ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More

Summary

ThreatsDay Bulletin covers multiple active threats including FortiGate RaaS exploitations by The Gentlemen group, critical ITSM vulnerabilities in BMC FootPrints, and stealthy C2 malware (SnappyClient) delivered via Hijack Loader. Additional threats include CursorJack MCP deep-link abuse, mass Citrix exploitation campaigns, and Teams-based phishing for remote access.

Full text

ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More Ravie LakshmananMar 19, 2026Cybersecurity / Hacking News ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do. Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore. A few stories are clever in a bad way. Others are just frustratingly avoidable. Overall, it feels like quiet pressure is building in places that matter. Skim it or read it properly, but don’t skip this one. Emerging RaaS exploiting FortiGate flaws The Gentlemen RaaS Detailed Group-IB has shed light on the various tactics adopted by The Gentlemen, a nascent Ransomware-as-a-Service (RaaS) operation that consists of about 20 members. It originated from a payment dispute after its operator "hastalamuerte" opened a public arbitration thread on the RAMP cybercrime forum, accusing Qilin ransomware operators of unpaid affiliate commission amounting to $48,000. The group primarily uses CVE-2024-55591, a critical authentication bypass vulnerability in FortiOS/FortiProxy, for initial access. "The group maintains an operational database of approximately 14,700 already exploited FortiGate devices globally," the company said. "Separate from exploited devices, the operators maintain 969 validated brute-forced FortiGate VPN credentials ready for attack." The Gentlemen also employs defense evasion via the bring your own vulnerable driver (BYOVD) technique to terminate security processes at the kernel level. About 94 organizations have already been attacked by this threat group since its emergence in July/August 2025. Pre-auth RCE chain in ITSM platform Multiple Flaws in BMC FootPrints Four security flaws (CVE-2025-71257, CVE-2025-71258, CVE-2025-71259, and CVE-2025-71260) have been disclosed in BMC FootPrints, a widely deployed ITSM solution, that could be chained into pre-authentication remote code execution. The attack sequence begins with an authentication bypass (CVE-2025-71257) that extracts a guest session token ("SEC_TOKEN") from the password reset endpoint, which is then used to reach an unsanitized Java deserialization sink (CVE-2025-71260) in the "/aspnetconfig" endpoint's "__VIEWSTATE" parameter. Exploitation via the AspectJWeaver gadget chain enables arbitrary file write to the Tomcat web root directory, achieving full remote code execution. Armed with the SEC_TOKEN, an attacker could also exploit two SSRF flaws (CVE-2025-71258 and CVE-2025-71259) and potentially leak internal data. The issues were addressed in September 2025. Loader deploys stealthy C2 malware Hijack Loader Drops SnappyClient The malware loader known as Hijack Loader is being used to deliver a previously undocumented, C++-based command-and-control (C2) framework known as SnappyClient. "SnappyClient has an extended list of capabilities, including taking screenshots, keylogging, a remote terminal, and data theft from browsers, extensions, and other applications," Zscaler ThreatLabz said. "SnappyClient employs multiple evasion techniques to hinder endpoint security detection, including an Antimalware Scan Interface (AMSI) bypass, as well as implementing Heaven’s Gate, direct system calls, and transacted hollowing. SnappyClient receives two configuration files from the C2 server, which contain a list of actions to perform when a specified condition is met, along with another that specifies applications to target for data theft." The framework was first discovered in December 2025. The attack chain involves the distribution of malicious payloads after a user visits a website impersonating the Spanish telecom firm Telefónica. It's assessed that the primary use for SnappyClient is cryptocurrency theft, with a possible connection between the developers of HijackLoader and SnappyClient based on observed code similarities. Deep link abuse enables command execution CursorJack Abuses Deep Links for Command Execution Proofpoint has detailed a new technique called CursorJack that abuses Cursor's support for Model Context Protocol (MCP) deep links to enable local command execution or allow installation of a malicious remote MCP server. The attack takes advantage of the fact that MCP servers commonly specify a command in their "mcp.json" configuration. "The cursor:// protocol handler could be abused through social engineering in specific configurations," the company said. "A single click followed by user acceptance of an install prompt could result in arbitrary command execution. The technique could be leveraged both for local code execution via the command parameter or to install a malicious remote MCP server via the URL parameter." The enterprise security firm has also released a proof-of-concept (PoC) exploit on GitHub. Mass exploitation hits Citrix flaws New Campaign Targets Citrix Flaws A new campaign is actively targeting known security flaws in Citrix NetScaler (CVE-2025-5777 and CVE-2023-4966). According to Defused Cyber, more than 500 exploit attempts have been recorded against its honeypot system on March 16, 2026. "Highly elevated exploit activity against older vulnerabilities can often precede a zero-day vulnerability," it said. Teams phishing grants remote access Spike in Phishing Campaigns Impersonating IT Staff Rapid7 said it's seeing an increase in phishing campaigns where threat actors impersonate internal IT departments via Microsoft Teams. "The primary objective is to persuade users to launch Quick Assist, granting the TA remote access to deploy malware, exfiltrate data, or facilitate lateral movement across the network," it added. "The recent surge in Teams-based delivery highlights a critical vulnerability in how organizations manage external access. Teams often allows any external user to message internal staff. This is the functional equivalent of operating an email server without a gateway filter." ClickFix delivers AutoHotKey backdoor ClickFix Attack Leads to AutoHotKey Backdoor A new ClickFix-style campaign has compromised a Pakistani government website ("wasafaisalabad.gop[.]pk") to deliver fake CAPTCHA lures. The attack chain installs an MSI installer via a disguised clipboard command, which drops an AutoHotKey-based backdoor polling a remote server for tasks, Gen Digital said. It's currently not known how the website was breached. The social engineering tactic has proved so effective that even nation-state groups such as North Korea's Lazarus group, Iran's MuddyWater, and Russia’s APT28 have adopted it. In January, researchers from Sekoia reported that a separate ClickFix framework dubbed IClickFix had been injected into over 3,800 WordPress sites since 2024. Stealer upgrade spreads via pirated games Updated Version of ACRStealer Spotted The malware loader known as Hijack Loader is being used to deliver an updated version of an information stealer referred to as ACRStealer. "This updated variant follows similar evasion techniques and C2 initialization strategy to make it even stealthier," G DATA said. "This integration with HijackLoader highlights ACRStealer's versatility and modularity, which will likely attract more malicious actors to use it as a final payload." In these campaigns, Hijack Loader is downloaded from the domain associated with PiviGames, a Spanish portal hosting pirated PC games. The development comes against the backdrop of another campaign that involved several cases of malware being distributed through PiviGames. Live chat phishing steals sensitive data Phishing Campaign Abuses LiveChat A new phishing campaign has been observed using LiveChat, a customer service software featuring live messaging, to steal data. Phishing emails using refund

Indicators of Compromise

• cve — CVE-2024-55591
• cve — CVE-2025-71257
• cve — CVE-2025-71258
• cve — CVE-2025-71259
• cve — CVE-2025-71260
• cve — CVE-2025-5777
• cve — CVE-2023-4966
• malware — SnappyClient
• malware — Hijack Loader
• malware — The Gentlemen