This week's ThreatsDay Bulletin highlights a steady stream of low-noise but high-impact operations: a nascent RaaS exploiting FortiGate devices, stealthy loaders, advanced evasion tricks, and refined phishing campaigns. Several of the attack chains are already proving useful to attackers in the wild, against a backdrop of growing background noise around supply-chain compromise, secrets sprawl, and mass exploitation. #TheGentlemen #FortiGate
Key points
- The Gentlemen RaaS exploits CVE-2024-55591 in FortiOS/FortiProxy and maintains access to ~14,700 exploited FortiGate devices plus 969 brute-forced VPN credentials.
- BMC FootPrints contains a pre-auth RCE chain (CVE-2025-71257 through CVE-2025-71260) that leverages an extracted SEC_TOKEN and Java deserialization to write files into Tomcat.
- Hijack Loader is delivering SnappyClient and updated ACRStealer variants with AMSI bypasses, Heaven’s Gate, direct syscalls, and crypto‑theft capabilities.
- New social-engineering and abuse techniques include CursorJack deep-link command execution, Teams Quick Assist scams used to obtain remote access, and LiveChat refund phishing that steals credentials and MFA codes.
- Wider trends include mass exploitation attempts against Citrix NetScaler, AOT-compiled malware that evades analysis (Rhadamanthys/XMRig), GitHub secrets sprawl, and expanded APT operations such as RagaSerpent.
Read More: https://thehackernews.com/2026/03/threatsday-bulletin-fortigate-raas.html