TL;DR
FortiClient EMS authentication bypass (CVE-2026-35616) actively exploited to deliver credential-stealer malware despite available hotfixes. A CISA contractor accidentally published AWS GovCloud keys and agency secrets in a public GitHub repository. Android RAT BTMOB spreading via phishing, sold with a no-code builder interface. Immediate credential rotation and GitHub secret scanning required.
Executive Summary
- FortiClient Enterprise Management Server (EMS) vulnerability (CVE-2026-35616) is being actively exploited to distribute credential-stealing malware, despite availability of patches [10].
- A CISA contractor maintained a public GitHub repository exposing privileged AWS GovCloud credentials and internal agency systems, prompting congressional scrutiny [12, 14].
- BTMOB Android remote access trojan, distributed via phishing with a customizable malware builder, is spreading across Brazil and Latin America [8, 20].
- Cybercriminals have registered over 4,300 fraudulent domains impersonating FIFA since August 2025, targeting 2026 World Cup ticket buyers [23].
- Gogs self-hosted Git service contains a critical RCE vulnerability (CVSS 9.4) allowing authenticated users to execute arbitrary code [1].
Top Threats Today
1. FortiClient EMS Authentication Bypass Exploited for Credential Theft
Severity: HIGH Affected: Government, Technology, Finance
Threat actors are actively exploiting a critical authentication bypass in Fortinet FortiClient Endpoint Management Server (EMS) to deliver a credential stealer tracked as EKZ [2]. The campaign abuses trusted endpoint management infrastructure to push malware to the endpoints that EMS manages [1]. Although Fortinet released hotfixes in April and warned that the flaw had already been exploited as a zero-day, attackers continue to leverage it in targeted campaigns. The risk is outsized because EMS is a central point of control: a compromised server can distribute software to every endpoint enrolled in it, so the blast radius is the whole managed fleet rather than a single host.
Sources: [1] The Hacker News; [2] BleepingComputer
Recommended Action
- If you have not already applied Fortinet's hotfix for FortiClient EMS, prioritize patching immediately
- Audit managed endpoints for signs of credential stealer presence; review endpoint logs for suspicious process execution
- Rotate credentials for users and service accounts that may have been exposed via EMS compromise
- Monitor threat intelligence feeds for EKZ malware IOCs and block known C2 infrastructure
2. CISA Contractor Leaks AWS GovCloud Keys and Agency Secrets via Public GitHub
Severity: HIGH Affected: Government
A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials for several highly privileged AWS GovCloud accounts and a large number of internal CISA systems [2]. The exposure remained public until this past weekend, when it was remediated [2]. Security experts noted the serious implications of the public archive, and the incident has prompted demands for answers from lawmakers in both houses of Congress [1]. This is a significant supply-chain and insider-risk incident affecting the agency charged with U.S. critical infrastructure security.
Sources: [1] Krebs on Security; [2] Krebs on Security
Recommended Action
- CISA and AWS should immediately rotate all exposed GovCloud credentials and audit access logs for unauthorized activity
- Conduct forensic analysis of the GitHub repository, including its full commit history and any forks or clones, to determine how long each secret was exposed and which internal systems it could reach
- Review CloudTrail for API calls made with the exposed keys during the exposure window, especially from IP addresses outside expected ranges, and treat any key-creation or role-assumption activity as possible persistence
- Organizations reliant on CISA guidance should verify the integrity of any security advisories or tools downloaded during the exposure period
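The repository forensics and the CloudTrail review in the actions above come down to a scan-then-triage loop. The following Python script is an added example, not code from the page's sources or from CISA: it finds AWS key material in repository text using AWS's documented key formats, then filters CloudTrail records down to calls that used those keys from outside a trusted range during the exposure window. The exposure window, the trusted CIDR and the CloudTrail records are constructed sample inputs, and the key pair is AWS's published example pair, not a real credential.

```python
"""Secret-leak triage: find AWS keys in repository text, then pull CloudTrail records
that used those keys from outside trusted networks during the exposure window.
All inputs below are constructed samples; the regexes follow AWS's documented key formats."""
import ipaddress
import re
from datetime import datetime

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA; 20 chars total.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret is 40 base64-ish chars; require the variable-name hint to cut false positives.
AWS_SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_aws_secrets(text):
    """Return (sorted unique access key IDs, number of secret keys) found in text,
    e.g. a file, a diff, or the output of `git log -p --all`."""
    key_ids = sorted(set(AWS_KEY_ID_RE.findall(text)))
    return key_ids, len(AWS_SECRET_RE.findall(text))


def _parse_time(s):
    """CloudTrail eventTime is ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage_cloudtrail(records, exposed_key_ids, window_start, window_end, trusted_cidrs):
    """Return CloudTrail records where an exposed key was used inside the window from a
    source not in trusted_cidrs. Non-IP sources (AWS service principals) are kept for
    manual review rather than silently trusted."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    start, end = _parse_time(window_start), _parse_time(window_end)
    hits = []
    for rec in records:
        if rec.get("userIdentity", {}).get("accessKeyId") not in exposed_key_ids:
            continue
        if not (start <= _parse_time(rec["eventTime"]) <= end):
            continue
        try:
            addr = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:
            hits.append(rec)
            continue
        if not any(addr in n for n in nets):
            hits.append(rec)
    return hits


# --- Constructed sample input (AWS's documented example key pair, RFC 5737 test IPs) ---
SAMPLE_DIFF = """\
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+build_id = NOTAKIAAAAAAAAAAAAAAAAAA
"""
EXPOSURE_START, EXPOSURE_END = "2026-04-10T00:00:00Z", "2026-04-13T12:00:00Z"  # assumed window
TRUSTED_CIDRS = ["198.51.100.0/24"]  # assumed corporate egress range
SAMPLE_RECORDS = [
    {"eventTime": "2026-04-11T08:15:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-04-12T02:41:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.45", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-04-12T02:42:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.45", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-04-20T09:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.45", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-04-12T03:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.99", "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]


def run_example():
    """Scan the diff, then triage the trail with whatever keys the scan found."""
    key_ids, secret_count = find_aws_secrets(SAMPLE_DIFF)
    hits = triage_cloudtrail(SAMPLE_RECORDS, set(key_ids), EXPOSURE_START, EXPOSURE_END, TRUSTED_CIDRS)
    return key_ids, secret_count, [h["eventName"] for h in hits]


if __name__ == "__main__":
    print(run_example())
```

Feed the scanner `git log -p --all` rather than the working tree: a secret removed in a later commit is still recoverable from history and from any fork, so deleting the file is not remediation. The CreateAccessKey hit in the sample is the one to chase; rotating the leaked key does nothing about keys the attacker minted while it was still valid.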
3. BTMOB Android Remote Access Trojan Spreading via Phishing with Malware Builder
Severity: HIGH Affected: Finance, Retail
An Android remote access trojan named BTMOB is being offered as a service to cybercriminals with a builder interface for generating malware payloads tailored to phishing lures [1]. The malware enables full device takeover, combining financial theft with data exfiltration and remote access capabilities [3]. BTMOB is propagating across Brazil and Latin America via a licensing (MaaS) model that lowers the barrier to entry for threat actors [2]. Users are being targeted via phishing emails and fake app installers.
Sources: [1] BleepingComputer; [2] Dark Reading; [3] SecurityWeek
Recommended Action
- Deploy mobile threat defense solutions to detect and block BTMOB variants and similar RAT families
- Educate users to avoid installing apps outside official app stores and to verify app publisher identity
- Enable Google Play Protect and ensure mobile device management (MDM) enrollment on all corporate devices
- Monitor for BTMOB IOCs and command-and-control domains; block known malicious domains at network perimeter
4. Fraudulent FIFA Domains Targeting 2026 World Cup Ticket Buyers
Severity: MEDIUM Affected: Finance, Retail
Cybercriminals, identified as a Chinese-speaking fraud gang, have registered more than 4,300 fraudulent domains impersonating FIFA's official web presence since August 2025 [2]. The FBI is warning of fake websites ahead of the 2026 World Cup that are designed to steal personal and financial information, sell fake tickets and hospitality packages, and push other fraud related to the event [1]. These sites target victims seeking to purchase legitimate World Cup tickets and hospitality packages.
Sources: [1] BleepingComputer; [2] The Record
Recommended Action
- Publish alerts to customers warning against third-party ticket resellers; direct users to FIFA.com for official ticket sales
- Monitor domain registrations for FIFA brand variations and report newly registered fraudulent domains to registrars and law enforcement
- Enforce email authentication (SPF, DKIM, DMARC) on your own sending domains and validate it on inbound mail to stop direct spoofing; note that this does not block lookalike domains the fraudsters register themselves, which is why the domain monitoring above matters
- Block known fraudulent domains at DNS and network levels
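Domain monitoring, as in the second action above, is mostly a scoring problem: many registrations that contain a brand string are noise, and the ones worth escalating combine a brand lookalike with a lure word. The following Python script is an added example, not a tool from the page's sources or from FIFA or the FBI; the brand, allowlist, lure terms, homoglyph table, threshold and the feed of "newly registered" domains are all constructed assumptions.

```python
"""Score newly registered domains for brand impersonation. The domain list is constructed
for illustration; brand, lure terms, homoglyph table and threshold are assumptions."""

BRAND = "fifa"
ALLOWLIST = {"fifa.com", "fifa.org"}  # assumed legitimate registrations
# Words that turn a brand lookalike into a likely ticket/hospitality lure (assumed list).
LURE_TERMS = ("ticket", "hospitality", "worldcup", "2026", "resale", "official", "fanfest")
# Common substitutions for Latin letters in lookalike labels (partial table).
HOMOGLYPHS = {"1": "i", "l": "i", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a"}
FLAG_THRESHOLD = 2


def normalize(text):
    """Lower-case and undo digit/letter substitutions so 'f1fa' compares as 'fifa'."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text.lower())


def edit_distance(a, b):
    """Plain Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_brand_hit(norm_name):
    """True if any window of len(BRAND) or len(BRAND)+1 chars is within edit distance 1
    of the brand. Short brands make this noisy ('fift' in 'fifty'), so it scores low."""
    for w in (len(BRAND), len(BRAND) + 1):
        for i in range(len(norm_name) - w + 1):
            if edit_distance(norm_name[i:i + w], BRAND) <= 1:
                return True
    return False


def score_domain(domain):
    """Return (score, reasons). Score >= FLAG_THRESHOLD means 'review this registration'."""
    domain = domain.lower().strip(".")
    if domain in ALLOWLIST:
        return 0, ["allowlisted"]
    name = domain.rsplit(".", 1)[0]  # everything left of the TLD
    norm = normalize(name)
    score, reasons = 0, []
    if BRAND in norm:
        score += 2
        reasons.append("brand-exact")
    elif fuzzy_brand_hit(norm):
        score += 1
        reasons.append("brand-fuzzy")
    for term in LURE_TERMS:  # checked on the raw domain so the TLD (.tickets) counts too
        if term in domain:
            score += 1
            reasons.append("lure:" + term)
    return score, reasons


def flag_registrations(domains):
    """Return (domain, score, reasons) for every domain at or above the threshold, highest first."""
    scored = [(d, *score_domain(d)) for d in domains]
    flagged = [t for t in scored if t[1] >= FLAG_THRESHOLD]
    return sorted(flagged, key=lambda t: -t[1])


# Constructed feed of "newly registered" domains (not real registrations).
SAMPLE_FEED = [
    "fifa.com", "fifa-tickets-2026.com", "f1fa-worldcup.tickets", "fiifahospitality.net",
    "fifty-shirts.com", "example-sports.org", "official-fifa.store",
]

if __name__ == "__main__":
    for domain, score, reasons in flag_registrations(SAMPLE_FEED):
        print(f"{score}  {domain:28s} {', '.join(reasons)}")
```

The fuzzy match deliberately scores low: a four-letter brand is one edit away from many ordinary words, so a lookalike only reaches the threshold when it is paired with a lure term or contains the brand outright after homoglyph normalization. Tune the lure list to the event, and in practice feed the function from a certificate-transparency or newly-registered-domain stream rather than a static list.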
5. Gogs Self-Hosted Git Service Critical RCE Vulnerability
Severity: HIGH Affected: Technology, Finance, Government
A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions [1]. Rapid7 rates the flaw CVSS 9.4 [1]. Although no CVE identifier has been assigned yet, the severity and the RCE impact warrant immediate investigation by organizations running Gogs instances.
Sources: [1] The Hacker News
Recommended Action
- Review Gogs project security advisories and GitHub for available patches or workarounds
- If running Gogs in production, shrink the pool of accounts that can reach the flaw pending a patch: disable open self-registration, remove or disable accounts that are not needed, and restrict network access to the instance, since the vulnerability is exploitable by any authenticated user
- Audit Gogs access logs for suspicious activity or code execution attempts by authenticated users
- Evaluate upgrading to a maintained Git service platform if patches are delayed
Today’s Action Checklist
- ☐ URGENT: Verify FortiClient EMS patches are deployed across all endpoint management servers; check managed endpoints for EKZ credential stealer indicators
- ☐ URGENT: Audit and rotate any AWS credentials that may have been exposed via the CISA GitHub incident; review GovCloud access logs
- ☐ URGENT: Scan email and endpoint logs for BTMOB Android malware phishing campaigns; deploy mobile threat defense
- ☐ HIGH: If running Gogs, check for available patches and restrict access pending remediation
- ☐ HIGH: Block known fraudulent FIFA domains and add customer warnings about fake ticket-sale phishing