{
	"id": "286a22aa-a3c6-4e97-9105-2660454c41b9",
	"created_at": "2026-04-06T00:20:51.5027Z",
	"updated_at": "2026-04-10T13:12:35.845569Z",
	"deleted_at": null,
	"sha1_hash": "41c98771353e01a3f33f337dd54f204de11f0961",
	"title": "Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 885730,
	"plain_text": "Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability\r\n(CVE-2022-42475) | Mandiant\r\nBy Mandiant\r\nPublished: 2023-01-19 · Archived: 2026-04-05 20:08:58 UTC\r\nWritten by: Scott Henderson, Cristiana Kittner, Sarah Hawley, Mark Lechtik\r\nMandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced\r\nvulnerability in Fortinet's FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation\r\nwas occurring as early as October 2022 and identified targets include a European government entity and a\r\nmanaged service provider located in Africa.\r\nMandiant identified a new malware we are tracking as “BOLDMOVE” as part of our investigation. We have\r\nuncovered a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on\r\nFortiGate Firewalls. We believe that this is the latest in a series of Chinese cyber espionage operations that have\r\ntargeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for\r\nwell-resourced Chinese groups.\r\nOn December 12, 2022, Fortinet released a PSIRT Advisory and notified customers regarding CVE-2022-42475\r\nFortinet issued instructions on how to search for Indicators of Compromise\r\nFortinet provided additional details including IoCs from subsequent research.\r\nChina Continues to Focus on Network Devices\r\nThis incident continues China’s pattern of exploiting internet facing devices, specifically those used for managed\r\nsecurity purposes (e.g., firewalls, IPS\\IDS appliances etc.). These devices are attractive targets for multiple\r\nreasons. First, they are accessible to the internet, and if the attacker has an exploit, they can gain access to a\r\nnetwork without requiring any victim interaction. 
This allows the attacker to control the timing of the operation\r\nand can decrease the chances of detection.\r\nThe exploits required to compromise these devices can be resource intensive to develop, and thus they are most\r\noften used in operations against hardened and high priority targets; often in the government and defense sectors.\r\nWith BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth\r\nunderstanding of systems, services, logging, and undocumented proprietary formats. Malware running on an\r\ninternet-connected device can enable lateral movement further into a network and enable command and control\r\n(C2) by tunneling commands in and data out of a network.\r\nIt is important to note that many of these types of devices do not offer a simple mechanism to view which\r\nprocesses are running on the device’s operating systems. These devices are typically intended to inspect network\r\nhttps://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw\r\nPage 1 of 13\n\ntraffic, searching for anomalies as well as signs of malicious behavior, but are often not inherently protected\r\nthemselves.\r\nManaged devices may provide only a limited admin interface that allows configuration and\r\nviewing/collection of logs\r\nManaged devices may not allow for additional security products, such as Endpoint Detection and Response\r\n(EDR) to be installed\r\nAccess to core security features may be limited to the device manufacturer\r\nPrevious examples of public reporting by Mandiant and others on operations targeting these devices are here:\r\nCheck Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure\r\nZero-Day\r\nNSA | APT5: Citrix ADC Threat Hunting Guidance\r\nSuspected Chinese Activity Exploiting Zero-Day Vulnerability, Leverages New Malware Designed for\r\nInternet-Facing Devices\r\nZero-Days Exploit in SonicWall Email Security Lead to Enterprise Compromise\r\nBOLDMOVE 
