‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls
The UK’s National Cyber Security Centre (NCSC) has issued an alert regarding a sophisticated malware campaign dubbed “UMBRELLA STAND”, actively targeting internet-facing Fortinet FortiGate firewalls. This campaign is designed for long-term persistence and covert access to enterprise networks through stealthy exploitation of FortiOS vulnerabilities.
- Published: June 24, 2025
- Threat Level: High
- Targeted Devices: Fortinet FortiGate 100D Series
Technical Overview
UMBRELLA STAND is a modular malware framework that:
- Establishes persistent remote access by hooking the device's reboot routine and by dynamic linker hijacking (ld.so.preload)
- Evades detection through fake TLS communication on port 443 and file obfuscation
- Executes shell commands and captures network traffic using tools like BusyBox, tcpdump, and nbtscan
Rather than negotiating a real TLS session, UMBRELLA STAND wraps AES-encrypted payloads in fake TLS handshake headers and sends them to a hard-coded C2 address, 89.44.194.32, so that the traffic blends in with ordinary HTTPS on port 443. The bytes on the wire look like TLS at a glance but do not form a valid handshake, which is the property detection should key on.
⚙️ Capabilities and Persistence
- Remote command execution via the ash and BusyBox shells
- Configurable beaconing intervals and dynamic C2 redirection, so the hard-coded IP above is not the only address the implant can talk to
- Persistence through:
- A modified reboot routine that re-establishes the implant after restart
- ld.so.preload injection of a malicious shared object (libguic.so)
- A hidden working directory (/data2/.ztls/)
- Process hiding by impersonating a legitimate FortiOS process name (/bin/httpsd)
- A malicious sysctl binary that subverts Fortinet's built-in protections so that the payloads stay hidden on disk
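The fake-TLS beaconing described above is visible from the network side even when the device itself cannot be inspected. The following Python script is an added example, not code from the NCSC report or from OP Innovate: it hunts connection logs for the two behaviours the report describes, bytes sent to port 443 that do not form a structurally valid TLS ClientHello, and machine-regular connection timing, and adds a match on the published C2 address as a third signal. Because the implant supports C2 redirection, it flags regular fake-TLS beacons to any destination rather than only the known IP. The log format, the sample entries, the jitter and sample-count thresholds and the ClientHello sanity check are all assumptions; the only value taken from the report is 89.44.194.32.

```python
import struct
from collections import defaultdict
from statistics import mean, pstdev

# The one value taken from the NCSC report; every threshold below is an assumption.
C2_IPS = {"89.44.194.32"}
BEACON_MIN_CONNECTIONS = 4   # assumption: samples needed before judging periodicity
BEACON_MAX_JITTER = 0.10     # assumption: stdev/mean below this looks machine-timed


def is_plausible_client_hello(payload: bytes) -> bool:
    """Structural check on the first bytes a client sends to port 443.

    A genuine TLS session opens with a handshake record (type 0x16, version 3.x)
    whose length field matches the bytes that follow, carrying a ClientHello
    (type 0x01) whose own length is the record length minus its 4-byte header.
    A fake header glued onto AES ciphertext usually violates one of these.
    """
    if len(payload) < 9:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != 0x16 or major != 3 or minor > 3:
        return False
    if rec_len != len(payload) - 5:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # ClientHello body is at least version(2) + random(32) + session_id_len(1).
    return hs_type == 0x01 and hs_len == rec_len - 4 and hs_len >= 35


def build_client_hello(client_random: bytes) -> bytes:
    """Construct a minimal well-formed TLS 1.2 ClientHello (test fixture only)."""
    body = (b"\x03\x03" + client_random      # version + 32-byte client random
            + b"\x00"                        # empty session id
            + b"\x00\x02\xc0\x2f"            # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
            + b"\x01\x00")                   # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_log(text: str):
    """Parse constructed lines of the form: epoch,src,dst,dport,hex_first_bytes."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, payload_hex = line.split(",")
        records.append((int(ts), src, dst, int(dport), bytes.fromhex(payload_hex)))
    return records


def hunt(records):
    """Return {(src, dst): [reasons]} for flows that merit a closer look."""
    flows = defaultdict(list)
    for ts, src, dst, dport, payload in records:
        flows[(src, dst)].append((ts, dport, payload))
    findings = {}
    for (src, dst), conns in flows.items():
        reasons = []
        if dst in C2_IPS:
            reasons.append("known C2 address")
        if any(dport == 443 and not is_plausible_client_hello(p) for _, dport, p in conns):
            reasons.append("non-TLS bytes on 443")
        stamps = sorted(ts for ts, _, _ in conns)
        if len(stamps) >= BEACON_MIN_CONNECTIONS:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg < BEACON_MAX_JITTER:
                reasons.append(f"regular beacon every ~{round(avg)}s")
        if reasons:
            findings[(src, dst)] = reasons
    return findings


# Constructed sample traffic: a real ClientHello, and a fake TLS header (0x16 0x03 0x01
# plus a length) wrapping 16 bytes that stand in for AES ciphertext.
LEGIT_HELLO = build_client_hello(bytes(range(32))).hex()
FAKE_HELLO = (b"\x16\x03\x01\x00\x10" + bytes(range(0x5A, 0x6A))).hex()

SAMPLE_LOG = "\n".join([
    # 10.0.0.5 beacons to the published C2 every 300 s with fake TLS
    f"1719230400,10.0.0.5,89.44.194.32,443,{FAKE_HELLO}",
    f"1719230700,10.0.0.5,89.44.194.32,443,{FAKE_HELLO}",
    f"1719231000,10.0.0.5,89.44.194.32,443,{FAKE_HELLO}",
    f"1719231300,10.0.0.5,89.44.194.32,443,{FAKE_HELLO}",
    # 10.0.0.7 is a user browsing: real ClientHellos at irregular times
    f"1719230410,10.0.0.7,203.0.113.10,443,{LEGIT_HELLO}",
    f"1719230955,10.0.0.7,203.0.113.10,443,{LEGIT_HELLO}",
    f"1719233120,10.0.0.7,203.0.113.10,443,{LEGIT_HELLO}",
    f"1719234000,10.0.0.7,203.0.113.10,443,{LEGIT_HELLO}",
    # 10.0.0.9 beacons to a redirected, unpublished C2 every 60 s with fake TLS
    f"1719230460,10.0.0.9,198.51.100.20,443,{FAKE_HELLO}",
    f"1719230520,10.0.0.9,198.51.100.20,443,{FAKE_HELLO}",
    f"1719230580,10.0.0.9,198.51.100.20,443,{FAKE_HELLO}",
    f"1719230640,10.0.0.9,198.51.100.20,443,{FAKE_HELLO}",
])

if __name__ == "__main__":
    for (src, dst), reasons in hunt(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

Run against real data, the first bytes of each flow would come from a packet capture or a sensor that records initial payload bytes; NetFlow alone gives you the timing signal but not the TLS structure check. The jitter threshold is deliberately tight so that human browsing (the 10.0.0.7 flow) is not flagged; loosen it if the implant's interval is expected to carry randomised sleep.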
Indicators of Compromise (IOCs)
| Type | Description | Value/Path |
| --- | --- | --- |
| IPv4 | C2 infrastructure | 89.44.194.32 |
| Directory | Hidden working directory | /data2/.ztls/ |
| File | Main networking binary | blghtd |
| File | Watchdog process | jvnlpe |
| File | BusyBox variant | lidwok |
| File | Shared object injected via ld.so.preload | libguic.so |
| Process | Impersonated process name | /bin/httpsd |
| Path | Temp file (the %d is a format-string placeholder filled in at runtime) | /tmp/%d.sv |
| Path | Config file (.ini; the %s is a format-string placeholder filled in at runtime) | /data2/tmp/%s.ini |
| YARA | NCSC detection rules | UMBRELLA_STAND_stack_constants_used_for_crypt, UMBRELLA_STAND_injected_tool_load_mechanism |
Recommended Actions
Organizations running FortiGate firewalls should patch to the latest FortiOS release immediately and monitor for suspicious TLS traffic on port 443, in particular connections to 89.44.194.32 and port-443 flows whose first bytes do not form a valid TLS handshake. Patching alone does not evict an implant that is already persisting on a device, so hunt for the IOCs above before treating a device as clean.
The YARA rules published by the NCSC can be deployed to scan for the malware's encrypted strings and injected loaders.
Need Help? Contact OP Innovate
Our incident response and red team experts recommend proactive hunting across device firmware and logs, not just endpoint monitoring.
If you suspect compromise or need assistance in validating exposure, contact OP Innovate’s Incident Response team immediately.