剣 KENSAI
← All posts · security · 2026-03-26 · 5 min

FortiClient EMS पर सक्रिय हमला, यूरोपीय आयोग को 350 GB डेटा उल्लंघन, रूसी CTRL टूलकिट उजागर, चीन APT क्लस्टर दक्षिण-पूर्व एशिया पर केंद्रित

गंभीर Fortinet FortiClient EMS SQL इंजेक्शन (CVE-2026-21643) सक्रिय रूप से शोषित हो रहा है। ShinyHunters ने यूरोपीय आयोग के AWS वातावरण से 350 GB डेटा चोरी का दावा किया। Censys ने एक पूर्व में अज्ञात रूसी .NET रिमोट एक्सेस टूलकिट का खुलासा किया जो RDP सत्रों को हाईजैक करता है। चीन से जुड़े तीन खतरा क्लस्टर एक साथ दक्षिण-पूर्व एशियाई सरकार को निशाना बना रहे हैं।


🔴 FortiClient EMS CVE-2026-21643 — Active Exploitation Confirmed

⚠️ CRITICAL — Patch Immediately

CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet FortiClient EMS v7.4.4 that allows unauthenticated remote code execution. Active exploitation has been observed since March 26, 2026.

Threat intelligence firm Defused confirmed that attackers have been exploiting CVE-2026-21643 for at least four days, even though CISA and other KEV lists have not yet flagged it as exploited in the wild. The flaw resides in FortiClient EMS's web GUI, where attackers can smuggle SQL statements through the Site header in HTTP requests.

Key Details

Fortinet vulnerabilities are a perennial favorite for ransomware gangs and state-sponsored espionage groups. CISA has flagged 24 Fortinet vulnerabilities as actively exploited to date, with 13 linked directly to ransomware campaigns. If you run FortiClient EMS, this is a drop-everything-and-patch situation.


🏛️ European Commission Confirms Massive Data Breach — ShinyHunters Claim 350GB Theft

🟠 HIGH — Government Data Exfiltration

The EU's executive body confirmed that data was stolen from its Europa.eu platform after ShinyHunters compromised an AWS account.

The European Commission confirmed on Friday that its Europa.eu web platform was hacked, with the ShinyHunters extortion gang claiming responsibility. The group says they exfiltrated over 350 GB of data before access was revoked, including databases, mail server dumps, confidential contracts, and employee information.

What Was Stolen

The Commission states its internal systems were not affected and that it is notifying affected EU entities. This is ShinyHunters' latest high-profile scalp — the group has recently claimed breaches at Infinite Campus, CarGurus, Canada Goose, Panera Bread, Betterment, SoundCloud, PornHub, and Match Group (Tinder, Hinge, OkCupid). Many of these victims fell to a large-scale voice phishing campaign targeting SSO accounts at Okta, Microsoft, and Google across 100+ organizations.


🇷🇺 Russian CTRL Toolkit — New .NET RAT Hijacks RDP via FRP Tunnels

Censys researchers have disclosed a previously undocumented Russian-origin remote access toolkit called CTRL, recovered from an open directory at 146.19.213[.]155 in February 2026. It's a custom-built .NET framework designed for full-spectrum remote access operations.

Attack Chain

  1. Victim receives a weaponized LNK file disguised as a "Private Key" folder
  2. Double-clicking triggers hidden PowerShell, which wipes existing persistence and loads an in-memory stager
  3. Stager connects to hui228[.]ru:7000, downloads CTRL payloads
  4. Modifies firewall rules, creates backdoor local users, sets up persistence via scheduled tasks
  5. Spawns a cmd.exe shell server on port 5267 tunneled through Fast Reverse Proxy (FRP)

Capabilities

The toolkit's sophistication — particularly the credential phishing UI that mimics Windows Hello and the named-pipe architecture that evades network detection — indicates a well-resourced threat actor.


🇨🇳 Three China-Linked APT Clusters Converge on Southeast Asian Government

Palo Alto Networks Unit 42 has revealed that three distinct threat activity clusters aligned with China simultaneously targeted a single government organization in Southeast Asia throughout 2025 in what they describe as a "complex and well-resourced operation."

The Three Clusters

ClusterActive PeriodKnown OverlapsKey Malware
Mustang PandaJun–Aug 2025Stately TaurusHIUPAN, PUBLOAD, COOLCLIENT
CL-STA-1048Mar–Sep 2025Earth Estries, Crimson PalaceEggStremeFuel, EggStremeLoader, RawCookie
CL-STA-1049Apr–Aug 2025Unfading Sea HazeFluffyGh0st, MASOL RAT, PoshRAT, TrackBak Stealer

The convergence of three separate APT clusters on a single target suggests coordinated or at least strategically aligned operations — a hallmark of China's intelligence apparatus. Mustang Panda used USB-based malware (HIUPAN) to deliver backdoors, while the other clusters employed more sophisticated fileless techniques including the EggStreme loader family and the Hypnosis Loader.


📋 Quick Hits

  • Microsoft Pulls KB5079391: The Windows 11 non-security preview update has been withdrawn after triggering 0x80073712 installation errors across systems. Microsoft is investigating.
  • TeamPCP Compromises Telnyx PyPI Package: Malicious versions 4.87.1 and 4.87.2 of the telnyx Python package hide credential-stealing malware inside a WAV audio file using steganography. Downgrade to 4.87.0 immediately — the package is now quarantined.
  • FBI Confirms Patel Email Hack: The Handala hacker group linked to Iran has published photos and documents from FBI Director Kash Patel's compromised personal email account.

🛡️ Recommended Actions

  1. FortiClient EMS: Patch to version 7.4.5+ immediately. Check for indicators of compromise on exposed instances.
  2. EU Commission Breach: Organizations interacting with Europa.eu services should monitor for credential reuse and phishing attempts using stolen employee data.
  3. CTRL Toolkit IOCs: Block 146.19.213[.]155 and hui228[.]ru. Hunt for suspicious LNK files, FRP tunneling activity, and anomalous named pipe communications.
  4. China APT Clusters: Government entities in Southeast Asia should scan for HIUPAN USB malware artifacts, EggStreme loader signatures, and FluffyGh0st indicators.
  5. PyPI Supply Chain: Audit any project using telnyx Python package — ensure version 4.87.0 or earlier. Check for WAV file-based payload indicators.