{ "id": "c440a2c9-d007-4f13-99ff-a44fec799504", "created_at": "2026-04-06T00:21:13.817097Z", "updated_at": "2026-04-10T03:32:21.395663Z", "deleted_at": null, "sha1_hash": "23750ed0b9492ef2c5fa5cb71259345e71bbf2e0", "title": "KeyPlug Server Exposes Fortinet Exploits \u0026 Webshell Activity Targeting a Major Japanese Company", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 23794377, "plain_text": "KeyPlug Server Exposes Fortinet Exploits \u0026 Webshell Activity\r\nTargeting a Major Japanese Company\r\nPublished: 2025-04-17 · Archived: 2026-04-05 17:57:21 UTC\r\nA briefly exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active\r\noperations. The server, live for less than a day, exposed Fortinet firewall and VPN-targeting exploit scripts, a PHP-based webshell, and network reconnaissance scripts targeting authentication and internal portals associated with a\r\nmajor Japanese company. While short-lived, the exposure provides an unfettered view into a likely advanced\r\nadversary's operational staging and planning.\r\nKey Points:\r\nFortinet firewall and VPN exploit scripts were exposed on the infrastructure linked to KeyPlug malware\r\nactivity.\r\nA PHP-based webshell capable of AES and XOR-decrypted payload execution was included.\r\nNetwork reconnaissance scripts targeted login, development, and identity portals associated with a major\r\nJapanese company.\r\nThe server was live for less than 24 hours, emphasizing the need to monitor for short-lived operational\r\ninfrastructure.\r\nWhen Staging Infrastructure Slips Into View\r\nA recent post on X by @Jane_0sint highlighted IP/port 154.31.217[.]200:443 , a server attributed to the\r\nRedGolf threat group, which overlaps with APT41. Included in the post were a malicious ELF sample (SHA-256:\r\n53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45 ) exhibiting backdoor functionality, and\r\nnoted that the server appeared intermittently throughout the day, behavior we've consistently observed across\r\nRedGolf-linked infrastructure.\r\nThis IP had already been under long-term monitoring as part of our broader research into KeyPlug infrastructure,\r\nwhich we've previously linked through TLS certificate reuse. Querying 154.31.217[.]200 in Hunt.io revealed it\r\nshared a WolfSSL-issued TLS certificate with five additional servers.\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 1 of 15\n\nFigure 1: Quick pivot point in Hunt.io for shared certificates.\r\nAmong them, 45.77.34[.]88 stood out. Port 80 presented a Python 3.12.4 SimpleHTTP/0.6 header, first\r\nobserved in early March - a detail that typically indicates a temporary or persistent file staging server.\r\nCertificate Details\r\nSubject Common Name: www[.]wolfssl[.]com\r\nSubject Organizational Unit: Support_1024\r\nIssuer Organizational Unit: Consulting_1024\r\nSHA-256 Fingerprint: 4C1BAA3ABB774B4C649C87417ACAA4396EBA40E5028B43FADE4C685A405CC3BF\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 2 of 15\n\nFigure 2: Screenshot of IP overview in Hunt showing the Python SimpleHTTP server on port 80.\r\nAttempts to visit the directory directly were unsuccessful, suggesting the misconfiguration had been noticed and\r\ncorrected. However, within Hunt.io, the AttackCapture™ module had already indexed the server during its brief\r\nexposure, preserving a snapshot of its contents.\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 3 of 15\n\nFigure 3: Snippet of the files downloaded in AttackCapture™ from the exposed server.\r\nFile Analysis\r\nThe brief exposure of 45.77.34[.]88 provided a clear look at the tooling likely used in both reconnaissance and\r\noperational staging. Several files point to infrastructure fingerprinting efforts, Fortinet-targeting activity, post-access payloads, and output from earlier scanning phases.\r\nWhile some are directly relevant to defenders from a detection standpoint, they also reflect the workflow,\r\nplanning, and targeting priorities of the operator behind the infrastructure. What follows is a breakdown of the\r\nmost notable files recovered during the exposure, with an emphasis on their function and potential impact.