Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

Blog

Byadmblake May 28, 2026

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. “The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,” Arctic Wolf said. “Threat actors disguised the credential stealer payload as a Fortinet endpoint

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware.

“The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,” Arctic Wolf said. “Threat actors disguised the credential stealer payload as a Fortinet endpoint

Blog

Akira RaaS Targets Nutanix VMs, Threatens Critical Orgs

The Akira ransomware group has been experimenting with new tools, bugs, and attack surfaces, with demonstrated success in significant sectors.

Read More Akira RaaS Targets Nutanix VMs, Threatens Critical Orgs
Blog

Indian Car-Sharing Firm Zoomcar Latest to Suffer Breach

The company acknowledged that cybercriminals had taken sensitive information on more than 8 million users, including names, phone numbers, car registration numbers, addresses, and emails.

Read More Indian Car-Sharing Firm Zoomcar Latest to Suffer Breach
Blog

42% of Developers Using AI Say Their Codebase is Now Mostly AI-Generated

Post Content

Read More 42% of Developers Using AI Say Their Codebase is Now Mostly AI-Generated
Blog

GitHub Confirms Breach, 4K Internal Repos Stolen

Open source software giant GitHub confirmed a data breach this week involving the theft of thousands of repos. One threat actor — TeamPCP — took credit.

Read More GitHub Confirms Breach, 4K Internal Repos Stolen
Blog

Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates

Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS. “Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing…

Read More Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates
Blog

3 China Nation-State Actors Target SharePoint Bugs

Hackers and cybercrime groups are part of a virtual feeding frenzy, after Microsoft’s recent disclosure of new vulnerabilities in on-premises editions of SharePoint Server.

Read More 3 China Nation-State Actors Target SharePoint Bugs

Related