Backdoor\r\nIn December 2022, Mandiant identified the BOLDMOVE backdoor associated with the exploitation of the CVE-2022-42475 FortiOS vulnerability. BOLDMOVE is written in C and has both Windows and Linux variants, the\r\nlatter of which is intended to run (at least in part) on Fortinet devices as it reads data from a file proprietary to\r\nFortinet.\r\nMandiant has not directly observed exploitation of the vulnerability; however, samples of the BOLDMOVE Linux\r\nvariant have a hard-coded C2 IP address that was listed by Fortinet as being involved in the exploitation,\r\nsuggesting CVE-2022-42475 was exploited to deliver BOLDMOVE. In addition to the Linux variant, Mandiant\r\nalso revealed a Windows version. Windows versions of BOLDMOVE appear to have been compiled as early as\r\n2021. However, Mandiant has not seen this malware in use in the wild, so it is uncertain how it was used. In-depth\r\nanalysis of the malware is provided later in this post.\r\nAttribution\r\nWe assess with low confidence that this operation has a nexus to the People’s Republic of China. China-nexus\r\nclusters have historically shown significant interest in targeting networking devices and manipulating the\r\noperating system or underlying software which supports these devices. In addition, the geographical and sector\r\ntargeting is consistent with previous Chinese operations.\r\nLimited technical indicators point to the development of the malware as having been compiled on a\r\nmachine in the UTC+8 time zone, which includes Australia, China, Russia, Singapore, and other Eastern\r\nAsian countries, and on a machine configured to display Chinese characters.\r\nA host survey buffer which is used by the Windows variant of BOLDMOVE in order to provide the C2\r\nwith information on the infected host starts with the string “gbk”. 
The comparable survey buffer of the\r\nLinux variant starts with “utf-8”, which indicates that this field designates character encoding. If we are to\r\nconsider “gbk” in this context, then this is an extension of a Chinese character set.\r\nThe exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom\r\nimplants, is consistent with previous Chinese exploitation of networking devices.\r\nMandiant has previously reported on significant campaigns impacting networking devices, likely revealing a long-standing interest by China to embed cyber campaigns in the overarching telecommunications and networking\r\narchitecture used by organizations worldwide:\r\nIn April 2021, Mandiant reported extensively on the exploitation of Pulse Secure. Mandiant recently\r\nresponded to multiple security incidents involving compromises of Pulse Secure VPN appliances.\r\nIn March 2021, Mandiant identified three zero-day vulnerabilities in SonicWall’s Email Security (ES)\r\nproduct that were being exploited in the wild. Mandiant’s investigations informed us that the adversary\r\nleveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a\r\nbackdoor, access files and emails, and move laterally into the victim organization’s network.\r\nOutlook\r\nMandiant has produced in-depth reporting on the growing number of managed, internet-facing and connected\r\ndevices targeted by Chinese threat actors. This latest campaign may be a continuation of a long-standing practice\r\nby China-nexus cyber espionage actors. 
This campaign and infection vector also should be strong reminders of the\r\nimportance of keeping up with updates and patches of externally facing devices or those exposed to the internet.\r\nThis campaign, and other similar campaigns, offer defenders a unique look into the vulnerabilities and gaps many\r\norganizations constantly face when services and networks are managed remotely. Given their configuration, it is\r\nvery hard to measure the scope and extent of malicious activity that results from exploiting internet facing\r\nnetwork devices, as we have little to no information that can indicate those devices are compromised.\r\nThere is no mechanism to detect malicious processes running on such devices, nor telemetry to proactively hunt\r\nfor malicious images deployed on them following an exploitation of a vulnerability. This makes network devices a\r\nblind spot for security practitioners and allows attackers to hide in them and maintain stealth for long periods,\r\nwhile also using them to gain a foothold in a targeted network.\r\nBOLDMOVE Linux Analysis\r\nBOLDMOVE is a fully featured backdoor written in C and compiled with GCC 11.2.1. When executed it performs\r\na system survey and is capable of receiving commands from a C2 server that in turn allow attackers to control the\r\nfile system, spawn a remote shell, or relay traffic via the infected host.\r\nBased on indicators from the original Fortinet advisory, Mandiant was able to identify multiple Linux versions of\r\nBOLDMOVE. There is a core set of features across all observed instances of BOLDMOVE, Windows and\r\nLinux, and at least one Linux sample contained extended capabilities enabling it to alter specific behaviors and\r\nfunctionality of Fortinet devices, namely FortiGate Firewalls.\r\nCore Features\r\nUpon execution, BOLDMOVE attempts to form a session with a hard-coded C2 server. 
Once it is established, it\r\nperforms a system survey to collect information that identifies the infected machine to the C2. Information\r\ncollected is outlined in Table 1.\r\nIndex Field Value\r\n0 Encoding used for the strings in the survey buffer: utf-8  \r\n1 Hard-coded string that seemingly identifies the sample or campaign, e.g.,  “Cora/c”  \r\n2 OS version string. For Linux-based operating systems this string has the format “Linux []”, wherein\r\nthe various fields are obtained from a call to the uname function. For non-Linux operating systems\r\nthis string has the format []. The substring is being constructed by reading data from one of the files\r\n/etc/system-release, /etc/os-release (looking for the values of the NAME= and VERSION=\r\nkeys), /migadmin/ng/vpn/map/pkginfo.json (looking for the value enclosed by the strings ver_s\\\":\\\"\r\nand \\\",\\\"chksum), /etc/debian_version.\r\n3 Host name  \r\n4 Comma-separated list of / entries that represent network interfaces on the host  \r\n5 The effective user ID of the backdoor's process (result of geteuid())  \r\n6 The process ID of the backdoor's process  \r\n7 String of the format\r\ncwd=\\r\\nexecutable=\\r\\nevent=wv\\r\\nserver=139.180.128.142:443\\r\\n/proc/version=  \r\nTable 1: System Survey\r\nSubsequently, the C2 may send commands for execution that allow attackers to control the infected\r\ndevice. Command codes across platforms and versions of BOLDMOVE may vary but their core capabilities do\r\nnot appear to change and include:\r\nMajor Command Code  Minor Command Code  Command\r\n0x0 0x0 Frees all resources and terminates the backdoor\r\n0x11 0x21\r\nLists information on all files in the system recursively, starting from the\r\nroot directory. 
In addition to the file's path, the information provided for\r\neach file is based on output of the stat function and includes the following\r\nfields of the stat structure (details on it can be found here): st_mode,\r\nst_size, st_mtim.tv_sec, st_uid, st_gid.\r\n0x11 0x0 Lists information on files recursively, starting from a given directory\r\n0x12 0x0 Creates new directory via mkdir\r\n0x13 0x0 Removes a directory via rmdir\r\n0x14 0x10\r\nGiven an attacker provided file path, removes an existing file (if such\r\nexists) and creates a new file instead\r\n0x14 0x21 Closes a file descriptor that was opened for writing\r\n0x14 0x32 Writes data to the created file\r\n0x15 0x10 Gets a file's size before reading from it\r\n0x15 0x21 Closes a file descriptor that was opened for reading\r\n0x15 0x40 Reads data from a formerly opened file\r\n0x20 0x0 Executes a shell command and sends back the output\r\n0x20 0x33 Executes a shell command without sending back an output\r\n0x21\r\n0x10, 0x21,\r\n0x43, 0x44,\r\n0x45\r\nCreates an interactive shell that leverages two pipes—one for processing\r\nshell input from the server and another for sending back shell outputs, thus\r\nsupporting an asynchronous session between the C2 and the infected host.\r\nThe various subcommands handle actions involved in forming and\r\nmaintaining the shell session\r\n0x22\r\n0x10, 0x21,\r\n0x32,0x33\r\nCreates an interactive shell that leverages a single pipe for both passing\r\nserver sourced inputs to the shell and retrieving command outputs from it.\r\nThe formed shell works in a synchronous mode, wherein the pipe can be\r\neither probed to retrieve shell output or written with input data in each\r\naccess to it. The various subcommands handle actions involved in forming\r\nand maintaining the shell session\r\n0x30\r\n0x15, 0x16,\r\n0x17, 0x18\r\nInitiates a network traffic relay session. 
