Security researchers at Arctic Wolf have spotted a malicious campaign exploiting CVE-2026-35616 to deploy a new malware strain called EKZ Infostealer through compromised FortiClient EMS infrastructure.
The attackers disguised the malware as a legitimate Fortinet endpoint patch and pushed it to managed endpoints using FortiClient Endpoint Management Server (EMS). The threat actors appear to have abused trusted management channels to execute malicious PowerShell commands across connected systems.
Suspicious login activity linked to Tor exit nodes was detected shortly after the vulnerability was exploited. Once affected endpoints established IPsec connections to configured FortiGate firewalls, the process fortitray.exe launched malicious .cmd scripts stored in directories commonly used for FortiClient VPN troubleshooting logs.
The scripts executed a base64-encoded PowerShell payload that attempted to download a malicious executable through multiple fallback methods. After execution, the malware paused for 90 seconds before sending stolen data to a threat-actor-controlled VPS.
The payload, named FortiEndpoint_Patch.exe, was identified as a previously undocumented credential stealer compiled with MinGW. Arctic Wolf named the malware EKZ Infostealer.
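As an added example (not code from the Arctic Wolf report or from Fortinet), the following Python applies two of the behaviours described above to constructed process-creation events: fortitray.exe launching a .cmd script from a log directory, and an encoded PowerShell command that pauses 90 seconds before referencing the patch-named payload. The event field names, the log path and the decoded script are assumptions made for the example, not indicators from the report.

```python
import base64
import re

# Constructed process-creation events in a generic EDR/Sysmon-like shape. The
# log path and the script are assumptions for the example, not report indicators.
CONSTRUCTED_SCRIPT = "Start-Sleep -Seconds 90; Start-Process FortiEndpoint_Patch.exe"
ENCODED = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\ProgramData\Fortinet\FortiClient\logs\vpn\patch.cmd"'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoProfile -ExecutionPolicy Bypass -enc {ENCODED}"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -Command Get-Date"},
]

# powershell.exe accepts unambiguous abbreviations of -EncodedCommand (-e, -ec, -enc, ...); the pattern must not swallow -ExecutionPolicy.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
# A .cmd script under a 'log' or 'logs' directory, as the report describes.
CMD_IN_LOG_DIR = re.compile(r"(?i)\\logs?\\.*\.cmd\b")

def decode_encoded_powershell(command_line):
    """Return the decoded -EncodedCommand script (UTF-16LE), or None if absent/invalid."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event):
    """Return the list of finding tags raised by one process-creation event."""
    parent, image = event["parent_image"].lower(), event["image"].lower()
    cmd, findings = event["command_line"], []
    # Rule 1: the FortiClient tray process launching a .cmd script from a log directory.
    if parent.endswith("fortitray.exe") and image.endswith("cmd.exe") and CMD_IN_LOG_DIR.search(cmd):
        findings.append("fortitray_runs_cmd_from_log_dir")
    # Rule 2: decode encoded PowerShell and check for the reported 90 s pause and payload name.
    if image.endswith("powershell.exe"):
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            findings.append("encoded_powershell")
            if re.search(r"(?i)start-sleep\s+(?:-seconds\s+)?90\b", decoded):
                findings.append("sleep_90s_before_action")
            if "fortiendpoint_patch.exe" in decoded.lower():
                findings.append("references_fortiendpoint_patch")
    return findings
```

Running `analyze` over each event in `SAMPLE_EVENTS` flags the first two and leaves the benign third event untouched.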
The malware targets Chromium-based browsers including Chrome, Microsoft Edge, and other Chromium variants. It also supports Firefox and Gecko-based browsers such as LibreWolf, Waterfox, Pale Moon, and Thunderbird.
For Chromium browsers, EKZ Infostealer locates browser installations through the Windows registry, reads the Local State file to retrieve the os_crypt.app_bound_encrypted_key, and copies itself into the browser Application directory to bypass Chromium Elevation Service path validation. It then extracts the AES-256 master key and decrypts SQLite databases containing saved browser credentials and session data.
For Firefox and other Gecko-based browsers, the malware dynamically loads nss3.dll and extracts credentials from files including key4.db, logins.json, and cookies.sqlite.
Researchers said the malware collects saved passwords, browser cookies, autofill information, addresses, phone numbers, and stored payment card data. Stolen cookies could also allow attackers to hijack authenticated sessions without triggering MFA protections.