Campaign comparison

FortiGate Admin-Hijack Operator Plants Hidden Backdoors and Steals Full Device Configuration vs Polydrop: Dissecting a Four-Stage Implant Chain Delivered via Langflow RCE

2026-06-09  ·  2026-06-03

Link signals

Analytic: both campaigns reach the persistence, defense-evasion and exfiltration stages, but through different techniques (same objective, different method).
Commodity: the only shared ATT&CK technique is T1190 (Exploit Public-Facing Application); it is commodity tradecraft used by many unrelated actors, so it carries little attribution weight on its own.

Actor & objective

Actor: z0r0 (suspected) vs unattributed (different)
Objective: access-resale vs data-exfiltration (different)

Kill chain

= same stage & technique   ≠ same stage, different technique   • unique to one campaign

FortiGate Admin-Hijack Operator Plants Hidden Backdoors and Steals Full Device Configuration

  1. • reconnaissance
    admin login probing (User-Agent "Research/1.0") and a firmware version check from python-requests/2.34.2
  2. = initial-access · T1190
    CVE-2022-40684 authentication bypass using a spoofed Forwarded: for=127.0.0.1 header, tried after a failed CVE-2024-21762 SSL-VPN heap-spray attempt (newer bug first, then pivot to the older one)
  3. ≠ persistence · T1136.001
    created six backdoor super_admin accounts (fortipwn_test, fw1, fw2, fw3, fw_api, fortipwn_admin)
  4. ≠ persistence · T1098.004
    planted an SSH public key on the admin account (fingerprint withheld)
  5. ≠ defense-evasion · T1564
    set hidden:1 on the admin account, which removes it from the management GUI listing
  6. ≠ defense-evasion · T1556.006
    disabled two-factor authentication on the admin account
  7. ≠ exfiltration · T1552.001
    downloaded the full FortiOS configuration backup three times from two source IPs; the backup carries LDAP bind, VPN and SNMP credentials (ATT&CK files T1552.001 under credential access; the transfer of the backup off the device is the exfiltration step)
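One way to sweep a FortiOS configuration backup for the artefacts left by steps 3 to 6 of this chain (plus the trusthost 0.0.0.0/0 procedure from the side-by-side), as an added example written for this page rather than code from either write-up. The config stanza is constructed, the allowlist of known admins is a placeholder, and `set hidden 1` is an assumed rendering of the hidden:1 flag in a backup; the comparison only reports the flag, not its on-disk syntax.

```python
"""Audit a FortiOS backup for admin-hijack persistence and evasion artefacts:
unexpected super_admin accounts, SSH keys on existing admins, hidden accounts,
super_admin users without two-factor, and trusthost entries of 0.0.0.0/0.
Added example; not code from either campaign write-up."""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample backup (not from the incident). The hidden flag is an
# assumption of how hidden:1 appears in a backup.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.12-FW-build0523-230316:opmode=0:vdom=0:user=admin
config system global
    set hostname "edge-fw-01"
end
config system admin
    edit "admin"
        set trusthost1 10.20.0.0 255.255.0.0
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORDEMOONLY00000000000000000000 attacker"
        set two-factor disable
        set hidden 1
        set password ENC XXXX
    next
    edit "fw_api"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXX
    next
    edit "noc-ro"
        set trusthost1 10.20.0.0 255.255.0.0
        set accprofile "prof_admin"
        set vdom "root"
        set two-factor fortitoken
        set password ENC XXXX
    next
end
"""

# Placeholder allowlist; in practice maintained out of band, never from the box.
KNOWN_ADMINS = {"admin", "noc-ro"}

_EDIT = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
_SET = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')


def parse_admins(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {admin_name: {key: [values]}} from the `config system admin` block."""
    admins: Dict[str, Dict[str, List[str]]] = {}
    in_block, current = False, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "config system admin":
            in_block = True
            continue
        if not in_block:
            continue
        if stripped == "end":
            break
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            admins[current] = {}
            continue
        if stripped == "next":
            current = None
            continue
        m = _SET.match(line)
        if m and current is not None:
            admins[current].setdefault(m.group(1), []).append(m.group(2).strip())
    return admins


def audit(config: str, known_admins=KNOWN_ADMINS) -> List[Tuple[str, str]]:
    """Flag the kill-chain artefacts; returns (account, finding) pairs."""
    findings: List[Tuple[str, str]] = []
    for name, attrs in parse_admins(config).items():
        profile = attrs.get("accprofile", [""])[0].strip('"')
        if profile == "super_admin" and name not in known_admins:
            findings.append((name, "unexpected super_admin account"))
        for key, values in attrs.items():
            # trusthostN of 0.0.0.0 0.0.0.0 lets any source address log in.
            if key.startswith("trusthost") and values[0] == "0.0.0.0 0.0.0.0":
                findings.append((name, f"{key} allows any source (0.0.0.0/0)"))
            if key.startswith("ssh-public-key") and values[0] not in ('""', ""):
                findings.append((name, f"{key} present: SSH key implant candidate"))
        # A missing two-factor line means it is disabled.
        if profile == "super_admin" and attrs.get("two-factor", ["disable"])[0] == "disable":
            findings.append((name, "super_admin without two-factor"))
        if attrs.get("hidden", ["0"])[0] == "1":
            findings.append((name, "hidden flag set (invisible in GUI)"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for account, finding in audit(text):
        print(f"{account}: {finding}")
```

Run it against a backup exported from the CLI or GUI (`python audit.py backup.conf`); against the sample it reports the SSH key, missing 2FA and hidden flag on admin, and the unexpected super_admin profile, open trusthost and missing 2FA on fw_api, while the prof_admin read-only account is silent.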

Polydrop: Dissecting a Four-Stage Implant Chain Delivered via Langflow RCE

  1. = initial-access · T1190
    unauthenticated RCE through the Langflow code-evaluation endpoint (CVE-2025-3248)
  2. • execution · T1059.006
    a Python one-liner fetches and stages the Go loader
  3. ≠ defense-evasion · T1027
    garble-obfuscated symbols that resist GoReSym recovery
  4. ≠ persistence · T1543
    multiple init hooks: a systemd unit plus cron and shell rc entries (strictly, only the systemd unit is T1543.002; cron is T1053.003 and the rc file is T1546.004)
  5. ≠ exfiltration · T1041
    upload through the Alibaba OSS SDK over TLS (a separate channel from the TCP C2, so T1567.002, Exfiltration to Cloud Storage, is the closer mapping)

Side by side

Procedures
  FortiGate admin-hijack: config-backup-exfil; exploit-escalation:try-newer-then-pivot; hidden-admin-persistence:hidden-flag; mfa-disable; redundant-backdoor-accounts; ssh-key-implant; trusthost-any:0.0.0.0/0
  Polydrop: arch-sweep:uname-m->arch-tagged-url; fileless:memfd+fexecve; history-suppression:HISTFILE; runtime-tasking:no-targeting-in-binary
Toolmarks
  FortiGate admin-hijack: account-naming:fortipwn_; password-style:pentest (Test1234!/Pwn3d123!)
  Polydrop: buildenv:/home/vbccsb; packer:garble-no-literals
C2 protocol
  FortiGate admin-hijack: none listed
  Polydrop: tcp+single-byte-xor; url-grammar ?h=&p=&t=tcp&a={l64|l32|a64|a32}&stage=true
Tooling
  FortiGate admin-hijack: custom-cve-2022-40684-exploit; cve-2024-21762-module; python-requests
  Polydrop: alibaba-oss-sdk; garble; memfd-loader
Capabilities
  FortiGate admin-hijack: MFA disable; SSH key implantation; config exfiltration; hidden-admin persistence
  Polydrop: fileless-loader; memfd-exec; multi-init-persistence; socks5-tunnel
C2
  Polydrop: 149.104.29.201
ASNs
  Polydrop: AS139659
CVEs
  FortiGate admin-hijack: CVE-2022-40684; CVE-2024-21762
  Polydrop: CVE-2025-3248
Products
  FortiGate admin-hijack: FortiGate
  Polydrop: Langflow
Sectors
  Polydrop: ai-ml-tooling
Geographies
  global
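The arch-sweep and staging URL grammar from the Procedures and C2 protocol rows, together with key recovery for the single-byte-XOR TCP channel, as an added example written for this page (not code from the Polydrop write-up). The mapping from `uname -m` output to the l64/l32/a64/a32 tags, the port, the XOR key and the tasking-line format are assumptions; the C2 host is the indicator listed above.

```python
"""Model the Polydrop stager request and recover a single-byte XOR key from a
captured C2 frame. Added example; mapping, port, key and tasking format are
assumptions made to fit the grammar reported in the comparison."""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Assumed mapping: l = Linux x86, a = ARM, suffix = word size.
ARCH_TAGS = {"x86_64": "l64", "i686": "l32", "i386": "l32",
             "aarch64": "a64", "armv7l": "a32", "armv6l": "a32"}


def arch_tag(uname_m: str) -> Optional[str]:
    """Arch-sweep step: turn `uname -m` output into the loader's tag."""
    return ARCH_TAGS.get(uname_m.strip())


def build_stage_query(c2_host: str, c2_port: int, uname_m: str) -> str:
    """Build the ?h=&p=&t=tcp&a=<tag>&stage=true request a victim would send."""
    tag = arch_tag(uname_m)
    if tag is None:
        raise ValueError(f"unsupported arch: {uname_m}")
    return "?" + urlencode({"h": c2_host, "p": c2_port, "t": "tcp",
                            "a": tag, "stage": "true"})


def parse_stage_query(query: str) -> Optional[Dict[str, str]]:
    """Detection side: return the fields if a query matches the stager grammar, else None."""
    qs = parse_qs(query.lstrip("?"), keep_blank_values=True)
    fields = {k: v[0] for k, v in qs.items()}
    if set(fields) != {"h", "p", "t", "a", "stage"}:
        return None
    if fields["t"] != "tcp" or fields["stage"] != "true":
        return None
    if fields["a"] not in ARCH_TAGS.values():
        return None
    return fields


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse; used for both directions."""
    return bytes(b ^ key for b in data)


def recover_xor_key(frame: bytes, known_prefix: bytes = b"task=") -> Optional[int]:
    """Known-plaintext recovery: the tasking line is assumed to start with
    `task=`, so keep the key that yields that prefix and an all-printable line."""
    for key in range(256):
        plain = xor_bytes(frame, key)
        if plain.startswith(known_prefix) and all(
                32 <= b < 127 or b in b"\n\r\t" for b in plain):
            return key
    return None


# Constructed capture: an assumed tasking line (socks5 tunnel, matching the
# capabilities row) XORed with an assumed key. Port and format are invented.
ASSUMED_KEY = 0x5A
PLAIN_TASK = b"task=socks5;listen=0.0.0.0:1080;upstream=149.104.29.201:443\n"
CAPTURED_FRAME = xor_bytes(PLAIN_TASK, ASSUMED_KEY)


if __name__ == "__main__":
    print(build_stage_query("149.104.29.201", 8443, "x86_64"))
    key = recover_xor_key(CAPTURED_FRAME)
    if key is not None:
        print(f"recovered key 0x{key:02x}:", xor_bytes(CAPTURED_FRAME, key).decode().strip())
```

Pointing `parse_stage_query` at the query strings in web-proxy or Langflow access logs gives a grammar-based match that does not depend on the C2 host, which matters because the runtime-tasking procedure means targeting is absent from the binary and the host can change between stages.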