The C2 sends a target address as an\r\nargument and further packets passed through sub-commands of this\r\ncommand are used to pass data back and forth to and from the target server\r\n0x53 0x10\r\nDeletes the backdoor's image and creates a new one with the same name as\r\npreparation for writing an updated backdoor image\r\n0x53 0x21 Closes the file descriptor opened for writing a backdoor image update\r\n0x53 0x32\r\nWrites data sent from the C2 server to the formerly opened file descriptor\r\nthat corresponds to the updated backdoor image\r\n0x54 0x0\r\nSpawns a new process of the backdoor with the argument 1, which would\r\nin turn attempt to execute an image with that name. The purpose of this\r\naction is unclear.\r\n0x55 0x0 Same as command 0x54\r\n0x56 0x0\r\nServes as an echo command; receives a command packet from the server\r\nand replies back with a packet that has the same major command code and\r\nblank body. Possibly used to check the infected host's connectivity\\state.\r\nTable 2: Supported commands\r\nThe Linux iteration of BOLDMOVE leverages several statically compiled libraries to implement its functionality:\r\nAn undetermined and likely custom library used for event handling (reminiscent of libevent). It operates in\r\na single-threaded mode, wherein each action is scheduled and executed as an event callback. It may allude\r\nto the fact that the developers aimed for supporting the infection of single core devices, among others.\r\nWolfSSL (also compiled in a single-threaded mode), which facilitates SSL encrypted communication to the\r\nC2 server.\r\nMusl libc\r\nUpon failure, the malware reruns itself in a new process. 
In addition, if the malware is executed with a command\r\nline argument, it would not initiate the backdoor logic but rather attempt to execute the provided argument as a\r\nnew process.\r\nPrior to starting the backdoor's logic, the malware calls the signal function in order to ignore the signals\r\nSIGCHLD, SIGHUP, SIGPIPE.\r\nExtended Features\r\nThe extended version of BOLDMOVE (MD5: 3191cb2e06e9a30792309813793f78b6) contains all the\r\naforementioned functionality but with additional features.\r\nThe extended version contains Execution Guardrails (T1480) by verifying that it is executing from a specific path.\r\nIt accomplishes this in the following manner:\r\n1. Retrieving its own path from /proc/self/exe\r\n2. Obtaining an inode from this resultant path via fstatat\r\n3. Obtaining a secondary inode from the statically defined path /bin/wxd\r\n4. Comparing these two inode records\r\nFigure 1: Path Execution Guardrails\r\nThe extended version contains a command that can perform Indicator Blocking (T1562.006) by disabling Fortinet\r\ndaemons miglogd and syslogd. It also contains a command enabling it to patch memory address spaces of the\r\nsame logging daemons. Because Mandiant was unable to obtain those executables from Fortinet devices, we are\r\nunable to accurately determine the nature of those patches. However, Mandiant assesses it is likely that they are\r\nintended to disable a logging capability during the backdoor’s run-time. 
Each patch's data is kept in the following\r\nstruct:\r\nstruct st_log_patch_struct\r\n{\r\n char fortigate_version_name[24];\r\n __int64 target_addr1;\r\n __int64 patch_bytes1;\r\n __int64 target_addr2;\r\n __int64 patch_bytes2;\r\n} log_patch_struct;\r\nTable 4 in Appendix A summarizes the targeted FortiGate Devices, their corresponding patched addresses, and\r\nbytes.\r\nAdditionally, the extended version of BOLDMOVE contains a command capable of modifying proprietary\r\nFortinet logs on the system. It checks the following paths:\r\n/tmp/log\r\n/var/log/log\r\n/var/log\r\nFor filenames matching the format:\r\nelog\r\noffset/elog.ofs\r\noffset/elog..cidx\r\nOne of BOLDMOVE’s extended variant commands is capable of decompressing, parsing, and overwriting the\r\nundocumented structure pertaining to those proprietary log files allowing the attacker to modify chosen parts of\r\nthe logs.\r\nThe extended version contains a watchdog-like feature that may enable the malware to persist across upgrades. To\r\naccomplish this, BOLDMOVE monitors two files via the fstatat function:\r\n/data/lib/libgif.so\r\n/data/lib/libips.so\r\nIf the size of these files differs, BOLDMOVE performs the following actions:\r\nCreates a backup of the legitimate file /data/lib/libips.so stored at /data/lib/libiptcp.so\r\nOverwrites the legitimate library /data/lib/libips.so with a trojanized version of it located at\r\n/data/lib/libgif.so\r\nThus, if there were to be a system patch that replaced /data/lib/libips.so and the malware was still executing, it\r\nwould be able to undo the patch and maintain execution.\r\nIn addition, the extended version contains a command that allows the attackers to send requests to an internal\r\nFortinet service, possibly to modify device settings or expose internal parts of the associated network to the\r\ninternet. 
