COATHANGER
MITREOther
Unknown
Unknown
[COATHANGER](https://attack.mitre.org/software/S1105) is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, [COATHANGER](https://attack.mitre.org/software/S1105) was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. [COATHANGER](https://attack.mitre.org/software/S1105) is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name [COATHANGER](https://attack.mitre.org/software/S1105) is based on a unique string in the malware used to encrypt configuration files on disk: <code>“She took his coat and hung it up”</code>.(Citation: NCSC-NL COATHANGER Feb 2024)
Associated Techniques (18)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1014 | Rootkit | - |
| T1027 | Obfuscated Files or Information | - |
| T1027.002 | Software Packing | - |
| T1055 | Process Injection | - |
| T1057 | Process Discovery | - |
| T1059.004 | Unix Shell | - |
| T1070.004 | File Deletion | - |
| T1071.001 | Web Protocols | - |
| T1083 | File and Directory Discovery | - |
| T1095 | Non-Application Layer Protocol | - |
| T1140 | Deobfuscate/Decode Files or Information | - |
| T1190 | Exploit Public-Facing Application | - |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | - |
| T1543.004 | Launch Daemon | - |
| T1564.001 | Hidden Files and Directories | - |
Metadata
| ID: | 46 |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |