A newly disclosed zero-day vulnerability in Fortinet's FortiClient for Windows has been exploited by a threat actor known as BrazenBamboo to steal VPN credentials. The exploitation is carried out through a malware framework called DEEPDATA, according to researchers at Volexity.
Who is BrazenBamboo?
BrazenBamboo is a China-linked threat actor with a history of developing advanced cyber espionage tools, including:
The Exploitation Process
The zero-day vulnerability, reported to Fortinet by Volexity in July 2024, allows BrazenBamboo to extract VPN credentials from FortiClient by reading them out of the client's process memory. At the core of DEEPDATA is a DLL loader (data.dll), which decrypts and launches multiple plugins via an orchestrator module (frame.dll).
Key Findings:
Despite disclosure to Fortinet, the vulnerability remains unpatched, leaving users exposed to potential attacks.
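Because the technique described above depends on another process opening the VPN client and reading its memory, one defensive check is to review process-access telemetry for exactly that. The script below is an added example and not code from Volexity, Fortinet or the DEEPDATA framework. It assumes Sysmon-style ProcessAccess (Event ID 10) records in JSON lines with the fields SourceImage, TargetImage and GrantedAccess; the watched process names, the allowlist and the sample records are constructed assumptions to be tuned to a real environment.

```python
"""Flag processes that open a VPN client with memory-read rights.

Added defensive example (not vendor or researcher code). Input is assumed to be
Sysmon Event ID 10 (ProcessAccess) records serialised as JSON lines; the field
names match Sysmon, the values below are constructed for demonstration.
"""
import json

# Assumption: image names of the VPN client processes to watch (lower-case).
WATCHED_IMAGES = {"forticlient.exe", "fortisslvpndaemon.exe"}

# Windows PROCESS_VM_READ access right; any mask containing this bit lets the
# opener read the target's memory (PROCESS_ALL_ACCESS, 0x1FFFFF, includes it).
PROCESS_VM_READ = 0x0010

# Assumption: source processes legitimately expected to open the client.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}


def is_suspicious(event):
    """Return True when a non-allowlisted process opens a watched VPN client
    process with a GrantedAccess mask that permits reading its memory."""
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    if target not in WATCHED_IMAGES:
        return False
    if event["SourceImage"].lower() in ALLOWLIST:
        return False
    granted = int(event["GrantedAccess"], 16)  # Sysmon logs this as hex text
    return bool(granted & PROCESS_VM_READ)


def find_suspicious(lines):
    """Parse JSON-lines ProcessAccess records and return the SourceImage of
    every record that is_suspicious() flags, in input order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious(event):
            hits.append(event["SourceImage"])
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # system process with full access: allowlisted, ignored
        "UtcTime": "2024-11-15 10:01:02.000",
        "SourceImage": r"C:\Windows\System32\csrss.exe",
        "TargetImage": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
        "GrantedAccess": "0x1FFFFF",
    },
    {   # unknown binary opening the client with QUERY_INFORMATION|VM_READ
        "UtcTime": "2024-11-15 10:01:05.000",
        "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "TargetImage": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
        "GrantedAccess": "0x1010",
    },
    {   # same client, but only QUERY_LIMITED_INFORMATION: no memory read
        "UtcTime": "2024-11-15 10:01:07.000",
        "SourceImage": r"C:\Windows\explorer.exe",
        "TargetImage": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
        "GrantedAccess": "0x1000",
    },
    {   # memory read of an unrelated process: out of scope for this check
        "UtcTime": "2024-11-15 10:01:09.000",
        "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "TargetImage": r"C:\Windows\notepad.exe",
        "GrantedAccess": "0x1010",
    },
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for source in find_suspicious(SAMPLE_LOG.splitlines()):
        print("suspicious VPN client memory access from:", source)
```

The check keys on the access mask rather than on a specific malware name, so it is not tied to data.dll or frame.dll; expect the allowlist to need expansion for EDR agents and other legitimate openers before it is used for alerting.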
Expanding Threat Capabilities
BrazenBamboo’s tools are interconnected: LightSpy shares code and infrastructure with DEEPDATA, suggesting that a single private contractor develops malware for state-sponsored operations. LightSpy’s Windows variant incorporates plugins for:
The orchestrator behind LightSpy, BH_A006, has historical links to the suspected Chinese group Space Pirates, known for targeting Russian entities.
Implications of the Attack
The DEEPDATA and DEEPPOST frameworks expand BrazenBamboo’s espionage capabilities, with potential impacts including:
Recommendations for Organizations
Given the severity of the vulnerability, organizations are advised to:
The Bigger Picture
BrazenBamboo’s operational longevity and multi-platform capabilities underscore the need for robust cybersecurity defenses. As state-sponsored actors continue to refine their techniques, staying ahead of the threat curve is critical for organizations globally.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067