BOLDMOVE reads the contents of /dev/cmdb/vdom and parses its information to retrieve a numeric\r\nvalue, which may be associated with a virtual domain on the device. Then it creates a connection to “127.0.0.1”,\r\nlocalhost, over an attacker provided port. This suggests that a server is expected to run on that port locally. The\r\ncommand handler facilitates sending attacker-chosen data over the established connection and sending any\r\nretrieved response back to the C2.\r\nTable 3 outlines some of the differences between the Windows and Linux variants of BOLDMOVE that were\r\nidentified by Mandiant:\r\n  Windows Linux\r\nCompiler\r\nC and compiled with MinGW\r\n(GCC: (GNU) 10.2.1 20210227)\r\nCompile Time: 2021-08-26 07:13:04\r\nC and compiled with GCC 11.2.1\r\n20211120\r\nCompile Time: Unknown\r\nSSL/TLS No Yes\r\nUserAgent\r\ncurl/6.12.34\r\n(this is a non-public version of libcurl, last v6\r\nbuild was 6.5; also, the malware itself does not\r\nmake actual use of libcurl)\r\ncurl/6.12.34\r\nC2 Private class C IP Address Globally routable IP Address\r\nSupports lightweight systems\r\nNo\r\n Uses an event driven model wherein\r\nevent callbacks are used instead of\r\nthreads. 
This is facilitated by a library\r\nlike the one leveraged by the Linux\r\nvariant of BOLDMOVE, however the\r\nreason for using it in Windows is\r\nunclear.\r\nYes\r\nUses an event driven model,\r\nwherein event callbacks are used\r\ninstead of threads\r\nMusl is compiled statically into the\r\nmalware’s binary image. Musl is\r\nassociated with lighter\r\nutilization of resources in\r\ncomparison to other libc variants.\r\nWolfSSL that is used by the\r\nmalware for encrypting traffic to\r\nthe C2 is also designed in part with\r\nembedded devices in mind.\r\nEncryption\r\nEstablished connection packets are encrypted\r\nwith Salsa20:\r\nKey: \u003c8_byte_pseudorandom_nonce\u003e ||\r\n“e8dm_$Gb”\r\nEstablished sessions are encrypted with\r\nAES128:\r\nKey: \u003c8_byte_pseudorandom_nonce\u003e ||\r\n“rg8P@TD(“\r\nIV: \u003c8_byte_pseudorandom_nonce\u003e ||\r\n“e5sm_$Gb”\r\nCampaign 0.1c#2021-08-26 15:13:01\r\nCharlotte/c (other campaign names were\r\nobserved in different samples of the Linux\r\nvariant)\r\nTable 3: Differences between the Windows and Linux variants of BOLDMOVE\r\nThe survey and commands are functionally equivalent amongst both Linux and Windows.\r\nWindows and Linux Variant Comparison\r\nTable 3 shows the distinction between the Windows and Linux variants of BOLDMOVE. Most importantly, the\r\nWindows variant appears to have been compiled a year before the Linux variants. This discrepancy in time could\r\nindicate that the attackers have been developing BOLDMOVE and possibly using it in the wild since that time.\r\nThe differences may offer insight into the functionality and intended use of the malware.\r\nThere are a few differences in choices of libraries that were statically compiled into each of the variants.\r\nWhile the WolfSSL library was used in Linux in order to encrypt traffic, the Windows variant does not\r\nmake use of it. 
