
Cybersecurity researchers have uncovered a new campaign where hackers use a fake Fortinet VPN “Compliance Checker” tool to install malware while bypassing antivirus and download monitoring tools. The attack combines social engineering, cache smuggling, and identity spoofing to quietly infect devices.
According to reports from Expel and independent researcher P4nd3m1cb0y, attackers are creating websites that mimic a Fortinet FortiClient “Compliance Checker” pop-up. Victims are instructed to copy a supposed file path from the dialog and paste it into File Explorer.
However, Fortinet has no such public “Compliance Checker” pop-up; it is a fake. The attackers use a deceptive file path padded with over 100 blank spaces to conceal a PowerShell command. When victims paste and execute it, the command silently runs malicious code in the background.
Meanwhile, hidden JavaScript on the phishing site forces the browser to fetch what appears to be an image file. This image is then saved to the local browser cache, but it’s actually a ZIP file containing malware.
This method, known as cache smuggling, lets hackers hide malware in the browser’s cache instead of downloading it directly. Since most antivirus tools and monitoring systems look for direct downloads or PowerShell scripts making web requests, the attack goes unnoticed.
Once in the cache, the PowerShell script scans for the fake image file, recognizes the embedded ZIP archive, extracts it, and saves the payload as FortiClientComplianceChecker.exe, the actual malware.
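A defensive check for the technique described above, as an added example that is not code from Expel, the researcher, or this article: it scans a browser cache directory for files that carry a ZIP archive behind non-ZIP leading bytes and lists any executable members. The function names, the suffix list and the sample cache entry are assumptions constructed for illustration, and the check assumes cache entries are stored uncompressed on disk.

```python
import io
import zipfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".msi", ".ps1", ".bat", ".lnk"}  # assumed list
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature


def embedded_zip_members(blob: bytes) -> list[str]:
    """Return member names if blob carries a ZIP archive behind other leading bytes."""
    if blob.startswith(ZIP_MAGIC) or ZIP_MAGIC not in blob:
        return []  # an ordinary ZIP file, or no archive at all
    try:
        # zipfile locates the end-of-central-directory record and corrects
        # member offsets for any bytes placed in front of the archive.
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []  # signature bytes present by chance, not a real archive


def scan_cache_dir(cache_dir: str) -> list[dict]:
    """Walk a cache directory and report files that hide a ZIP archive."""
    findings = []
    for path in Path(cache_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            blob = path.read_bytes()
        except OSError:
            continue  # e.g. file locked by a running browser
        members = embedded_zip_members(blob)
        if members:
            risky = [m for m in members if Path(m).suffix.lower() in EXECUTABLE_SUFFIXES]
            findings.append({"file": str(path), "members": members, "executables": risky})
    return findings


def constructed_cache_entry() -> bytes:
    """Constructed sample: image-like leading bytes + ZIP + trailing bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FortiClientComplianceChecker.exe", b"MZ constructed placeholder")
    return b"\xff\xd8\xff\xe0 constructed header " + buf.getvalue() + b" trailing bytes"
```

Run `scan_cache_dir` against a copy of the browser profile's cache folder; any finding with a non-empty `executables` list warrants triage, since image responses have no reason to contain an archive.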
Researchers explain that this approach is particularly dangerous because it avoids traditional detection points, letting the malware reach the device without raising any security alerts.
While details about the attackers and their targets remain limited, researchers warn that some ransomware groups have already started using this method to distribute their payloads. The stealthy nature of the attack makes it an attractive option for threat actors looking to bypass advanced endpoint protections.
Security experts recommend the following precautions:
This new campaign highlights how cybercriminals continue to refine their social engineering and malware delivery tactics to stay one step ahead of security defenses.