
Malware Analysis Report: UMBRELLA STAND - Malware targeting Fortinet devices

Published 23/06/2025 11:34 · Modified 24/06/2025 14:32


Essential information

Tags: 2025-06-23, aes encryption, c2, defense evasion, firewall, fortinet, persistence, process injection, remote shell, shoe rack, umbrella stand
Related entities: 11 observables, 2 malware, 2 others

Description

UMBRELLA STAND is a sophisticated malware targeting FortiGate 100D series firewalls produced by Fortinet. It contains execution functionality, a configurable beacon frequency, and AES-encrypted communications. The malware uses fake TLS on port 443 to beacon to its command-and-control server and has the ability to run shell commands. It employs defense-evasion techniques such as hidden folders, generic filenames, and string encryption. UMBRELLA STAND also has persistence mechanisms through reboot hooking and LD_PRELOAD. Associated tooling includes BusyBox, nbtscan, tcpdump, and OpenLDAP. The malware demonstrates operational security considerations and shares similarities with the previously reported COATHANGER malware.