In addition, the Linux version leverages a statically compiled Musl libc library as opposed\r\nto standard libc functions imported as a result of compiling the Windows variant with MinGW. The usage\r\nof the Musl libc in the Linux variant, along with a library that facilitates event-driven communication\r\nwith the C2 server, could indicate that the Linux version is generally intended to be used on embedded\r\ndevices, and devices with low processing power.\r\nMandiant assesses that the BOLDMOVE Linux variant was deployed on Fortinet devices after a successful\r\nexploitation of CVE-2022-42475. However, the method for initial infection from the Windows variant is\r\ncurrently unclear. With that in mind, a private class C IP address (192.168.120[.]206) that was used in the\r\nWindows variant could indicate that it was used to communicate with an infected device inside the network\r\nfollowing lateral movement or was merely used for testing.\r\nAcknowledgment\r\nMandiant would like to acknowledge Fortinet’s assistance in sharing information, coordinating, and analyzing\r\nMandiant’s findings to verify its veracity.\r\nAppendix A: Patches\r\nTable of patches made in memory addresses of miglogd and syslogd logging daemons on various FortiGate\r\nversions by the extended Linux version of the BOLDMOVE backdoor. 
Those patches are made seemingly in\r\norder to weaken logging mechanisms during the malware’s run-time.\r\nFortiGate Version  Address 1  Bytes Written to Address 1  Address 2  Bytes Written to Address 2\r\nFG100F v7.0.5 0x1E4BFA8 E0 03 02 AA 7F 0A 00 B9 0x25A6A50 E0 03 02 AA 1F 00 00 71\r\nFG100F v7.0.7 0x1E88B68 E0 03 02 AA 7F 0A 00 B9 0x2604C90 E0 03 02 AA 1F 00 00 71\r\nFG101F v6.4.10 0x1A5DD80 E0 03 02 AA 7F 0A 00 B9 0x213C154 E0 03 02 AA 1F 00 00 71\r\nFG101F v6.4.8 0x1A2FA90 E0 03 02 AA 7F 0A 00 B9 0x20F0C00 E0 03 02 AA 1F 00 00 71\r\nFG200D v6.0.11 0x1E4F9CC 48 89 D0 90 90 83 F8 00 0x0EC73DF 48 89 D0 90 90 49 89 C7\r\nFG200E v6.0.12 0x1DB524D 48 89 D0 90 90 83 F8 00 0x0F03262 48 89 D0 90 90 49 89 C5\r\nFG200E v6.4.4 0x19409FD 48 89 D0 90 90 83 F8 00 0x1FABDDA 48 89 D0 90 90 85 C0 7F\r\nFG200E v7.0.4 0x1E65991 48 89 D0 90 90 C7 43 08 0x25D5F31 48 89 D0 90 90 85 C0 7F\r\nFG200E v7.0.8 0x1ECAE81 48 89 D0 90 90 C7 43 08 0x2665951 48 89 D0 90 90 85 C0 7F\r\nFG200E v7.2.0 0x1F3AFD1 48 89 D0 90 90 C7 43 08 0x26EB5C1 48 89 D0 90 90 85 C0 7F\r\nFG201F v6.4.7 0x1AB581D 48 89 D0 90 90 83 F8 00 0x217156A 48 89 D0 90 