient, WebBrowser, etc.), C2 infrastructure and URLs/ports, observed IOCs, a developer change log, and recommended detection rules and IOC blocklists.
