NCSC says campaign represents a significant evolution in infrastructure-focused threats, combining stealth, resilience, and operational control.
The UK's National Cyber Security Centre (NCSC) has issued a high-severity warning about an advanced malware campaign, dubbed UMBRELLA STAND, that targets Fortinet firewalls.
According to the NCSC, the malware exploits vulnerabilities in the devices themselves and camouflages its activity by combining fake TLS traffic with AES encryption. Analysing the malware on Fortinet FortiGate 100D firewalls, NCSC researchers found that it is built as a modular framework bundling BusyBox utilities, tcpdump and OpenLDAP tools, and that it hides its components behind generic Linux process names.
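The article only says the command-and-control traffic is "fake TLS". One way such traffic is usually spotted is that it borrows the 5-byte TLS record header but the bytes behind it (AES ciphertext, in this case) do not parse as a handshake. The checker below is an added example, not code from the NCSC report or from Fortinet; it assumes that shape of fake TLS, and both sample records are constructed here rather than captured from the malware.

```python
import struct

# TLS record-layer constants (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}
TLS_MAX_RECORD = 16384 + 2048   # 2^14 plaintext plus the TLS 1.2 ciphertext expansion allowance
HANDSHAKE_TYPES = {0, 1, 2, 4, 8, 11, 12, 13, 14, 15, 16, 20, 24}

# Constructed sample 1: a minimal but well-formed TLS 1.2 ClientHello record.
GENUINE_CLIENT_HELLO = (
    bytes.fromhex("160301002f")   # handshake record, record version TLS 1.0, 47 bytes follow
    + bytes.fromhex("0100002b")   # ClientHello, 43-byte body
    + bytes.fromhex("0303")       # client_version TLS 1.2
    + bytes(range(32))            # client random (fixed bytes, constructed)
    + bytes.fromhex("00")         # session id length 0
    + bytes.fromhex("00021301")   # one cipher suite: TLS_AES_128_GCM_SHA256
    + bytes.fromhex("0100")       # compression methods: null only
    + bytes.fromhex("0000")       # no extensions
)

# Constructed sample 2: a valid-looking record header followed by 32 bytes of
# "ciphertext" (assumed shape of the fake TLS traffic, not a real capture).
FAKE_RECORD = bytes.fromhex("1603030020") + bytes(range(0x9A, 0x9A + 32))


def check_tls_record(data: bytes) -> list:
    """Return the reasons `data` does not look like a genuine TLS record.

    An empty list means the record header and, for handshake records, the
    handshake header (and ClientHello prefix) are internally consistent.
    """
    findings = []
    if len(data) < 5:
        return ["shorter than the 5-byte TLS record header"]
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in TLS_CONTENT_TYPES:
        findings.append(f"unknown content type {ctype}")
    if version not in TLS_RECORD_VERSIONS:
        findings.append(f"unexpected record version 0x{version:04x}")
    if length > TLS_MAX_RECORD:
        findings.append(f"record length {length} exceeds the TLS maximum")
    body = data[5:5 + length]
    if len(body) < length:
        findings.append(f"record claims {length} bytes but only {len(body)} follow the header")
    if ctype == 22 and len(body) >= 4:
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], "big")
        if hs_type not in HANDSHAKE_TYPES:
            findings.append(f"unknown handshake type {hs_type}")
        # Handshake messages may legitimately be fragmented across records, so only
        # flag a length no real ClientHello/ServerHello would ever reach.
        if hs_len > 65535:
            findings.append(f"implausibly large handshake message ({hs_len} bytes)")
        if hs_type == 1 and len(body) >= 39:
            client_version = int.from_bytes(body[4:6], "big")
            session_id_len = body[38]   # 4-byte handshake header + 2 version + 32 random
            if client_version not in TLS_RECORD_VERSIONS:
                findings.append(f"unexpected client_version 0x{client_version:04x}")
            if session_id_len > 32:
                findings.append(f"session id length {session_id_len} exceeds 32")
    return findings


def looks_like_tls(data: bytes) -> bool:
    """Convenience wrapper: True when no structural problem was found."""
    return not check_tls_record(data)


if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE_CLIENT_HELLO), ("fake", FAKE_RECORD)):
        print(label, check_tls_record(sample) or "ok")
```

Feed it the first bytes of each client-to-server stream on the port in question (for example from a pcap via scapy or tshark). A record that passes the header checks but carries an unknown handshake type, or an impossible handshake length, is the signature of something that only imitates the framing; a stream that passes every check still needs a real TLS parser before you call it legitimate.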
UMBRELLA STAND also implements robust persistence: it patches the FortiOS reboot function and uses ld.so.preload, which the dynamic loader consults for every dynamically linked process it starts, to relaunch itself silently at each boot. It further modifies FortiOS binaries so that its files in protected directories are concealed from routine administrator checks.
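The two persistence and hiding tricks named above, an ld.so.preload entry and generic Linux process names, are both checkable from a filesystem image or a live Linux host. The script below is an added example written for this page, not NCSC or Fortinet tooling, and it assumes a stock appliance has no ld.so.preload entries at all, so every entry is reported. Every path and process in the sample data is constructed; nothing here is an indicator from the NCSC report, and operators do not get a shell on FortiOS, so the live collector is for a generic Linux host or an extracted root filesystem.

```python
import os
import re
from pathlib import Path

# Constructed sample inputs (not FortiOS artefacts).
SAMPLE_LD_SO_PRELOAD = "# glibc reads this file at every process start\n/data/lib/libhook.so\n"
SAMPLE_PROCS = [
    (1, "init", "/sbin/init"),
    (412, "sshd", "/bin/sshd"),
    (977, "kworker/1:2", "/data/.tmp/svc"),     # kernel-thread-style name on a userland binary
    (1203, "python3", "/usr/bin/python3.11"),   # benign: versioned binary name
    (1450, "java", "/usr/bin/java"),
]

# Names that belong to kernel threads, which never have a readable /proc/PID/exe.
KERNEL_THREAD_NAMES = re.compile(r"^(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|watchdog|kcompactd)")
TASK_COMM_LEN = 15   # Linux truncates /proc/PID/comm to 15 characters


def parse_ld_so_preload(text):
    """glibc treats ld.so.preload as whitespace-separated library names; lines starting with '#' are skipped."""
    libs = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        libs.extend(line.split())
    return libs


def audit_preload(libs, trusted_dirs=("/lib", "/lib64", "/usr/lib")):
    """Every entry is a finding (assumed baseline: empty or absent file); paths
    outside the system library directories are rated high."""
    findings = []
    for lib in libs:
        in_trusted = any(lib.startswith(d + "/") for d in trusted_dirs)
        findings.append((lib, "medium" if in_trusted else "high"))
    return findings


def find_masquerading_processes(procs):
    """procs: iterable of (pid, comm, exe) with exe None for kernel threads."""
    findings = []
    for pid, comm, exe in procs:
        if exe is None:
            continue   # genuine kernel threads have no executable to compare against
        if KERNEL_THREAD_NAMES.match(comm):
            findings.append((pid, comm, exe, "kernel-thread-style name on a userland binary"))
        elif not os.path.basename(exe).startswith(comm[:TASK_COMM_LEN]):
            findings.append((pid, comm, exe, "process name does not match its executable"))
    return findings


def collect_live_procs(proc_root="/proc"):
    """Build the (pid, comm, exe) table from a live Linux /proc tree."""
    procs = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue   # process exited while we were walking /proc
        try:
            exe = os.readlink(entry / "exe")
        except OSError:
            exe = None   # kernel thread, or insufficient privilege
        procs.append((int(entry.name), comm, exe))
    return procs


def audit_host(preload_path="/etc/ld.so.preload", proc_root="/proc"):
    """Run both checks against a live host or a mounted image (pass the image's paths)."""
    text = Path(preload_path).read_text() if os.path.exists(preload_path) else ""
    return {
        "ld_so_preload": audit_preload(parse_ld_so_preload(text)),
        "masquerading": find_masquerading_processes(collect_live_procs(proc_root)),
    }


if __name__ == "__main__":
    print(audit_preload(parse_ld_so_preload(SAMPLE_LD_SO_PRELOAD)))
    print(find_masquerading_processes(SAMPLE_PROCS))
```

Two caveats when using this. BusyBox applets run with comm "sh", "ls" and so on while exe resolves to the busybox binary, so on a BusyBox-based system the name-mismatch rule fires for legitimate processes; review those by the path of the busybox binary rather than the applet name. And because the article says the implant also patches FortiOS binaries to hide its files, a clean ld.so.preload read through the device's own tooling proves little; read the file from an offline image or a trusted rescue environment.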
The campaign represents a significant evolution in infrastructure-focused threats, combining stealth, resilience, and operational control in a package tailored for deeply embedded exploitation.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.