‘UMBRELLA STAND’ Malware Campaign Exploits FortiGate Firewalls, NCSC Reports

The UK National Cyber Security Centre (NCSC) has released an in-depth technical report exposing a sophisticated malware campaign, dubbed “UMBRELLA STAND,” that specifically targets Fortinet FortiGate 100D firewalls.

The malware leverages previously unreported techniques for persistence, defense evasion, and remote command execution, allowing threat actors to establish long-term, covert access to enterprise networks.

Advanced Threat Targets Fortinet Network Devices

According to the NCSC analysis report, UMBRELLA STAND comprises a modular toolset, delivered through exploitation of Fortinet device vulnerabilities.

The campaign is characterized by its use of AES-encrypted command and control (C2) communications over port 443, masquerading as legitimate TLS traffic.

Unlike standard TLS, however, the malware employs a fake handshake, enabling it to evade many traditional security monitoring solutions.
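The article says the implant's port-443 traffic only imitates TLS and lacks a proper handshake, and later recommends watching for exactly that. The report as summarised here does not describe the fake handshake's byte layout, so the following is an added, generic detection example (not NCSC's or Fortinet's code) that checks whether the first client bytes of a port-443 flow form a structurally valid TLS ClientHello record; anything on 443 that fails the check is flagged for review. The flow tuples and byte strings are constructed for the example, and the C2 address is the one quoted in the article's IOC list.

```python
# Structural check for TLS ClientHello records on port 443 (added example, not from the report).
TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "client_hello"


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True only if payload starts with a well-formed TLS ClientHello record.

    Checks the record header (type 0x16, version 0x03xx, 2-byte length) and the
    handshake header (type 0x01, 3-byte length) and requires the two lengths to agree.
    """
    if len(payload) < 9:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor not in (0x00, 0x01, 0x02, 0x03):
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    handshake_len = int.from_bytes(payload[6:9], "big")
    # The 4-byte handshake header plus its body must fill the record exactly.
    return handshake_type == CLIENT_HELLO and handshake_len == record_len - 4


def flag_fake_tls_flows(flows):
    """flows: iterable of (src, dst, dport, first_client_bytes).

    Returns (src, dst) for every flow to port 443 whose first client bytes are
    not a ClientHello; genuine TLS clients always open with one.
    """
    return [
        (src, dst)
        for src, dst, dport, first in flows
        if dport == 443 and not looks_like_tls_client_hello(first)
    ]


def build_client_hello() -> bytes:
    """Constructed minimal ClientHello: version, 32-byte random, empty session id,
    one cipher suite (TLS_AES_128_GCM_SHA256), null compression."""
    body = b"\x03\x03" + bytes(range(32)) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows (hypothetical internal hosts; the 89.44.194.32 address is the
# C2 IP listed in the article's IOC table).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, build_client_hello()),                    # genuine TLS
    ("10.0.0.7", "89.44.194.32", 443, bytes.fromhex("8f2a51c0de77aa0193fb")),   # opaque encrypted blob
    ("10.0.0.7", "89.44.194.32", 443,                                            # right magic bytes, but
     b"\x16\x03\x01\x00\x10" + b"\x02" + b"\x00\x00\x0c" + bytes(12)),           # not a ClientHello
    ("10.0.0.9", "203.0.113.20", 80, b"GET / HTTP/1.1\r\n"),                     # not port 443, ignored
]

if __name__ == "__main__":
    for src, dst in flag_fake_tls_flows(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {src} -> {dst}")
```

The check only needs the first client payload of each flow, which is what a network sensor or a packet-capture-based hunt would have available; a flow that passes it is not proven clean, but one that fails it on port 443 from a firewall management plane is worth pairing with the file-system indicators listed later in the article.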

The initial infection vector exploits exposed management interfaces or other vulnerabilities in the FortiGate 100D series.

Once implanted, UMBRELLA STAND deploys a core set of binaries, each with a specialized role.

The primary module (“blghtd”) is responsible for networking and tasking, while auxiliary components maintain persistence, enable process injection, and monitor the main process to ensure continuous operation.

[Figure: the different components of UMBRELLA STAND]

Associated tools such as customized versions of BusyBox, nbtscan, tcpdump, and OpenLDAP are leveraged to support reconnaissance, lateral movement, and traffic capture within victim environments.

Malware Uses Custom Loader

The malware’s C2 infrastructure is highly configurable, allowing operators to alter beacon intervals and C2 endpoints by remote command.

UMBRELLA STAND can execute arbitrary shell commands on the device, manipulate system files, and exfiltrate sensitive data through chunked file-read operations.

Notably, the binary “a” serves as a file encryptor/decryptor, using weak, easily brute-forced AES keys, which the NCSC was able to recover and use to decrypt related payloads.

The persistence mechanisms identified by NCSC include both a reboot hooker, which overwrites the device’s reboot functionality so that the malware is reloaded, and dynamic linker hijacking via /etc/ld.so.preload.

The latter ensures that the “libguic.so2” module is injected into new processes, facilitating malware reinitialization after system restarts.

To further evade detection, the campaign employs several operational security measures: binaries and utilities are stored in hidden directories (/data2/.ztls/), use generic-sounding file names, and overwrite process names to mimic legitimate system processes (e.g., /bin/httpsd).

The malware also modifies the FortiOS sysctl utility, abusing legitimate functionality to conceal its presence from administrators.

UMBRELLA STAND shows parallels with other advanced campaigns, particularly “COATHANGER,” sharing similar loader architectures and string encryption techniques.

However, additional developments such as encrypted stack strings, command grouping, and improved process hiding demonstrate ongoing evolution in threat capability.

The NCSC report recommends organizations with FortiGate deployments urgently review system logs, monitor for anomalous TLS traffic on port 443 without proper handshakes, and search for indicators of compromise (IOCs) listed below.

The malware’s sophistication and stealth highlight the need for network defenders to deploy layered detection, promptly patch exposed devices, and harden management interfaces.

Indicators of Compromise (IOCs)

Type        Description              Value/Path
IPv4        C2 Infrastructure        89.44.194.32
Path        Hidden Directory         /data2/.ztls/
Path        Temp File                /tmp/%d.sv
Path        Config File (.ini)       /data2/tmp/%s.ini
File        Main Binary              blghtd (SHA-256: 8bacd5df99476328321a7e8e2fc0124c20f7a7ebf3e8f151c050387038515b70)
YARA Rule   Stack Constants          UMBRELLA_STAND_stack_constants_used_for_crypt
YARA Rule   Injected Tool Loader     UMBRELLA_STAND_injected_tool_load_mechanism
String      C2 IP Reference          “89.44.194.32”
String      Process Impersonation    “/bin/httpsd”
File        BusyBox Variant          lidwok (SHA-256: d3b88b7f640e478d8d875e12b4561e8c794909e4954aebbc6fd1f5e79f381648)
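The article asks defenders to search for the indicators above, and two of the paths are printf-style templates (%d, %s) rather than literal names, so a naive substring search would miss them. The following is an added example (not NCSC's or Fortinet's tooling) that turns the listed IOCs into a small matcher: literal strings and the C2 address are matched as substrings, the path templates are converted to regular expressions, and a file's SHA-256 can be compared with the two listed hashes. The sample log and listing lines are constructed for the example; the indicator values are quoted from the table.

```python
import hashlib
import re

# Indicator values quoted from the article's IOC table.
IOC_IPS = {"89.44.194.32"}
IOC_HASHES = {
    "8bacd5df99476328321a7e8e2fc0124c20f7a7ebf3e8f151c050387038515b70": "blghtd (main binary)",
    "d3b88b7f640e478d8d875e12b4561e8c794909e4954aebbc6fd1f5e79f381648": "lidwok (BusyBox variant)",
}
IOC_STRINGS = {"/data2/.ztls/", "/bin/httpsd", "libguic.so2", "/etc/ld.so.preload"}
# printf-style templates from the report: %d and %s are wildcards, not literal text.
IOC_PATH_TEMPLATES = ["/tmp/%d.sv", "/data2/tmp/%s.ini"]


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Escape the template, then turn the escaped %d / %s markers into character classes."""
    pattern = re.escape(template)
    pattern = pattern.replace(re.escape("%d"), r"\d+")
    pattern = pattern.replace(re.escape("%s"), r"[^/\s]+")
    return re.compile(pattern)


def scan_lines(lines):
    """Return (line_number, indicator) for every IOC hit in the given text lines.

    Works on anything line-oriented: process listings, directory listings, connection
    tables, or the contents of /etc/ld.so.preload.
    """
    compiled = [(t, template_to_regex(t)) for t in IOC_PATH_TEMPLATES]
    hits = []
    for number, line in enumerate(lines, 1):
        for ip in IOC_IPS:
            if ip in line:
                hits.append((number, "ip:" + ip))
        for needle in IOC_STRINGS:
            if needle in line:
                hits.append((number, "string:" + needle))
        for template, regex in compiled:
            if regex.search(line):
                hits.append((number, "path:" + template))
    return hits


def classify_sha256(data: bytes):
    """Return the IOC label for a file's bytes if its SHA-256 is listed, else None."""
    return IOC_HASHES.get(hashlib.sha256(data).hexdigest())


# Constructed sample lines imitating output gathered from a FortiGate shell; not real data.
SAMPLE_LINES = [
    "tcp  0  0 10.0.0.5:51234  89.44.194.32:443  ESTABLISHED  1423/httpsd",
    "1423 ?  S  0:03 /bin/httpsd",
    "-rwxr-xr-x 1 root root 61440 /data2/.ztls/blghtd",
    "-rw-r--r-- 1 root root   128 /tmp/4871.sv",
    "-rw-r--r-- 1 root root   512 /data2/tmp/cfg.ini",
    "/data2/.ztls/libguic.so2",            # as it would appear inside /etc/ld.so.preload
    "-rwxr-xr-x 1 root root  9216 /bin/sysctl",
]

if __name__ == "__main__":
    for number, indicator in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {indicator}")
    print(classify_sha256(b"constructed, not the malware"))  # None
```

A hit on "/bin/httpsd" alone is weak evidence, because the article notes the implant picks that name precisely to blend in with legitimate FortiOS processes; treat it as corroborating only when it appears alongside the hidden directory, the preload entry, the C2 address, or a hash match. The hash comparison is the only indicator here that is not trivially changed between victims, so it is the one to prioritise when binaries can be pulled off the device.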


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
