FortiClient EMS sotto attacco attivo, la Commissione europea subisce una violazione di 350 GB, il toolkit russo CTRL esposto, cluster APT cinesi convergono nel Sud-Est asiatico
🔴 FortiClient EMS CVE-2026-21643 — Active Exploitation Confirmed
⚠️ CRITICAL — Patch Immediately
CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet FortiClient EMS v7.4.4 that allows unauthenticated remote code execution. Active exploitation has been observed since March 26, 2026.
Threat intelligence firm Defused confirmed that attackers have been exploiting CVE-2026-21643 for at least four days, even though CISA and other KEV lists have not yet flagged it as exploited in the wild. The flaw resides in FortiClient EMS's web GUI, where attackers can smuggle SQL statements through the Site header in HTTP requests.
Key Details
- CVE: CVE-2026-21643 — SQL Injection leading to unauthenticated RCE
- Affected: FortiClient EMS version 7.4.4
- Fix: Upgrade to FortiClient EMS 7.4.5 or later
- Exposure: ~1,000 instances publicly exposed (Shodan), 2,000+ tracked by Shadowserver — most in the US and Europe
- Discovery: Gwendal Guégniaud, Fortinet Product Security team
Fortinet vulnerabilities are a perennial favorite for ransomware gangs and state-sponsored espionage groups. CISA has flagged 24 Fortinet vulnerabilities as actively exploited to date, with 13 linked directly to ransomware campaigns. If you run FortiClient EMS, this is a drop-everything-and-patch situation.
🏛️ European Commission Confirms Massive Data Breach — ShinyHunters Claim 350GB Theft
🟠 HIGH — Government Data Exfiltration
The EU's executive body confirmed that data was stolen from its Europa.eu platform after ShinyHunters compromised an AWS account.
The European Commission confirmed on Friday that its Europa.eu web platform was hacked, with the ShinyHunters extortion gang claiming responsibility. The group says they exfiltrated over 350 GB of data before access was revoked, including databases, mail server dumps, confidential contracts, and employee information.
What Was Stolen
- Database dumps from mail servers
- Confidential documents and contracts
- Employee personal data (screenshots provided as proof)
- Over 90GB already published on the ShinyHunters dark web leak site
The Commission states its internal systems were not affected and that it is notifying affected EU entities. This is ShinyHunters' latest high-profile scalp — the group has recently claimed breaches at Infinite Campus, CarGurus, Canada Goose, Panera Bread, Betterment, SoundCloud, PornHub, and Match Group (Tinder, Hinge, OkCupid). Many of these victims fell to a large-scale voice phishing campaign targeting SSO accounts at Okta, Microsoft, and Google across 100+ organizations.
🇷🇺 Russian CTRL Toolkit — New .NET RAT Hijacks RDP via FRP Tunnels
Censys researchers have disclosed a previously undocumented Russian-origin remote access toolkit called CTRL, recovered from an open directory at 146.19.213[.]155 in February 2026. It's a custom-built .NET framework designed for full-spectrum remote access operations.
Attack Chain
- Victim receives a weaponized LNK file disguised as a "Private Key" folder
- Double-clicking triggers hidden PowerShell, which wipes existing persistence and loads an in-memory stager
- Stager connects to
hui228[.]ru:7000, downloads CTRL payloads - Modifies firewall rules, creates backdoor local users, sets up persistence via scheduled tasks
- Spawns a
cmd.exeshell server on port 5267 tunneled through Fast Reverse Proxy (FRP)
Capabilities
- Credential Harvesting: A WPF application mimics Windows Hello PIN verification — blocks Alt+Tab/Alt+F4 escape attempts and loops the victim until a valid PIN is captured
- Keylogging: Background service installs keyboard hooks, logs to
C:\Temp\keylog.txt - RDP Hijacking: Operates via named pipes so all C2 traffic stays local — only the RDP session traverses the network
- Dual-Mode Design: Can run as server (on victim) or client (via tunneled RDP), with communication over Windows named pipes
The toolkit's sophistication — particularly the credential phishing UI that mimics Windows Hello and the named-pipe architecture that evades network detection — indicates a well-resourced threat actor.
🇨🇳 Three China-Linked APT Clusters Converge on Southeast Asian Government
Palo Alto Networks Unit 42 has revealed that three distinct threat activity clusters aligned with China simultaneously targeted a single government organization in Southeast Asia throughout 2025 in what they describe as a "complex and well-resourced operation."
The Three Clusters
| Cluster | Active Period | Known Overlaps | Key Malware |
|---|---|---|---|
| Mustang Panda | Jun–Aug 2025 | Stately Taurus | HIUPAN, PUBLOAD, COOLCLIENT |
| CL-STA-1048 | Mar–Sep 2025 | Earth Estries, Crimson Palace | EggStremeFuel, EggStremeLoader, RawCookie |
| CL-STA-1049 | Apr–Aug 2025 | Unfading Sea Haze | FluffyGh0st, MASOL RAT, PoshRAT, TrackBak Stealer |
The convergence of three separate APT clusters on a single target suggests coordinated or at least strategically aligned operations — a hallmark of China's intelligence apparatus. Mustang Panda used USB-based malware (HIUPAN) to deliver backdoors, while the other clusters employed more sophisticated fileless techniques including the EggStreme loader family and the Hypnosis Loader.
📋 Quick Hits
- Microsoft Pulls KB5079391: The Windows 11 non-security preview update has been withdrawn after triggering 0x80073712 installation errors across systems. Microsoft is investigating.
- TeamPCP Compromises Telnyx PyPI Package: Malicious versions 4.87.1 and 4.87.2 of the
telnyxPython package hide credential-stealing malware inside a WAV audio file using steganography. Downgrade to 4.87.0 immediately — the package is now quarantined. - FBI Confirms Patel Email Hack: The Handala hacker group linked to Iran has published photos and documents from FBI Director Kash Patel's compromised personal email account.
🛡️ Recommended Actions
- FortiClient EMS: Patch to version 7.4.5+ immediately. Check for indicators of compromise on exposed instances.
- EU Commission Breach: Organizations interacting with Europa.eu services should monitor for credential reuse and phishing attempts using stolen employee data.
- CTRL Toolkit IOCs: Block
146.19.213[.]155andhui228[.]ru. Hunt for suspicious LNK files, FRP tunneling activity, and anomalous named pipe communications. - China APT Clusters: Government entities in Southeast Asia should scan for HIUPAN USB malware artifacts, EggStreme loader signatures, and FluffyGh0st indicators.
- PyPI Supply Chain: Audit any project using
telnyxPython package — ensure version 4.87.0 or earlier. Check for WAV file-based payload indicators.
Stay Ahead of the Threat Curve
Get daily security intelligence delivered with zero noise.
Explore KENSAI →KENSAI Security Briefing — March 30, 2026
Compiled from BleepingComputer, The Hacker News, Censys, Unit 42, Defused, and Shadowserver intelligence feeds.