S1105: COATHANGER
COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high-confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: "She took his coat and hung it up".[1]
Analyst context for executives and security teams
COATHANGER matters because it is a remote access tool aimed at FortiGate network appliances, which often sit at critical trust boundaries for remote access, segmentation, and security enforcement. A compromised appliance can become both a persistence point and a blind spot if SOC logging, firmware integrity checks, and network-device incident response procedures are weaker than endpoint coverage.
Executive priority
Treat this as a resilience and control-validation issue for exposed network security appliances. Leaders should ask whether FortiGate assets are inventoried, patched against relevant exposure such as CVE-2022-42475 where applicable, centrally logged, and covered by incident response playbooks. Because ATT&CK provides no official detection guidance for this object, assurance should come from evidence: asset ownership, patch status, administrative access review, appliance telemetry retention, and tested response procedures for network devices.
Technical view
MITRE describes COATHANGER as a RAT targeting FortiGate networking appliances, delivered after access to a FortiGate device, with observations linked to CVE-2022-42475. Relationship context shows behaviors defenders should validate around stealth, discovery, execution, persistence, and command-and-control: rootkit-like hiding, obfuscation and packing, process injection, Unix shell execution, process and file discovery, file deletion, hidden files, Linux/Mac permission changes, web and non-application-layer C2, asymmetric cryptography, and execution-flow or dynamic-linker hijacking. SOC and IR teams should avoid assuming endpoint-style controls cover these appliances and should confirm what FortiGate and surrounding network telemetry is actually available.
Likely telemetry
- FortiGate asset inventory, firmware/software version, and exposure records
- Vulnerability and patch evidence for CVE-2022-42475 where relevant
- Administrative login, configuration change, and management-plane access logs
- System/process information available from the appliance or vendor-supported diagnostics
- File integrity or configuration backup comparisons, including unexpected encrypted, hidden, deleted, or permission-modified files
Detection direction
- Start with coverage validation: determine whether appliance logs, management-plane events, network egress, and configuration changes are collected and retained long enough for investigation.
- Hunt for relationship-driven patterns rather than a single signature: suspicious shell execution, process discovery, file and directory enumeration, file deletion, hidden artifacts, permission changes, and unexpected execution-flow behavior on Linux-like appliance environments.
- Review FortiGate-originated outbound traffic for unusual web-protocol use, non-application-layer communication, and encrypted sessions inconsistent with expected appliance behavior.
- Correlate any evidence of exploitation of public-facing services with later stealth and C2 behaviors, especially where CVE-2022-42475 exposure existed.
- Tune carefully for administrator activity and maintenance windows; many appliance operations can resemble discovery or configuration changes without being malicious.
Mitigation priorities
- Maintain a complete inventory of FortiGate devices, including internet exposure, firmware/software versions, ownership, and logging status.
- Prioritize remediation of relevant public-facing appliance vulnerabilities, including CVE-2022-42475 where applicable to the environment.
- Restrict and monitor management-plane access; review privileged administrative accounts and configuration-change paths.
- Centralize appliance logs and network telemetry so FortiGate devices are not excluded from SOC monitoring and incident response evidence collection.
- Use configuration backups and approved baseline comparisons to support detection of unauthorized changes, hidden artifacts, or integrity concerns.
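The last mitigation above, comparing an approved baseline against the live device, is concrete enough to show in code. The block below is an added example and is not code from the ATT&CK page, the NCSC-NL advisory or Glexia. It assumes the operator can export a file inventory from an approved configuration backup and from the live appliance (via vendor-supported diagnostics) as records of path, hash, permission bits, owner and size; the record format, the hypothetical paths and every sample value are constructed for the example. It flags exactly the classes of change the page's mapped techniques describe: hidden additions, deletions, modified shared objects (including one that grew by a small trailer), and permission or ownership changes.

```python
"""Baseline comparison of an appliance file inventory.

Added example; not code from the ATT&CK page, the NCSC-NL advisory or Glexia.
Assumes the operator can export a file inventory from an approved configuration
backup and from the live device as records of path, hash, mode, owner and size.
The record format and every sample value below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str   # hex digest of the file content (constructed short values below)
    mode: int     # POSIX permission bits, e.g. 0o755
    uid: int
    gid: int
    size: int     # bytes


def is_hidden_path(path: str) -> bool:
    """True when any component of the path starts with '.' (hidden file or directory)."""
    return any(part.startswith(".") for part in path.split("/") if part)


def compare_snapshots(baseline, current):
    """Diff two inventories; return findings as dicts with kind, path and detail.

    Kinds correspond to behaviours a hunt looks for on an appliance: hidden
    additions, deletions, modified shared objects, and permission or ownership
    changes on files that exist in both snapshots.
    """
    base = {r.path: r for r in baseline}
    cur = {r.path: r for r in current}
    findings = []

    for path in sorted(cur.keys() - base.keys()):
        kind = "added_hidden" if is_hidden_path(path) else "added"
        findings.append({"kind": kind, "path": path, "detail": f"{cur[path].size} bytes"})

    for path in sorted(base.keys() - cur.keys()):
        findings.append({"kind": "removed", "path": path, "detail": "present in baseline only"})

    for path in sorted(base.keys() & cur.keys()):
        b, c = base[path], cur[path]
        if b.sha256 != c.sha256:
            kind = "modified_shared_object" if path.endswith(".so") else "modified"
            if c.size > b.size:
                detail = f"content changed, grew by {c.size - b.size} bytes"
            else:
                detail = f"content changed, size {b.size}->{c.size}"
            findings.append({"kind": kind, "path": path, "detail": detail})
        if b.mode != c.mode:
            findings.append({"kind": "mode_changed", "path": path,
                             "detail": f"{oct(b.mode)}->{oct(c.mode)}"})
        if (b.uid, b.gid) != (c.uid, c.gid):
            findings.append({"kind": "owner_changed", "path": path,
                             "detail": f"uid/gid {b.uid}/{b.gid}->{c.uid}/{c.gid}"})
    return findings


# Constructed sample inventories. Paths and hashes are placeholders, not real
# FortiGate artifacts; the 56-byte growth mirrors the size of the obfuscated
# trailer the page reports, nothing more.
BASELINE = [
    FileRecord("/bin/httpsd", "a1", 0o755, 0, 0, 4096),
    FileRecord("/lib/libexample.so", "b1", 0o644, 0, 0, 20480),
    FileRecord("/data/config.conf", "c1", 0o600, 0, 0, 2048),
    FileRecord("/data/old.log", "d1", 0o644, 0, 0, 512),
]
CURRENT = [
    FileRecord("/bin/httpsd", "a1", 0o755, 0, 0, 4096),
    FileRecord("/lib/libexample.so", "b2", 0o644, 0, 0, 20480 + 56),
    FileRecord("/data/config.conf", "c1", 0o644, 0, 0, 2048),
    FileRecord("/data/.example-hidden/preload.so", "e1", 0o755, 0, 0, 8192),
]


def run_example():
    """Compare the constructed snapshots and return the findings list."""
    return compare_snapshots(BASELINE, CURRENT)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['kind']:24} {f['path']:40} {f['detail']}")
```

The comparison is only as good as the baseline's provenance: take it from a backup captured before the exposure window and stored off the appliance, otherwise a compromised device will simply diff clean against itself.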
Analyst notes and limits
The strongest decision value is not the malware name alone, but the control gap it exposes: many organizations have mature endpoint detection but weaker visibility on network appliances. COATHANGER’s mapped techniques emphasize stealth, C2, discovery, and execution behaviors that require telemetry from both the appliance and the surrounding network. The official description also notes targeted intrusions against military and government entities in the Netherlands and other victims, and a high-confidence assessment linking the malware to a PRC state-sponsored entity, sourced to the NCSC-NL advisory.
ATT&CK does not provide official detection guidance for this software object, and the object has no ATT&CK tactics listed directly. The guidance above is derived only from the official description, external references, platforms, and supplied technique relationships. Local applicability depends on whether the organization uses FortiGate devices, whether relevant CVE exposure existed, and what appliance and network telemetry is retained.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion Sub-technique | COATHANGER removes files from victim environments following use in multiple instances.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | COATHANGER uses ICMP for transmitting configuration information to and from its command and control server.[1] |
| Enterprise | T1057 | Process Discovery | COATHANGER will query running process information to determine subsequent program execution flow.[1] |
| Enterprise | T1543.004 | Launch Daemon Sub-technique | COATHANGER will create a daemon for timed check-ins with command and control infrastructure.[1] |
| Enterprise | T1055 | Process Injection | COATHANGER includes a binary labeled `authd` that can inject a library into a running process and then hook an existing function within that process with a new function from that library.[1] |
| Enterprise | T1059.004 | Unix Shell Sub-technique | COATHANGER provides a BusyBox reverse shell for command and control.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | COATHANGER is installed following exploitation of a vulnerable FortiGate device.[1] |
| Enterprise | T1222.002 | Linux and Mac Permissions Sub-technique | COATHANGER will set the GID of `httpsd` to 90 when infected.[1] |
| Enterprise | T1083 | File and Directory Discovery | COATHANGER will survey the contents of system files during installation.[1] |
| Enterprise | T1014 | Rootkit | COATHANGER hooks or replaces multiple legitimate processes and other functions on victim devices.[1] |
| Enterprise | T1574.006 | Dynamic Linker Hijacking Sub-technique | COATHANGER copies the malicious file |
| Enterprise | T1027.002 | Software Packing Sub-technique | The first stage of COATHANGER is delivered as a packed file.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | COATHANGER connects to command and control infrastructure using SSL.[1] |
| Enterprise | T1574 | Hijack Execution Flow | COATHANGER will remove and write malicious shared objects associated with legitimate system functions such as `read(2)`.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | COATHANGER decodes configuration items from a bundled file for command and control activity.[1] |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | COATHANGER creates and installs itself to a hidden installation directory.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | COATHANGER can store obfuscated configuration information in the last 56 bytes of the file `/date/.bd.key/preload.so`.[1] |
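The "Detection direction" list earlier on this page asks for relationship-driven hunting rather than a single signature, and the table above supplies the relationships: ICMP carrying configuration (T1095), an HTTP GET that sets up a TLS tunnel (T1071.001, T1573.002), a daemon doing timed check-ins (T1543.004) and `httpsd` running with GID 90 (T1222.002). The block below turns four of those into checks over constructed telemetry. It is an added example, not code from the ATT&CK page, the NCSC-NL advisory or Glexia; it assumes a process listing, outbound flow records and HTTP request logs have been normalised into the dict fields shown, and the appliance address, the baseline GID of 0, the allowed ICMP peer and every sample record are constructed. The beacon check generalises the "timed check-ins" procedure into a periodicity test on any outbound TCP destination.

```python
"""Relationship-driven hunt over constructed appliance telemetry.

Added example; not code from the ATT&CK page, the NCSC-NL advisory or Glexia.
Assumes three feeds normalised into dicts: a process listing from vendor
diagnostics, outbound flow records, and HTTP request logs. The appliance IP,
the expected GID, the allowed ICMP peer and all records are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

APPLIANCE_IP = "192.0.2.10"           # constructed management address
ALLOWED_ICMP_PEERS = {"192.0.2.1"}    # constructed: monitoring host allowed to exchange ICMP

# Constructed process listing: one httpsd instance has an unexpected GID.
PROCESSES = [
    {"name": "httpsd", "pid": 101, "uid": 0, "gid": 0},
    {"name": "httpsd", "pid": 102, "uid": 0, "gid": 90},
    {"name": "sshd", "pid": 50, "uid": 0, "gid": 0},
]

# Constructed outbound flows (ts in seconds). 198.51.100.7 receives ICMP, then
# an HTTP GET followed by TLS, then TLS sessions every 300 s; 203.0.113.5 is noise.
FLOWS = [
    {"ts": 0, "src": APPLIANCE_IP, "dst": "192.0.2.1", "proto": "icmp", "dport": None},
    {"ts": 5, "src": APPLIANCE_IP, "dst": "198.51.100.7", "proto": "icmp", "dport": None},
    {"ts": 10, "src": APPLIANCE_IP, "dst": "203.0.113.5", "proto": "tcp", "dport": 443},
    {"ts": 37, "src": APPLIANCE_IP, "dst": "203.0.113.5", "proto": "tcp", "dport": 443},
    {"ts": 100, "src": APPLIANCE_IP, "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
    {"ts": 120, "src": APPLIANCE_IP, "dst": "203.0.113.5", "proto": "tcp", "dport": 443},
    {"ts": 121, "src": APPLIANCE_IP, "dst": "203.0.113.5", "proto": "tcp", "dport": 443},
    {"ts": 400, "src": APPLIANCE_IP, "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
    {"ts": 700, "src": APPLIANCE_IP, "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
    {"ts": 1000, "src": APPLIANCE_IP, "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
]

# Constructed HTTP request log from the appliance.
HTTP_LOG = [
    {"ts": 98, "src": APPLIANCE_IP, "dst": "198.51.100.7", "method": "GET", "path": "/"},
]


def find_gid_anomalies(processes, name="httpsd", expected_gid=0):
    """Processes of the given name whose GID differs from the expected baseline.
    The baseline GID is an assumption; the page reports GID 90 on infected devices."""
    return [(p["pid"], p["gid"]) for p in processes
            if p["name"] == name and p["gid"] != expected_gid]


def find_unexpected_icmp(flows):
    """Destinations the appliance sent ICMP to that are not approved monitoring peers."""
    return sorted({f["dst"] for f in flows
                   if f["src"] == APPLIANCE_IP and f["proto"] == "icmp"
                   and f["dst"] not in ALLOWED_ICMP_PEERS})


def find_get_then_tls(http_log, flows, window=30):
    """HTTP GETs from the appliance followed within `window` seconds by TLS to the same host."""
    tls_by_dst = defaultdict(list)
    for f in flows:
        if f["src"] == APPLIANCE_IP and f["proto"] == "tcp" and f["dport"] == 443:
            tls_by_dst[f["dst"]].append(f["ts"])
    hits = []
    for req in http_log:
        if req["src"] != APPLIANCE_IP or req["method"] != "GET":
            continue
        for ts in sorted(tls_by_dst.get(req["dst"], [])):
            if 0 <= ts - req["ts"] <= window:
                hits.append((req["dst"], req["ts"], ts))
                break
    return hits


def find_beacons(flows, min_count=4, max_cv=0.1):
    """Outbound TCP destinations contacted at near-constant intervals (timed check-ins).
    Returns (dst, port, period) where the coefficient of variation of gaps <= max_cv."""
    by_dst = defaultdict(list)
    for f in flows:
        if f["src"] == APPLIANCE_IP and f["proto"] == "tcp":
            by_dst[(f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for (dst, port), times in by_dst.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            beacons.append((dst, port, round(m)))
    return beacons


def hunt(processes=PROCESSES, flows=FLOWS, http_log=HTTP_LOG):
    """Run every check and tag each finding with the ATT&CK technique it relates to."""
    findings = []
    for pid, gid in find_gid_anomalies(processes):
        findings.append({"technique": "T1222.002", "detail": f"httpsd pid {pid} runs with gid {gid}"})
    for dst in find_unexpected_icmp(flows):
        findings.append({"technique": "T1095", "detail": f"unexpected ICMP to {dst}"})
    for dst, t_get, t_tls in find_get_then_tls(http_log, flows):
        findings.append({"technique": "T1071.001", "detail": f"GET to {dst} at {t_get} then TLS at {t_tls}"})
    for dst, port, period in find_beacons(flows):
        findings.append({"technique": "T1543.004", "detail": f"regular check-ins to {dst}:{port} every {period}s"})
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f["technique"], f["detail"])
```

Treat each check as a hunt lead, not a verdict: the page's own tuning note applies, since vendor monitoring, update checks and administrator sessions can legitimately produce ICMP, periodic TLS or GET-then-TLS sequences, so the allow-lists and thresholds need to be set from the appliance's known-good behaviour.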
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f8843ffffdff… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] NCSC-NL COATHANGER Feb 2024. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
[2] mitre-attack S1105. MITRE ATT&CK software entry for COATHANGER.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.