\r\nReconnaissance Output Targeting Shiseido Enterprise Infrastructure\r\nThe open directory contained a file named alive_urls_20250305_090959.txt within an awvs/ folder, alongside\r\na copy of fscan-a publicly available tool used for port scanning and service enumeration. The file lists close to one\r\nhundred Shiseido domains, many of which point to login portals, development environments, internal dashboards,\r\nand third-party identity providers.\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 4 of 15\n\nFigure 4: Snippet of the Shiseido-related domains targeted by the actor.\r\nA second file, non_cdn_ips_20250305_090959.txt , appears to correlate those domains with origin IPs not\r\nshielded by CDNs-likely an effort to surface infrastructure directly reachable for follow-on targeting. The\r\npresence of script.py, a CDN fingerprinting tool discussed in the next section, reinforces this behavior.\r\nShiseido began as a Japanese pharmacy and has since grown into a major international cosmetics company with\r\noperations spanning 120 countries and regions. The file included domains hosted in Singapore and across Europe,\r\nincluding Okta and Keycloak portals, staging environments, and data protection services. This suggests a focus on\r\nauthentication surfaces and internal systems potentially tied to employee access, compliance workflows, and\r\nbroader enterprise operations.\r\nscript.py - CDN Fingerprinter\r\nThis script performs live URL checks and determines whether assets are protected by a content delivery network\r\n(CDN) or directly exposed to the internet. It checks each domain over HTTPS and HTTP, collects server response\r\nheaders, and flags domains that lack common CDN indicators such as CF-RAY , X-Amz-Cf-Id , or Akamai-Cache-Status .\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 5 of 15\n\nFigure 5: Snippet of the Python code from script.py in Attack Capture.\r\nThe script outputs two files:\r\nalive_urls_*.txt : confirms which domains responded successfully\r\nnon_cdn_ips_*.txt : isolates assets believed to be origin-facing\r\nThe absence of CDN-related headers doesn't guarantee direct access, but the logic reflects a tactic to identify\r\ninfrastructure with fewer visibility or mitigation layers. This script likely served as a filtering stage to surface\r\nhigh-value targets not fronted by edge protections.\r\n1.py - Fortinet Reconnaissance Script\r\nDiscovered in the for/ directory alongside GeoLite2-Country.mmdb and multiple text output files, 1.py is\r\ndesigned to perform targeted reconnaissance against Fortinet VPN and firewall appliances. Its primary function is\r\nto identify live Fortinet login portals and extract version-specific JavaScript hash values, which can be used to\r\nfingerprint appliances and determine exploit compatibility.\r\nAt its core, the script automates requests to two key Fortinet login paths- /remote/login and /login -and\r\nparses each response to locate a login.js script URL containing a version-specific hash. That hash is then logged\r\nalong with the domain and resolved country.\r\nThe following logic is used to extract the hash from the FortiClient portal:\r\nscript_tag = soup.select_one(\"script[src^='/sslvpn/js/login.js']\")\r\nHash = script_tag['src'].split('=')[1]\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 6 of 15\n\nCopy\r\nThe hash value embedded in the login.js path typically varies across FortiOS versions and can be used to infer\r\nthe software build in use. Identifying these values allows operators to align follow-on actions with known\r\nvulnerable versions or platform-specific behavior.\r\nThe extracted data is then written to 1.txt or 2.txt depending on which endpoint responded, and enriched\r\nwith country-level metadata:\r\nwith geoip2.database.Reader('GeoLite2-Country.mmdb') as reader:\r\nresponse = reader.country(ip)\r\nip_check = response.country.names['zh-CN']\r\n \r\nCopy\r\nThe User-Agent string is statically set to a realistic browser profile, likely to avoid automated blocking or\r\nreputation filters:\r\nMozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36\r\n \r\nCopy\r\nDefender Note:\r\nEnsure Fortinet SSL VPN interfaces are patched and running supported versions, particularly if exposed to the\r\ninternet. Monitor for automated access to /remote/login and /login endpoints across multiple assets or over short\r\nintervals. Look for repeated requests to these paths that use consistent User-Agent strings and do not proceed to\r\nfull authentication flows.