{ "id": "69fef3d9-64e1-4af1-829f-f641b54079fd", "created_at": "2026-04-10T03:20:34.118754Z", "updated_at": "2026-04-10T03:22:17.906399Z", "deleted_at": null, "sha1_hash": "b72d5bb67df9749a9569834cbc55332599493c87", "title": "Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 582430, "plain_text": "Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop\r\nMalware\r\nBy The Hacker News\r\nPublished: 2023-01-20 · Archived: 2026-04-10 02:46:29 UTC\r\nA suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a\r\nzero-day in attacks targeting a European government entity and a managed service provider (MSP) located in\r\nAfrica.\r\nTelemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as\r\nOctober 2022, at least nearly two months before fixes were released.\r\n\"This incident continues China's pattern of exploiting internet facing devices, specifically those used for managed\r\nsecurity purposes (e.g., firewalls, IPS\\IDS appliances etc.),\" Mandiant researchers said in a technical report.\r\nThe attacks entailed the use of a sophisticated backdoor dubbed BOLDMOVE, a Linux variant of which is\r\nspecifically designed to run on Fortinet's FortiGate firewalls.\r\nThe intrusion vector in question relates to the exploitation of CVE-2022-42475, a heap-based buffer overflow\r\nvulnerability in FortiOS SSL-VPN that could result in unauthenticated remote code execution via specifically\r\nhttps://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html\r\nPage 1 of 2\n\ncrafted requests.\r\nEarlier this month, Fortinet disclosed that unknown hacking groups have capitalized on the shortcoming to target\r\ngovernments and other large organizations with a generic Linux implant capable of delivering additional payloads\r\nand executing commands sent by a remote server.\r\nThe latest findings from Mandiant indicate that the threat actor managed to abuse the vulnerability as a zero-day to\r\nits advantage and breach targeted networks for espionage operations.\r\n\"With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth\r\nunderstanding of systems, services, logging, and undocumented proprietary formats,\" the threat intelligence firm\r\nsaid.\r\nThe malware, written in C, is said to have both Windows and Linux flavors, with the latter capable of reading data\r\nfrom a file format that's proprietary to Fortinet. Metadata analysis of the Windows variants of the backdoor shows\r\nthat they were compiled as far back as 2021, although no samples have been detected in the wild.\r\nBOLDMOVE is designed to carry out a system survey and is capable of receiving commands from a command-and-control (C2) server that in turn allows attackers to perform file operations, spawn a remote shell, and relay\r\ntraffic via the infected host.\r\nAn extended Linux sample of the malware comes with extra features to disable and manipulate logging features in\r\nan attempt to avoid detection, corroborating Fortinet's report.\r\n\"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom\r\nimplants, is consistent with previous Chinese exploitation of networking devices,\" Mandiant noted.\r\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content\r\nwe post.\r\nSource: https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html\r\nhttps://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html" ], "report_names": [ "new-chinese-malware-spotted-exploiting.html" ], "threat_actors": [], "ts_created_at": 1775791234, "ts_updated_at": 1775791337, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b72d5bb67df9749a9569834cbc55332599493c87.pdf", "text": "https://archive.orkl.eu/b72d5bb67df9749a9569834cbc55332599493c87.txt", "img": "https://archive.orkl.eu/b72d5bb67df9749a9569834cbc55332599493c87.jpg" } }