Cybersecurity researchers have revealed a new threat posed by DEEPDATA, a sophisticated malware framework developed by the China-linked threat actor BrazenBamboo. DEEPDATA leverages an unpatched zero-day vulnerability in Fortinet’s FortiClient VPN software for Windows to extract user credentials directly from the program’s memory. This vulnerability, first identified in July 2024, remains unresolved, leaving users of FortiClient exposed to potential exploitation. DEEPDATA’s discovery highlights the increasing complexity of post-exploitation tools and the risks posed by unpatched security flaws.
The malware operates as a modular framework consisting of a DLL loader, “data.dll,” and an orchestrator module, “frame.dll,” which decrypts and executes up to 12 plugins. Among these is a FortiClient-specific plugin designed to harvest VPN credentials. According to Volexity researchers, DEEPDATA was built for extensive data collection, capable of exfiltrating browser information, application passwords, and Wi-Fi configurations. These capabilities make it a powerful tool for cyber espionage, enabling attackers to maintain long-term access to compromised systems and gather critical intelligence.
DEEPDATA is not an isolated development. It shares infrastructure and code-level similarities with LightSpy, a malware family targeting macOS, iOS, and Windows, attributed to Chinese state-sponsored actors. BlackBerry recently reported that LightSpy has been used to compromise popular communication platforms like WhatsApp, Signal, Telegram, and Microsoft Outlook. The overlap between these malware families points to a coordinated effort by a private enterprise or centralized entity developing advanced tools for state-sponsored campaigns. Researchers also noted the use of a loader, BH_A006, previously linked to another Chinese threat actor known as Space Pirates, suggesting possible collaboration or shared resources.
Despite the critical nature of this vulnerability, Fortinet has yet to release a patch since it was disclosed by Volexity in mid-2024. This delay underscores the urgency for organizations to employ robust detection measures and ensure comprehensive monitoring of VPN client usage. With BrazenBamboo continuing to refine its capabilities and develop multi-platform tools, the risk of exploitation remains high. The findings serve as a reminder of the need for vigilance in addressing security flaws, particularly in tools that are integral to secure remote work and communication.