\r\nws_test.py - Automated Exploitation of Fortinet WebSocket CLI Access\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 7 of 15\n\nThis script-and its variants test.py and ws_tests.py -automates exploitation of Fortinet's WebSocket-based\r\nCLI endpoints. The code in ws_test.py closely mirrors public exploitation techniques for CVE-2024-23108 and\r\nCVE-2024-23109, originally documented by WatchTowr, which abuse unauthenticated WebSocket endpoints in\r\nFortiOS to execute privileged CLI commands.\r\nTo bypass access control, the code spoofs local traffic using a hardcoded header:\r\nheaders = {'Forwarded': 'for=127.0.0.1; by=127.0.0.1;', 'User-Agent': 'Node.js'}\r\n \r\nCopy\r\nThe script targets /ws/cli/open and /ws/newcli/open across FortiOS versions 7.0.0 to 7.0.15, crafting\r\nrequests that simulate local access and bypass authentication. Depending on the version, it adjusts the WebSocket\r\npath and token parameters accordingly:\r\nif 7002 \u003c= version \u003c= 7015:\r\nurl = \"wss://{0}:{1}/ws/cli/open?cols=154\u0026rows=13\u0026local_access_token=1112\"\r\nelif 7000 \u003c= version \u003c= 7001:\r\nurl = \"wss://{0}:{1}/ws/newcli/open?cols=154\u0026rows=13\u0026access_token=1\"\r\n \r\nCopy\r\nOnce connected, it immediately sends a payload mimicking multiple administrative usernames and spoofed IP\r\naddresses:\r\npayload = '\"admin\" \"admin\" \"root\" \"super_admin\" \"root\" \"none\" [1.1.1.1]:1 [2.2.2.2]:2'\r\nws.send(payload + '\\n')\r\n \r\nCopy\r\nThe logic then issues CLI commands such as show full-configuration or custom sequences to retrieve admin\r\naccount details, escalate privileges, or reset passwords-all without any authentication.\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 8 of 15\n\nIn addition to the great research conducted by WatchTowr, defenders should also:\r\nLook for WebSocket handshake requests to /ws/cli/open and /ws/newcli/open in historical proxy and\r\nfirewall logs.\r\nRepeated submission of crafted identity strings such as \" admin \", \" root \", and \" super_admin .\"\r\nbx.php - Encrypted POST-Based Webshell for Remote Command Execution\r\nThe bx.php script is a compact PHP webshell designed to receive encrypted command payloads over HTTP POST,\r\ndecrypt them in memory, and execute them dynamically. It uses obfuscation, runtime encryption, and minimal on-disk behavior to support quiet remote access operations.\r\nAt the top of the script, all PHP errors are suppressed using:\r\n@error_reporting(0);\r\n \r\nCopy\r\nThis ensures that decryption or execution failures won't produce visible output or leave artifacts in logs-an\r\nintentional OPSEC measure to reduce noise during live operations.\r\nThe payload source is obfuscated using a XOR-based routine:\r\n$p = '|||||||||||'^chr(12)... // resolves to 'php://input'\r\n \r\nCopy\r\nThe script reads encrypted data from the POST body and decrypts it using AES-128 with a hardcoded key (\r\na75d6a841eafd550 ). If OpenSSL is not available, it falls back to a custom XOR and base64-based routine. The\r\ndecrypted result is split into function and parameter components and executed using eval() through a class-based\r\n__invoke() method.\r\nBy using AES-128 to obfuscate payloads and evaluating them only in memory, bx.php avoids leaving readable\r\ncommand content on disk or in logs. It does not rely on URL parameters or named POST fields to pass\r\ncommands, instead reading encrypted payloads directly from the raw HTTP POST body.\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 9 of 15\n\nFigure 6: bx.php script contents.\r\nclient.ps1 - PowerShell Reverse Shell Over TCP\r\nLocated in the root of the open directory, client.ps1 is a custom reverse shell written in PowerShell that\r\nconnects to 45.77.34[.]88 over TCP port 8080 . It uses AES-128 in ECB mode to encrypt all tasking and\r\nresponses, operating entirely over raw TCP instead of HTTP/S.