Volexity discovered a zero-day vulnerability in Fortinet's Windows VPN client, FortiClient, that allows user credentials to remain in process memory after authentication. The vulnerability was exploited by BrazenBamboo, a Chinese state-affiliated threat actor, through a plugin in their DEEPDATA malware. DEEPDATA is a modular post-exploitation tool for Windows systems, capable of stealing sensitive information such as credentials, chat data, and browser history. A plugin specifically targeting FortiClient extracts credentials and VPN server information directly from the client's process memory, leveraging this vulnerability.
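The failure mode behind this bug class is a secret that is staged in a buffer for authentication and never cleared afterwards. The following is an added example written for this summary, not code from FortiClient, Fortinet or Volexity: it shows the leaky pattern beside the hardened one (a wipe through a volatile function pointer, the same idea as SecureZeroMemory or explicit_bzero, so the compiler cannot drop the "dead" store) and a scan over the region that a defender triaging a memory dump would use to confirm whether plaintext is still present. The function names (authenticate_leaky, authenticate_wiped, region_contains, send_credential) and the sample password are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the constructed staging buffer that stands in for the region of
 * process memory where a VPN client holds the password during authentication. */
#define CRED_CAP 64

/* memset reached through a volatile function pointer: the compiler must keep
 * the call, so the wipe is not optimized away as a store nobody reads. */
static void *(* volatile const secure_memset)(void *, int, size_t) = memset;

static void wipe(void *p, size_t n) { secure_memset(p, 0, n); }

/* Stand-in for handing the credential to the authentication protocol
 * (hypothetical; real clients pass it to a TLS/VPN handshake). */
static int send_credential(const char *cred, size_t len) {
    (void)cred;
    return len > 0 ? 0 : -1;
}

/* Leaky pattern: copy the secret into the staging buffer, use it, return.
 * The plaintext stays behind for the lifetime of the process. */
int authenticate_leaky(char *staging, const char *password) {
    size_t n = strlen(password);
    if (n >= CRED_CAP) return -1;
    memcpy(staging, password, n + 1);
    return send_credential(staging, n);
}

/* Hardened pattern: identical flow, but the buffer is wiped as soon as the
 * secret is no longer needed (and would be on every error path too). */
int authenticate_wiped(char *staging, const char *password) {
    size_t n = strlen(password);
    if (n >= CRED_CAP) return -1;
    memcpy(staging, password, n + 1);
    int rc = send_credential(staging, n);
    wipe(staging, CRED_CAP);
    return rc;
}

/* Memory-dump triage check: does the region still contain the plaintext? */
int region_contains(const unsigned char *region, size_t region_len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > region_len) return 0;
    for (size_t i = 0; i + n <= region_len; i++)
        if (memcmp(region + i, needle, n) == 0) return 1;
    return 0;
}

/* Returns 1 if the plaintext survives a leaky authentication (constructed sample password). */
int demo_leaky(void) {
    char region[CRED_CAP];
    const char *pw = "constructed-sample-password";
    memset(region, 0, sizeof region);
    authenticate_leaky(region, pw);
    return region_contains((const unsigned char *)region, sizeof region, pw);
}

/* Returns 1 if the plaintext survives a wiped authentication (expected: 0). */
int demo_wiped(void) {
    char region[CRED_CAP];
    const char *pw = "constructed-sample-password";
    memset(region, 0, sizeof region);
    authenticate_wiped(region, pw);
    return region_contains((const unsigned char *)region, sizeof region, pw);
}

int main(void) {
    printf("plaintext present after leaky auth: %d\n", demo_leaky());
    printf("plaintext present after wiped auth: %d\n", demo_wiped());
    return 0;
}
```

The scan deliberately looks at the whole buffer rather than just the string length: in a real process the leftover secret may sit past a later, shorter write, which is why wiping the full capacity of the staging area (not only strlen bytes) is the safer habit.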
BrazenBamboo is known for developing multi-platform malware families, including DEEPDATA, DEEPPOST, and LIGHTSPY. DEEPPOST focuses on data exfiltration, transferring files to remote servers via HTTPS, while LIGHTSPY targets multiple operating systems, including iOS, Android, macOS, and now Windows. The Windows variant of LIGHTSPY demonstrates unique functionality, such as enhanced command-and-control (C2) capabilities and a distinct plugin architecture for remote surveillance. Both DEEPDATA and LIGHTSPY share overlapping C2 infrastructure and development methods, strongly linking them to the same threat actor.
Analysis of BrazenBamboo’s infrastructure revealed a lack of operational security, typical of domestic surveillance operations. The C2 operator panel includes references to domestic law enforcement and supports multiple users, suggesting that BrazenBamboo develops tools for governmental clients. The continued development of their malware families and the scale of their data collection highlight the group’s technical sophistication and operational longevity.