Emerging Cyber Threats: FortiGate Exploits, RaaS Operations, and Advanced Malware Tactics
In the ever-evolving landscape of cybersecurity, recent developments have highlighted sophisticated threats targeting critical infrastructure and exploiting known vulnerabilities. This article delves into the latest findings on Ransomware-as-a-Service (RaaS) operations, vulnerabilities in IT Service Management (ITSM) platforms, and the deployment of advanced malware frameworks.
1. The Gentlemen RaaS Exploiting FortiGate Vulnerabilities
A nascent RaaS operation known as The Gentlemen has emerged, comprising approximately 20 members. This group has been observed leveraging a critical authentication bypass vulnerability in FortiOS and FortiProxy, identified as CVE-2024-55591, to gain initial access to targeted systems. The Gentlemen maintain an operational database of around 14,700 already exploited FortiGate devices globally. Additionally, they possess 969 validated brute-forced FortiGate VPN credentials, ready for further attacks. Since their emergence in mid-2025, they have targeted 94 organizations, employing techniques such as bring your own vulnerable driver (BYOVD) to terminate security processes at the kernel level, thereby evading detection.
2. Critical Vulnerabilities in BMC FootPrints ITSM Platform
Security researchers have disclosed four vulnerabilities in BMC FootPrints, a widely used ITSM solution. These vulnerabilities, identified as CVE-2025-71257 through CVE-2025-71260, can be chained together to achieve pre-authentication remote code execution. The attack sequence begins with an authentication bypass (CVE-2025-71257) that allows an attacker to extract a guest session token from the password reset endpoint. This token can then be used to exploit an unsanitized Java deserialization sink (CVE-2025-71260) in the __VIEWSTATE parameter of the /aspnetconfig endpoint. By leveraging the AspectJWeaver gadget chain, an attacker can write arbitrary files to the Tomcat web root directory, leading to full remote code execution. Additionally, with the obtained session token, an attacker could exploit two Server-Side Request Forgery (SSRF) flaws (CVE-2025-71258 and CVE-2025-71259) to potentially leak internal data. These issues were addressed in September 2025, and users are urged to apply the necessary patches promptly.
3. Deployment of SnappyClient via Hijack Loader
The malware loader known as Hijack Loader has been identified as a delivery mechanism for a previously undocumented C++-based command-and-control (C2) framework named SnappyClient. SnappyClient boasts an extensive list of capabilities, including taking screenshots, keylogging, providing a remote terminal, and stealing data from browsers, extensions, and other applications. To evade detection, SnappyClient employs multiple techniques such as bypassing the Antimalware Scan Interface (AMSI), implementing Heaven’s Gate, utilizing direct system calls, and performing transacted hollowing. Upon execution, SnappyClient receives two configuration files from the C2 server, detailing actions to perform under specified conditions, along with a list of processes to monitor or avoid. This sophisticated malware underscores the evolving tactics of threat actors in deploying stealthy and multifunctional tools to compromise systems.
4. Exploitation of FortiGate Devices by AI-Assisted Threat Actors
A financially motivated, Russian-speaking threat actor has been observed leveraging commercial generative artificial intelligence (AI) services to compromise over 600 FortiGate devices across 55 countries. Between January 11 and February 18, 2026, this actor exploited exposed management ports and weak credentials with single-factor authentication to gain access. Notably, no exploitation of FortiGate vulnerabilities was observed; instead, the campaign succeeded by abusing fundamental security gaps, with AI enabling an unsophisticated actor to do so at scale. This incident highlights the potential for AI tools to lower the barrier to entry for cybercriminals, enabling them to execute large-scale attacks with limited technical expertise.
5. Persistent Access in FortiGate Devices Post-Patching
Fortinet has revealed that threat actors have found ways to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched. Attackers leveraged known and now-patched security flaws, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, to create a symbolic link connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN. These modifications, made in the user file system, managed to evade detection, causing the symbolic link to persist even after the security holes responsible for the initial access were addressed. This persistence mechanism underscores the importance of thorough post-patch assessments to ensure that no unauthorized access remains.
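The post-patch check this item calls for can be automated: walk a directory that a service exposes to clients and report every symbolic link whose resolved target lies outside that directory. The script below is an added example written for this article, not Fortinet's tooling or a real FortiGate filesystem layout; it builds a constructed sample tree under a temporary directory (a served folder with a benign language file, a benign internal link, and one link that escapes to the parent filesystem) and then scans it.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Return (link, resolved_target) pairs for every symlink beneath
    served_root whose target, after full resolution, is not inside served_root.
    Links are not followed while walking, so a link to a directory is reported
    once rather than traversed."""
    root = Path(served_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            # resolve() follows the link chain; a dangling link still yields a
            # lexical path we can compare against the served root.
            target = entry.resolve()
            if target != root and root not in target.parents:
                findings.append((str(entry), str(target)))
    return findings


def build_demo_tree():
    """Constructed sample layout (an assumption for this example only):
    base/secret.conf                       data outside the served directory
    base/served/lang/en.json               benign language file
    base/served/lang/alias -> en.json      benign link that stays inside
    base/served/lang/root_fs -> base       link that escapes the served directory
    Returns the base path."""
    base = Path(tempfile.mkdtemp(prefix="symlink-demo-"))
    lang = base / "served" / "lang"
    lang.mkdir(parents=True)
    (base / "secret.conf").write_text("constructed sample data\n")
    (lang / "en.json").write_text('{"greeting": "hello"}\n')
    os.symlink(lang / "en.json", lang / "alias")
    os.symlink(base, lang / "root_fs")
    return base


if __name__ == "__main__":
    demo_base = build_demo_tree()
    for link, target in find_escaping_symlinks(demo_base / "served"):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

Comparing fully resolved paths on both sides matters: a link whose target is itself a link, or a served root that sits under a symlinked mount point, would otherwise produce false results. Run the same scan after every patch cycle and diff its output against a known-good baseline.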
6. Chinese State-Backed Hackers Exploiting FortiGate Flaws
Chinese state-sponsored threat actors have been reported to have gained access to 20,000 Fortinet FortiGate systems worldwide by exploiting a known critical security flaw between 2022 and 2023. The campaign targeted dozens of Western governments, international organizations, and numerous companies within the defense industry. The attackers exploited CVE-2022-42475, a vulnerability in FortiOS SSL-VPN, allowing unauthenticated attackers to execute arbitrary code via specially crafted requests. This large-scale exploitation highlights the strategic interest of state-sponsored actors in targeting network infrastructure to gain persistent access to sensitive systems.
7. Malicious PyPI Package Deploying Cryptocurrency Miner
A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts. The package, named sympy-dev, mimics SymPy, replicating the latter’s project description verbatim to deceive unsuspecting users into thinking they are downloading a development version of the library. Since its publication on January 17, 2026, it has been downloaded over 1,100 times. The rogue package embeds source code that retrieves a Golang-based cryptocurrency miner from a remote server, highlighting the ongoing risks associated with supply chain attacks in open-source ecosystems.
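A lightweight pre-install gate catches the naming trick described here. The code below is an added example, not part of the original report and not PyPI's own tooling; it normalises package names the way PyPI does (PEP 503), then flags a requested name that is a well-known library plus a suggestive suffix such as "-dev", or that is one edit away from a well-known name. The list of known packages and the requirements lines are constructed for the example.

```python
import re

# Suffixes that a copycat commonly appends to a well-known name (assumption
# for this example; extend to taste).
SUSPICIOUS_SUFFIXES = ("dev", "devel", "nightly", "beta", "core", "utils",
                       "tools", "lib", "py")

REQ_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.'
    collapse to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance between two short strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, known_packages):
    """Return a human-readable reason if candidate looks like an imitation of
    one of known_packages, or None if it is either an exact known name or
    unrelated to all of them."""
    cand = normalize(candidate)
    known = {normalize(k) for k in known_packages}
    if cand in known:
        return None
    for k in known:
        if cand.startswith(k + "-") and cand[len(k) + 1:] in SUSPICIOUS_SUFFIXES:
            return f"'{candidate}' is '{k}' with a '{cand[len(k) + 1:]}' suffix"
        if levenshtein(cand, k) == 1:
            return f"'{candidate}' is one edit away from '{k}'"
    return None


def audit_requirements(lines, known_packages):
    """Scan requirements-style lines and return {name: reason} for every
    package whose name looks like a typosquat or suffix-squat."""
    report = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or pip option such as -r / --index-url
        match = REQ_NAME_RE.match(line)
        if not match:
            continue
        name = match.group(1)
        reason = classify(name, known_packages)
        if reason:
            report[name] = reason
    return report


# Constructed sample inputs for the example.
KNOWN_PACKAGES = ["sympy", "numpy", "requests"]
SAMPLE_REQUIREMENTS = [
    "sympy-dev==0.1.0      # the impersonation pattern from the report",
    "numpy>=1.26",
    "requets",             # one dropped letter
    "requests[socks]>=2.31",
    "-r other-requirements.txt",
]

if __name__ == "__main__":
    for pkg, why in audit_requirements(SAMPLE_REQUIREMENTS, KNOWN_PACKAGES).items():
        print(f"SUSPICIOUS: {why}")
```

Edit-distance matching is noisy for very short names, so in practice the known list should be the organisation's own approved dependencies and a hit should block the install pending a human look at the package's publisher and release history rather than be treated as proof of malice.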
8. Automated Attacks on FortiGate Devices Exploiting SSO Vulnerabilities
Cybersecurity company Arctic Wolf has warned of a new cluster of automated malicious activity involving unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity, which commenced on January 15, 2026, shares similarities with a December 2025 campaign where malicious single sign-on (SSO) logins on FortiGate appliances were recorded against the admin account from different hosting providers. The attacks exploit two critical authentication bypasses, CVE-2025-59718 and CVE-2025-59719, allowing unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud SSO feature is enabled. This development underscores the need for organizations to disable unnecessary features and apply patches promptly to mitigate such risks.
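Both this item and item 4 describe activity that is visible in the device's own authentication and configuration events: successful admin SSO logins from source addresses that are not management networks, configuration changes by the same sources, and a password-login success that follows a run of failures from one address. The detector below is an added example written for this article; it is not Arctic Wolf's or Fortinet's code, and the key=value event format and the sample events are constructed for the example rather than copied from a real FortiGate log.

```python
import ipaddress
import re
from collections import defaultdict

# Generic key=value tokeniser; values may be bare or double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed key=value event line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect_login_abuse(lines, allowed_mgmt_nets, failure_threshold=5):
    """Return a list of (alert_kind, srcip, time) tuples.

    alert kinds:
      sso_admin_login_outside_allowlist  admin SSO success from a non-management net
      success_after_repeated_failures    password success after >= threshold failures
      config_change_by_flagged_source    config change from an address flagged above
    """
    nets = [ipaddress.ip_network(n) for n in allowed_mgmt_nets]
    failures = defaultdict(int)   # srcip -> failed login count
    flagged = set()               # srcips that produced a login alert
    alerts = []
    for raw in lines:
        ev = parse_event(raw)
        action, src, when = ev.get("action"), ev.get("srcip"), ev.get("time")
        if not (action and src):
            continue
        if action == "config-change":
            if src in flagged:
                alerts.append(("config_change_by_flagged_source", src, when))
            continue
        if action != "login":
            continue
        if ev.get("status") == "failed":
            failures[src] += 1
            continue
        # Successful login from here on.
        outside = not any(ipaddress.ip_address(src) in n for n in nets)
        if ev.get("user") == "admin" and ev.get("method") == "sso" and outside:
            alerts.append(("sso_admin_login_outside_allowlist", src, when))
            flagged.add(src)
        if failures[src] >= failure_threshold:
            alerts.append(("success_after_repeated_failures", src, when))
            flagged.add(src)
        failures[src] = 0  # reset the streak once a success has been judged
    return alerts


# Constructed sample events (not real FortiGate syslog).
SAMPLE_EVENTS = """
time=2026-01-15T03:12:01Z action=login user="admin" method=sso status=success srcip=203.0.113.45
time=2026-01-15T03:12:09Z action=config-change user="admin" path="firewall.policy" srcip=203.0.113.45
time=2026-01-15T08:00:00Z action=login user="admin" method=sso status=success srcip=10.10.5.20
time=2026-01-15T08:00:30Z action=config-change user="admin" path="system.dns" srcip=10.10.5.20
time=2026-01-15T09:00:01Z action=login user="admin" method=password status=failed srcip=198.51.100.7
time=2026-01-15T09:00:02Z action=login user="admin" method=password status=failed srcip=198.51.100.7
time=2026-01-15T09:00:03Z action=login user="admin" method=password status=failed srcip=198.51.100.7
time=2026-01-15T09:00:04Z action=login user="admin" method=password status=success srcip=198.51.100.7
""".strip().splitlines()

if __name__ == "__main__":
    for kind, src, when in detect_login_abuse(SAMPLE_EVENTS, ["10.0.0.0/8"], failure_threshold=3):
        print(f"{when} {kind} from {src}")
```

The allow-list is the key input: the December 2025 and January 2026 activity was distinguished by admin SSO logins arriving from hosting-provider address space, which an organisation that restricts management access to known networks can turn into a high-confidence alert. The same logic ports directly to a SIEM rule once the field names are mapped to the vendor's real log schema.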
Conclusion
The cybersecurity landscape continues to be marked by sophisticated threats exploiting known vulnerabilities and leveraging advanced techniques to evade detection. Organizations must remain vigilant, promptly apply security patches, and implement robust monitoring to detect and respond to these evolving threats effectively.