Malware Analysis Report: UMBRELLA STAND - Malware targeting Fortinet devices
Essential information
- Published: 23/06/2025 11:34
- Modified: 24/06/2025 14:32
- Tags: 2025-06-23 aes encryption c2 defense evasion firewall fortinet persistence process injection remote shell shoe rack umbrella stand
- Related entities: 11 observables, 2 malware, 2 others
Description
UMBRELLA STAND is a sophisticated malware family targeting FortiGate 100D series firewalls produced by Fortinet. It provides remote shell execution, a configurable beacon frequency, and AES-encrypted C2 communications. The malware beacons to its C2 server over fake TLS on port 443 and can run shell commands on the device. It employs several defense evasion techniques, including hidden folders, generic filenames, and string encryption. UMBRELLA STAND also persists across reboots by hooking the reboot process and through LD_PRELOAD. Associated tooling includes BusyBox, nbtscan, tcpdump, and OpenLDAP. The malware shows evidence of operational security considerations by its operators and shares similarities with the previously reported COATHANGER malware.