The DeepData malware framework, linked to the China-backed APT41, was observed exploiting a zero-day vulnerability in the Fortinet VPN client for Windows to steal credentials from process memory. DeepData uses plugins to exfiltrate sensitive data from browsers, communication apps, and password managers, and can also record audio through the system’s microphone. The vulnerability, reported in July but still unpatched, highlights the framework's focus on surveillance against journalists, politicians, and activists in Southeast Asia. DeepData shares similarities with LightSpy malware, including code, infrastructure, and development patterns, reinforcing its association with the BrazenBamboo threat group.