COATHANGER
COATHANGER is a custom remote access trojan (RAT) / backdoor designed to infect FortiGate network security appliances running FortiOS. It has been reported as deployed after exploitation of FortiOS SSL-VPN vulnerabilities, specifically CVE-2022-42475 and CVE-2023-27997, and was used to compromise a Dutch Ministry of Defence military network. Dutch intelligence services assessed with high confidence that the intrusion was conducted by a Chinese state-sponsored actor, and later reporting linked the activity to Volt Typhoon; Fortinet also described the COATHANGER cluster as having limited sightings and noted hallmarks similar to APT15. COATHANGER has been associated with cyber-espionage operations targeting government, service providers, consultancies, manufacturing, and critical infrastructure organizations.
The malware is notable for persistence and stealth on FortiGate devices. Dutch reporting states it can survive reboots and firmware upgrades by injecting a backup of itself into the process responsible for rebooting the system, effectively reinfecting the device during reboot. It also hides its presence by intercepting system calls. Fortinet reporting on the COATHANGER cluster describes components including authd, which can inject a library into a running process and hook an existing function with a replacement from that library; newcli, an injector; preload.so for persistence via reboot-hooking; httpsd for command-and-control and configuration read/write; liblog.so for log-related hooking; libpe.so as an unpacker; smartctl as a trojanized command executor; and a container packfile. The first stage is delivered as a packed file.
For command and control, COATHANGER connects to C2 infrastructure using SSL and also uses ICMP to transmit configuration information to and from its C2 server. Reported anti-forensic behavior includes removing files from victim environments following use. The malware was named COATHANGER by a CERT partner based on a string found in a sample. Dutch authorities warned that COATHANGER infections can remain difficult to identify and remove, and that even fully patched FortiGate devices may remain infected if compromise occurred before patching.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices... APT29 has exploited ... CVE-2018-13379 for FortiGate VPNs... Dragonfly ... exploited ... CVE-2018-13379 for Fortinet VPNs... Magic Hound ... exploited ... Fortios SSL VPNs (CVE-2018-13379). Play ... including CVE-2018-13379 ... in FortiOS.
Dutch authorities released a cybersecurity advisory about an attack against the Netherlands Ministry of Defence (MOD) in which attackers exploited CVE-2022-42475 against a Fortigate device to gain initial access and deploy malware known as "COATHANGER." ... The CSA notes ... exploitation of CVE-2022-42475 by Volt Typhoon against a vulnerable FortiGate 300D firewall that “was not patched.”
...the Chinese Volt Typhoon hacking group exploited two FortiOS vulnerabilities (tracked as CVE-2023-27997 and CVE-2022-42475) to deploy Coathanger remote access trojan malware...
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In February 2024, the service revealed that Chinese hackers had broken into a compartmentalized Dutch Ministry of Defence network by exploiting a FortiGate vulnerability, deploying malware the agencies named COATHANGER.
"...attackers exploited CVE-2022-42475 against a Fortigate device to gain initial access and deploy malware known as 'COATHANGER.'"
This sample contained an interesting string that led one of our CERT partners to name this cluster COATHANGER: “She took his coat and hung it up.”
"a previously unknown malware strain named Coathanger, a remote access trojan (RAT) designed to infect Fortigate network security appliances"
...a computer network used by the armed forces was infiltrated by Chinese state-sponsored actors by exploiting known flaws in Fortinet FortiGate devices to deliver a backdoor called COATHANGER.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
In February 2024, the service revealed that Chinese hackers had broken into a compartmentalized Dutch Ministry of Defence network by exploiting a FortiGate vulnerability, deploying malware the agencies named COATHANGER.
Initial Access
1 technique
The report also sets out details about PLA hacking units that have not previously appeared in Western public intelligence reporting, stating that “multiple components within the same unit were even competing to find vulnerabilities in a particular type of edge device” in 2025.
Execution
4 techniques
Fortinet disclosed in February that the Chinese Volt Typhoon hacking group exploited two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to backdoor a Dutch Ministry of Defence military network using custom Coathanger remote access trojan (RAT) malware.
Persistence
3 techniques
Fortinet disclosed in February that the Chinese Volt Typhoon hacking group exploited two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to backdoor a Dutch Ministry of Defence military network using custom Coathanger remote access trojan (RAT) malware.
Privilege Escalation
4 techniques
The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.
Silence has injected a DLL library containing a Trojan into the fwmain32.exe process. WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation. COATHANGER includes a binary labeled authd that can inject a library into a running process and then hook an existing function within that process with a new function from that library.
Stealth
11 techniques
"hiding itself by intercepting system calls to avoid revealing its presence."
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.
Silence has injected a DLL library containing a Trojan into the fwmain32.exe process. WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation. COATHANGER includes a binary labeled authd that can inject a library into a running process and then hook an existing function within that process with a new function from that library.
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Discovery
2 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Lateral Movement
1 technique
"...a new critical remote code execution vulnerability in FortiOS SSL VPN..."
Command and Control
5 techniques
Examples include 'Drovorub ... initiated communication with C2 servers with an HTTP Upgrade request' and 'COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.'
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
"Anchor has used ICMP in C2 communications." / "COATHANGER uses ICMP for transmitting configuration information..." / "PHOREAL communicates via ICMP for C2." / "Regin ... can use ICMP to communicate between infected computers." / "Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications."
"a previously unknown malware strain named Coathanger, a remote access trojan (RAT) designed to infect Fortigate network security appliances"
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
Impact
1 technique
"Moreover, the infection survives firmware upgrades" and "Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied."
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware implant/backdoor deployed after exploitation of a FortiGate vulnerability in a Chinese cyberespionage campaign. It was used to compromise Dutch Ministry of Defence networks and was later found on at least 20,000 FortiGate systems worldwide, with infections described as difficult to identify and remove.
Remote access trojan used to provide attackers with persistent remote control/access on compromised networks.
Custom remote access trojan (RAT) used to backdoor networks, providing persistent unauthorized access for threat actors.
Custom remote access trojan (RAT) used to backdoor networks, providing persistent remote access for threat actors.