← Back to Blog
Security Briefing 9 min read March 11, 2026

FortiGate Credential Theft, KadNap Botnet Hits 14K Routers, Microsoft Patches 2 Zero-Days

Attackers exploit FortiGate firewalls to steal Active Directory credentials from healthcare and government networks. KadNap malware hijacks 14,000+ ASUS routers into a stealth proxy botnet. Microsoft March Patch Tuesday fixes 2 zero-days and 79 vulnerabilities. BlackSanta EDR killer targets HR departments. HPE patches critical authentication bypass in AOS-CX switches.


1. FortiGate Firewalls Exploited to Steal AD Credentials

🚨 CRITICAL — Active Campaign Targeting Healthcare & Government

Threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The campaign targets healthcare, government, and managed service provider environments, extracting configuration files that contain service account credentials and network topology data.

According to SentinelOne, attackers exploit recently disclosed vulnerabilities — CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 — or weak credentials to compromise FortiGate appliances. Because these devices often connect to Active Directory and LDAP for role-based policy enforcement, a compromised appliance hands attackers the keys to the entire authentication infrastructure.

In one documented incident, attackers created a rogue local admin account named "support," configured four permissive firewall policies, and later decrypted the configuration file to extract clear-text LDAP service account credentials. They then enrolled rogue workstations into Active Directory before being detected.

Action Required: Patch FortiGate appliances to the latest firmware immediately. Rotate all service account credentials connected to FortiGate. Enable MFA on all administrative interfaces. Monitor for unauthorized account creation and firewall policy changes.


2. KadNap Botnet Hijacks 14,000+ ASUS Routers

🚨 CRITICAL — 14,000+ Devices Compromised, 60% in US

A new malware called KadNap has infected over 14,000 edge networking devices — primarily ASUS routers — to power a stealth proxy botnet. Over 60% of victims are located in the United States.

Discovered by Black Lotus Labs at Lumen, KadNap uses a custom version of the Kademlia Distributed Hash Table (DHT) protocol to conceal its command-and-control infrastructure within a peer-to-peer network, making it highly resilient to takedown attempts.

Compromised devices are funneled into a proxy service called Doppelgänger (a rebrand of the Faceless proxy network), which sells "100% anonymous" residential proxies in 50+ countries. The malware targets both ARM and MIPS processors, establishes persistence via cron jobs, and actively closes SSH access on port 22 to prevent remediation.

DetailInformation
Infected devices14,000+
Primary targetASUS routers
US victims60%+
C2 protocolCustom Kademlia DHT (P2P)
Proxy serviceDoppelgänger (Faceless rebrand)
Active sinceAugust 2025

Action Required: Update ASUS router firmware immediately. Check for unauthorized cron jobs and unknown processes. If compromised, factory-reset the device. Block known C2 IP 212.104.141.140.


3. Microsoft March 2026 Patch Tuesday: 2 Zero-Days, 79 Flaws

⚠️ PATCH NOW — 2 Publicly Disclosed Zero-Days

Microsoft's March 2026 Patch Tuesday addresses 79 security flaws, including 2 publicly disclosed zero-day vulnerabilities and 3 Critical-rated issues. Two Critical remote code execution bugs affect Microsoft Office and can be triggered via the preview pane.

Key highlights from this month's patch cycle:

The Copilot-related vulnerability (CVE-2026-26144) is particularly noteworthy — it represents a new attack vector where AI assistants can be weaponized to exfiltrate data without user interaction. This is a harbinger of the AI-enabled attack surface organizations now face.

Action Required: Deploy all March 2026 patches immediately. Prioritize Office updates due to Preview Pane exploitation. Review Copilot Agent permissions and restrict network egress capabilities.


4. BlackSanta EDR Killer Targets HR Departments

⚠️ ACTIVE CAMPAIGN — Russian-Speaking Threat Actor

A sophisticated campaign running for over a year delivers a new EDR killer dubbed BlackSanta to human resources departments via spear-phishing emails with malicious ISO files disguised as resumes.

The attack chain is highly evasive: ISO files contain a Windows shortcut disguised as a PDF, a PowerShell script, and an image hiding malicious code via steganography. The extracted code uses DLL sideloading via a legitimate SumatraPDF executable, performs extensive sandbox and VM detection, then deploys BlackSanta.

BlackSanta systematically disables endpoint detection by:

Action Required: Alert HR teams about resume-themed phishing attacks. Block ISO file attachments at the email gateway. Monitor for unauthorized Defender exclusion changes. Implement application allowlisting.


