Fortinet Patch Bypasses, GootLoader Evasion, and AI Prompt Injection
- SISA Weekly Threat Watch -
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Perimeter and Cloud Defenses Crumble Under Configuration Gaps
The “front door” of the enterprise is under siege, both from failed patches and the exposure of intentionally vulnerable assets.
Fortinet FortiGate SSO Bypass (CVE-2025-59718) — Fully patched FortiGate firewalls are being compromised. Attackers are bypassing the fix for CVE-2025-59718 through the FortiCloud SSO login path, creating administrator accounts (for example, secadmin) and exfiltrating device configurations. The practical consequence is that up-to-date firmware alone is not sufficient protection while FortiCloud SSO administrative login remains enabled.
Weaponization of Cloud Security Testing Apps — Threat actors are scanning for and exploiting intentionally vulnerable training applications (such as DVWA and OWASP Juice Shop) left exposed in Fortune 500 cloud environments. Using the tools' default credentials and the privileged IAM roles attached to the instances they run on, attackers deploy crypto miners and webshells, turning security training assets into high-risk entry points.
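A first response to the Fortinet item is to check every FortiGate configuration backup for the two indicators named above: FortiCloud SSO administrative login still enabled, and administrator accounts nobody created on purpose. The following script is an added example written for this advisory, not Fortinet code. The sample configuration is constructed; the setting name admin-forticloud-sso-login under config system global is taken from FortiOS documentation and should be confirmed against your firmware version, and the EXPECTED_ADMINS allowlist is an assumption you replace with your own.

```python
# Constructed sample of a FortiOS configuration dump (not taken from a real device).
# The "secadmin" entry mirrors the rogue-admin indicator cited in the advisory.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "secadmin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Admin accounts the organization expects to exist (assumed allowlist for the example).
EXPECTED_ADMINS = {"admin"}


def parse_fortios(config_text):
    """Parse a FortiOS text config into {section path: {entry name: {key: value}}}.

    Settings outside any 'edit' block are stored under the entry key None. A
    'config' block nested inside an 'edit' gets its own path, e.g.
    'system admin/gui-dashboard'. Multi-valued settings keep their raw text.
    """
    sections = {}
    path = []          # stack of enclosing 'config' section names
    entry_stack = []   # 'edit' entry that was open when a nested config began
    entry = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            path.append(line[len("config "):])
            entry_stack.append(entry)
            entry = None
            sections.setdefault("/".join(path), {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections["/".join(path)].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            sections["/".join(path)].setdefault(entry, {})[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            path.pop()
            entry = entry_stack.pop()
    return sections


def audit_admin_exposure(config_text, expected_admins=EXPECTED_ADMINS):
    """Return findings about FortiCloud SSO admin login and unexpected admin accounts."""
    cfg = parse_fortios(config_text)
    findings = []

    # FortiOS 'show' output omits settings left at their default, so an absent key
    # means "device default", which must be verified on the box rather than assumed
    # safe. Only an explicit 'disable' is treated as clean here.
    sso = cfg.get("system global", {}).get(None, {}).get("admin-forticloud-sso-login")
    if sso != "disable":
        state = sso if sso is not None else "not explicitly set"
        findings.append(f"admin-forticloud-sso-login is {state}; disable it until the SSO bypass is fully fixed")

    # Every administrator outside the allowlist is reported with its profile,
    # so a rogue super_admin such as 'secadmin' stands out immediately.
    for name, attrs in cfg.get("system admin", {}).items():
        if name is None or name in expected_admins:
            continue
        findings.append(f"unexpected admin account {name!r} with profile {attrs.get('accprofile', '?')}")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_exposure(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it over the backups your configuration-management tooling already collects; an empty result is the only acceptable state, and a non-empty one should be treated as an incident lead rather than a hygiene ticket.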
2. Evasion Techniques Defeat Static Analysis
Malware developers are refining delivery mechanisms to bypass gateway scanners and EDR, leveraging structural manipulation and trusted binaries.
GootLoader’s Malformed ZIP Archives — GootLoader is delivering payloads inside ZIP files built from hundreds of concatenated archives with truncated headers. The deliberate structural corruption causes automated scanners (and tools such as 7-Zip) to fail on the file, while the native Windows ZIP extractor tolerates the errors, so the victim extracts and runs the JavaScript payload without any warning. Any control that relies on a single parser's view of an archive can be blinded by a file that other parsers read differently.
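The parser-disagreement problem above is easy to reproduce and, more usefully, to detect: instead of trusting whichever end-of-central-directory record a ZIP library picks, walk every such record in the file and every local file header, and compare the two inventories. The script below is an added example written for this advisory, not GootLoader's tooling or any vendor's scanner. It constructs its own test blob (two complete archives plus one truncated fragment, standing in for the hundreds of segments used in the wild) and uses Python's zipfile module only as a stand-in for a reader that trusts a single central directory; it makes no claim about exactly how 7-Zip or Windows Explorer behave on real samples.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CD_SIG = b"PK\x01\x02"       # central directory header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record
EOCD_FMT = "<4sHHHHIIH"      # 22-byte EOCD layout


def build_zip(name, content):
    """Build a minimal single-member, uncompressed ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_gootloader_style_blob():
    """Concatenate two complete archives and a truncated third, as described for GootLoader."""
    decoy = build_zip("readme.txt", "Nothing to see here.\n")
    payload = build_zip("invoice.js", "WScript.Echo('simulated payload');\n")
    fragment = build_zip("update.js", "x")[:20]   # cut inside the 30-byte local header
    return decoy + payload + fragment


def analyze_zip_blob(data):
    """Inventory every embedded archive and stray local header in a ZIP byte string.

    Returns {"archives": [member names per EOCD record],
             "stray": [local-header names no central directory accounts for],
             "truncated": [offsets of local-header signatures too short to parse]}.
    The walk is a byte-level signature search, deliberately not trusting any one
    central directory; signature bytes inside compressed data would show up as
    noise, so treat the output as a triage indicator, not proof.
    """
    archives, covered = [], set()
    pos = 0
    while (pos := data.find(EOCD_SIG, pos)) != -1:
        if len(data) - pos >= 22:
            _, _, _, _, entries, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, pos)
            start = pos - cd_size - cd_offset        # where this embedded archive begins
            cd, names = start + cd_offset, []
            for _ in range(entries):
                if data[cd:cd + 4] != CD_SIG:
                    break
                name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, cd + 28)
                local_off = struct.unpack_from("<I", data, cd + 42)[0]
                names.append(data[cd + 46:cd + 46 + name_len].decode("utf-8", "replace"))
                covered.add(start + local_off)       # local header this entry points at
                cd += 46 + name_len + extra_len + comment_len
            archives.append(names)
        pos += 4
    stray, truncated = [], []
    pos = 0
    while (pos := data.find(LOCAL_SIG, pos)) != -1:
        if len(data) - pos < 30:
            truncated.append(pos)
        elif pos not in covered:
            name_len = struct.unpack_from("<H", data, pos + 26)[0]
            stray.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos += 4
    return {"archives": archives, "stray": stray, "truncated": truncated}


def names_seen_by_single_cd_reader(data):
    """What a reader that trusts only the last EOCD record (here zipfile) reports, or None on rejection."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


if __name__ == "__main__":
    blob = build_gootloader_style_blob()
    print("full inventory:", analyze_zip_blob(blob))
    print("single-CD view:", names_seen_by_single_cd_reader(blob))
```

The gap between the two outputs is the detection: a mail gateway or sandbox should quarantine any archive whose byte-level inventory contains more members, more EOCD records, or more truncated headers than its ZIP library admits to, because that is exactly the file an end-user extractor will treat more generously.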
Qilin Ransomware via PDFSider DLL Side-Loading — In a “living-off-the-land” style attack, the Qilin ransomware group is using a new backdoor, PDFSider. It abuses a legitimate, digitally signed PDF24 executable to side-load a malicious DLL named cryptbase.dll, so the malware executes in memory under the trust context of a signed application and bypasses EDR controls that judge the process image rather than what it loads.
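Side-loading of this kind leaves a clear trace in image-load telemetry: a DLL whose name belongs in System32 (cryptbase.dll here) resolving from the application's own directory instead. The detection below is an added example for this advisory, not Qilin's code and not a vendor rule. The Sysmon Event ID 7 records are constructed (field names follow Sysmon's schema; paths, user names and signer strings are invented), and the SYSTEM_ONLY_DLLS list is an assumed, partial list of DLL names that should only ever load from the Windows system directories.

```python
import ntpath

# DLL names that legitimately resolve only from the Windows system directories.
# Partial, assumed list for the example; cryptbase.dll is the name reported for PDFSider.
SYSTEM_ONLY_DLLS = {
    "cryptbase.dll", "version.dll", "dbghelp.dll", "userenv.dll",
    "wtsapi32.dll", "profapi.dll", "cryptsp.dll", "dwmapi.dll",
}
SYSTEM_DIRS = (
    r"c:\windows\system32" + "\\",
    r"c:\windows\syswow64" + "\\",
    r"c:\windows\winsxs" + "\\",
)

# Constructed Sysmon Event ID 7 (Image loaded) records.
SAMPLE_EVENTS = [
    # Normal: the signed reader loads the real cryptbase.dll from System32.
    {"Image": r"C:\Program Files\PDF24\pdf24-Reader.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Side-load: a copy of the signed reader dropped in a user-writable folder
    # picks up an unsigned cryptbase.dll sitting next to it.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup\pdf24-Reader.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\setup\cryptbase.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Normal: the application's own signed DLL from its install directory.
    {"Image": r"C:\Program Files\PDF24\pdf24-Reader.exe",
     "ImageLoaded": r"C:\Program Files\PDF24\pdf24-Reader.dll",
     "Signed": "true", "Signature": "Example Software Vendor", "SignatureStatus": "Valid"},
]


def _norm(path):
    """Lower-case a Windows path and unify separators so prefix checks are reliable."""
    return path.replace("/", "\\").lower()


def is_system_path(path):
    """True when the path sits under one of the Windows system directories."""
    return _norm(path).startswith(SYSTEM_DIRS)


def detect_side_loading(events):
    """Flag image loads where a system-only DLL name resolved outside the system directories.

    That is the core of search-order hijacking: the loader found a same-named DLL
    earlier in the search path (typically the executable's own directory) than the
    genuine one in System32. Signer fields are carried into the alert so an analyst
    sees at a glance that the planted DLL is unsigned.
    """
    alerts = []
    for ev in events:
        dll = ev["ImageLoaded"]
        if ntpath.basename(_norm(dll)) not in SYSTEM_ONLY_DLLS or is_system_path(dll):
            continue
        colocated = ntpath.dirname(_norm(dll)) == ntpath.dirname(_norm(ev["Image"]))
        alerts.append({
            "process": ev["Image"],
            "dll": dll,
            "signed": ev.get("Signed", "false").lower() == "true",
            "signer": ev.get("Signature", ""),
            "colocated_with_process": colocated,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_side_loading(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The same logic ports directly to a SIEM query over Sysmon EID 7 or the equivalent EDR image-load event; the trailing backslash on each entry in SYSTEM_DIRS matters, because without it a directory such as System32Backup would pass the prefix test.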
3. Emerging Frontiers: AI Exploitation and Major Breaches
New attack surfaces in AI are being proven in the wild, while traditional ransomware continues to claim high-profile victims.
Gemini AI Indirect Prompt Injection — A new exploit vector demonstrates how attackers can embed malicious natural-language prompts inside Google Calendar invites. When a user asks Gemini to summarize their schedule, the AI processes the hidden prompt and creates new events or leaks data without user approval, proving that “read-only” AI contexts can be manipulated into performing actions.
Everest Ransomware Claims McDonald’s India — The Everest ransomware group has claimed the theft of 861 GB of data from McDonald’s India. The leak allegedly includes financial reports, ERP migration data, and store-level operational details. The breach highlights the persistent risk of double-extortion tactics targeting large-scale retail operations.
Proactive Steps for the Week
- Emergency Fortinet Action: Do not rely solely on firmware patches. Immediately disable FortiCloud SSO administrative login, restrict administrative access to trusted management addresses via local-in policies, and review the administrator list for accounts you did not create, until a comprehensive fix for the bypass is confirmed.
- Block “Script-from-ZIP” Execution: Update Group Policy so that .js files are no longer executed by wscript.exe on open (for example, by reassigning the .js file association to a text editor), with particular attention to scripts originating from compressed archives, to neutralize GootLoader.
- Sanitize Cloud Testing Environments: Conduct an immediate inventory of cloud assets to identify and decommission exposed training applications (DVWA, Juice Shop), or isolate them strictly from production IAM roles.
- Harden “Side-Loading” Targets: Implement AppLocker or WDAC rules that prevent unsigned DLLs from loading into signed processes, and monitor specifically for anomalies involving PDF24 or Quick Assist.
- Treat AI Inputs as Untrusted: Review enterprise AI settings to ensure “human-in-the-loop” approval is required for sensitive actions (such as calendar modifications), and educate users on the risks of asking an AI assistant to summarize externally supplied content.
- Verify Supply Chain Integrity: In light of the McDonald’s India claim, organizations with shared supply chains should verify the security posture of regional subsidiaries and third-party vendors.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.