Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

Thursday, May 28, 2026 at 03:26 PM UTC·Source: The Hacker News

Updated: Thursday, May 28, 2026 at 05:01 PM UTC

Executive Summary

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. "The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints," Arctic Wolf said. "Threat actors disguised the credential stealer payload as a Fortinet endpoint

Analysis

Source Attribution

Originally published by The Hacker News on May 28, 2026.

Related Threats

MEDIUMMalware

The HazyBeacon Protocol – How Malware Weaponizes Amazon Web Services (AWS) Lambda Function URLs

Key Takeaways The Rise of Cloud-Native Command and Control (C2) Command and control (C2) infrastructure traditionally lived outside the victim environment. Malware beaconed to attacker-operated servers hosted on rented VPS infrastructure or compromised websites, and defenders focused on identifying those endpoints through IP reputation, domain intelligence, and network blocking. Cloud computing ha

2h agoQualys Blog

MEDIUMMalware

The Zero-Knowledge Threat Actor and the End of Responsible Disclosure

AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. The post The Zero-Knowledge Threat Actor and the End of Responsible Disclosure appeared first on SecurityWeek .

5h agoSecurityWeek

MEDIUMVulnerability

Klarna adds healthcare to membership programme

Kry Livi, the UK's leading digital healthcare provider, today announces a new partnership with Klarna, the global digital bank and flexible payments provider, bringing on-demand clinical consultations to Klarna's UK members as digital-first healthcare continues to grow.

6h agoFinextra