5. HPE Critical AOS-CX Authentication Bypass

🚨 CRITICAL — Admin Password Reset Without Authentication

HPE has patched CVE-2026-23813, a critical authentication bypass in the Aruba Networking AOS-CX operating system that allows unauthenticated remote attackers to reset administrator passwords on CX-series campus and data center switches.

The vulnerability exists in the web-based management interface and requires only low-complexity attacks to exploit. Any organization running HPE AOS-CX switches with exposed management interfaces is at immediate risk.

Mitigations if patching is delayed:


6. APT28 Deploys BEARDSHELL & COVENANT Against Ukrainian Military

Russia's APT28 (Fancy Bear / GRU Unit 26165) continues its cyber espionage campaign against Ukraine, deploying two implants — BEARDSHELL and COVENANT — for long-term surveillance of Ukrainian military personnel since April 2024.

ESET reports the arsenal also includes SLIMAGENT, capable of keylogging, screenshot capture, and clipboard data collection. The campaign underscores the ongoing cyber dimension of the Russia-Ukraine conflict and the persistent targeting of military communications.


7. Zombie ZIP Technique Evades Security Tools

A new technique dubbed "Zombie ZIP" allows attackers to conceal malicious payloads in specially crafted compressed files that bypass antivirus and EDR detection. The technique exploits differences in how security tools and legitimate archive software parse ZIP files, creating blind spots that malware can slip through.

Action Required: Ensure security tools can inspect nested and malformed archive formats. Consider sandboxing all compressed file attachments before delivery to end users.


8. CISA: Ivanti EPM Flaw Under Active Exploitation

CISA has added a recently patched Ivanti Endpoint Manager (EPM) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. Organizations running Ivanti EPM must prioritize patching immediately.

The pattern of Ivanti vulnerabilities being rapidly weaponized continues — this is the latest in a long series of critical Ivanti flaws that move from disclosure to exploitation in days.


9. BeatBanker Android Malware Poses as Starlink App

A new Android banking trojan called BeatBanker is being distributed through fake Google Play Store websites, masquerading as a Starlink application. Once installed, the malware hijacks devices to intercept banking credentials and financial transactions.

Action Required: Only install apps from the official Google Play Store. Enable Google Play Protect. Educate users about fake app stores.


10. Microsoft Entra Passkey Support for Windows

On a positive note, Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, enabling phishing-resistant passwordless authentication via Windows Hello. This is a significant step toward eliminating password-based attacks — organizations should begin planning Entra passkey deployment.


More Headlines

StoryImpact
North Korean UNC4899 Breaches Crypto FirmTrojanized AirDrop file + living-off-the-cloud techniques steal millions in cryptocurrency
Windows 10 KB5078885 ESU ReleasedExtended security update for Windows 10 addresses March Patch Tuesday vulns including 2 zero-days
Malicious npm Package Impersonates OpenClawPackage deploys RAT and steals macOS credentials, SSH keys, crypto wallets, and iMessage history

How KENSAI Protects You

Edge Device Monitoring — Detect compromised FortiGate, ASUS, and HPE devices before attackers pivot deeper

Patch Intelligence — Prioritized CVE tracking for Microsoft, Ivanti, and network infrastructure within hours of disclosure

EDR Integrity Checks — Identify BlackSanta-style tampering with endpoint security configurations

AI Security Posture — Monitor Copilot and AI agent permissions to prevent data exfiltration vectors like CVE-2026-26144


Recommended Actions

  1. Immediate: Patch FortiGate to latest firmware. Deploy Microsoft March 2026 patches. Update HPE AOS-CX switches.
  2. Today: Check ASUS routers for KadNap indicators. Rotate all FortiGate-connected service account credentials. Review Copilot Agent network egress settings.
  3. This Week: Block ISO attachments at email gateways. Audit Ivanti EPM deployments. Plan Entra passkey rollout.
  4. Ongoing: Monitor for EDR tampering patterns. Brief HR teams on resume-themed phishing. Implement zero-trust for network appliance management.

Protect Your Organization with KENSAI

AI-powered vulnerability scanning and continuous security monitoring. Start your free scan today.

Start Free Scan →

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

Related Articles

SentinelOne cartographie une chaîne d'intrusion en 8 phases, le SANS signale l'I Microsoft Notfall-RRAS-Hotpatch EU-Kommission: AWS-Breach legt 350 GB offen, TP-Link-Router-Schwachstellen, BIND