90 85 C0 7F\r\nFG201F v6.4.9 0x1ABF90D 48 89 D0 90 90 83 F8 00 0x218388B 48 89 D0 90 90 85 C0 7F\r\nFG240D v6.0.12 0x1E5558C 48 89 D0 90 90 83 F8 00 0x0EC753F 48 89 D0 90 90 49 89 C7\r\nFG3H0E v6.2.10 0x2019ABD 48 89 D0 90 90 83 F8 00 0x1FB826B 48 89 D0 90 90 85 C0 7F\r\nFG5H0E v6.0.5 0x1CF537D 48 89 D0 90 90 83 F8 00 0x0EBD7B0 48 89 D0 90 90 49 89 C5\r\nFG6H1E v6.4.8 0x1A1E21D 48 89 D0 90 90 83 F8 00 0x20CE65A 48 89 D0 90 90 85 C0 7F\r\nFG6H1E v6.4.9 0x1A2862D 48 89 D0 90 90 83 F8 00 0x20DF7FB 48 89 D0 90 90 85 C0 7F\r\nFG6H1E v7.2.1 0x20AFCE1 48 89 D0 90 90 C7 43 08 0x28BF201 48 89 D0 90 90 
85 C0 7F\r\nFG800D v6.2.10 0x20E18ED 48 89 D0 90 90 83 F8 00 0x2080AEB 48 89 D0 90 90 85 C0 7F\r\nFG800D v6.2.11 0x20E1B2D 48 89 D0 90 90 83 F8 00 0x2080D2B 48 89 D0 90 90 85 C0 0F\r\nFG800D v7.0.8 0x1F61271 48 89 D0 90 90 C7 43 08 0x272DCF1 48 89 D0 90 90 85 C0 7F\r\nFGT5HD v6.4.10 0x1A317CD 48 89 D0 90 90 83 F8 00 0x210250B 48 89 D0 90 90 85 C0 7F\r\nFGT60F v6.4.10 0x1953248 E0 03 02 AA 7F 0A 00 B9 0x1FFD6A4 E0 03 02 AA 1F 00 00 71\r\nFGT60F v6.4.4 0x1904898 E0 03 02 AA 7F 0A 00 B9 0x1F7BF88 E0 03 02 AA 1F 00 00 71\r\nFGT60F v6.4.8 0x192D018 E0 03 02 AA 7F 0A 00 B9 0x1FB7450 E0 03 02 AA 1F 00 00 71\r\nFGT60F v6.4.9 0x193B0B0 E0 03 02 AA 7F 0A 00 B9 0x1FFC304 E0 03 02 AA 1F 00 00 71\r\nFGT80F v6.4.10 0x19F6360 E0 03 02 AA 7F 0A 00 B9 0x20ADA54 E0 03 02 AA 1F 00 00 71\r\nVM64 v6.2.3 0x1A64193 48 89 D0 90 90 83 F8 00 0x0F2F646 48 89 D0 90 90 85 C0 48\r\nTable 4: Patches made in memory addresses of miglogd and syslogd logging daemons on various FortiGate\r\nversions\r\nAppendix B: IOCs\r\nBasic BOLDMOVE\r\nMD5: 12e28c14bb7f7b9513a02e5857592ad7\r\nSHA256: 3da407c1a30d810aaff9a04dfc1ef5861062ebdf0e6d0f6823ca682ca08c37da\r\nExtended BOLDMOVE\r\nMD5: 3191cb2e06e9a30792309813793f78b6\r\nSHA256: 0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb\r\nWindows version of BOLDMOVE\r\nMD5: 54bbea35b095ddfe9740df97b693627b\r\nSHA256: 61aae0e18c41ec4f610676680d26f6c6e1d4d5aa4e5092e40915fe806b679cd4\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw"
	],
	"report_names": [
		"chinese-actors-exploit-fortios-flaw"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434851,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41c98771353e01a3f33f337dd54f204de11f0961.pdf",
		"text": "https://archive.orkl.eu/41c98771353e01a3f33f337dd54f204de11f0961.txt",
		"img": "https://archive.orkl.eu/41c98771353e01a3f33f337dd54f204de11f0961.jpg"
	}
}