\r\nUpon connection, the script authenticates using a static key and waits for a cmd_mode flag before entering its\r\nmain loop. It decrypts incoming commands in memory, executes them using Invoke-Expression, and encrypts the\r\noutput before returning it over the same socket.\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 10 of 15\n\nFigure 7: AES encrypt/decrypt routines using ECB mode and static key.\r\nIn addition to normal tasking, the implant supports PING and HEARTBEAT messages, replying with encrypted\r\nPONG and HEARTBEAT_ACK responses to maintain continuity with the controller. These checks help the operator\r\nverify session stability and responsiveness.\r\nFigure 8: PING/PONG and HEARTBEAT response logic in the tasking loop.\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 11 of 15\n\nIf the connection drops, the implant enters a 30-minute sleep before retrying, allowing it to persist quietly over\r\ntime without creating noisy, repeated connection attempts.\r\nServer - HTTP-Based Listener\r\nThe final file in the directory is an ELF binary named Server , which opens an HTTP listener on port 8080 and\r\naccepts basic operator commands. While its interface is minimal, the tool functions as a session controller,\r\nenabling the operator to list available connections ( sessions ) or interact with one directly ( use \u003cid\u003e ).\r\nFigure 9: Sample output running the Server program in a lab environment.\r\nUnauthenticated requests to the listener return a 200 OK status and the string Authentication Failed , indicating\r\nthe binary expects a specific key or handshake during initial interaction.\r\nA companion file, command_history.txt , captures interactive use of the binary-showing several mistyped\r\ncommands and references to a PowerShell script ( helps.ps1 ) likely uploaded to a victim system.\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 12 of 15\n\nFigure 10: Snippet of command history linked to the Linux-based 'Server.'\r\nWith Server completing the toolset, the exposed directory presents a rare view into attacker-side operations: from\r\ninfrastructure reconnaissance, to exploitation tooling, to post-access session management. In the next section, we\r\noutline key takeaways and surface observables to support immediate detection.\r\nFinal thoughts\r\nOperators rarely leave behind the logic of their work. Yet for a brief moment, a server-likely linked to KeyPlug\r\ninfrastructure associated with RedGolf/APT41-surfaced more than just tooling. It captured the cadence of an\r\noperation: scanning, filtering, staging, and tasking, all mapped through working scripts and live output.\r\nThere's no single takeaway; just an uncommon opportunity to see how access is prepared, how tasks are\r\norganized, and how infrastructure supports the quiet work between initial entry and longer-term objectives. For\r\ndefenders, these glimpses are rare-but often the most revealing.\r\nRedGolf Open Directory Network Observables and Indicators of Compromise (IOCs)\r\nIP Address Domain(s) Hosting Company Location\r\n154.31.217[.]200 N/A V Holdings, LLC JP\r\n45.32.21[.]176 N/A V Holdings, LLC JP\r\n45.77.34[.]88 N/A V Holdings, LLC JP\r\n45.77.249[.]100 combinechina[.]com V Holdings, LLC JP\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 13 of 15\n\nIP Address Domain(s) Hosting Company Location\r\n66.42.55[.]203 N/A SGP_V_CUST SG\r\n108.160.129[.]175 N/A V Holdings, LLC JP\r\n185.82.219[.]201 combinechina[.]com GreenFloid LLC BG\r\nRedGolf Open Directory Host Observables and Indicators of Compromise (IOCs)\r\nFilename SHA-256 Hash Notes\r\nsystemed-dev\r\n53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45\r\nELF program\r\nposted by\r\n@Jane0sint\r\n1.py 09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95\r\nFortinet\r\nreconnaissance\r\nscript\r\nbx.php 7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50\r\nObfuscated\r\nwebshell\r\nclient.ps1 c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7\r\nPowerShell-based reverse\r\nshell over TCP\r\nclient_linux c1da6449513844277acc969aae853a502f177e92f98d37544f94a8987e6e2308\r\nLinux-based\r\nreverse shell\r\ncreatedump 468b1799fbda3097b345a59bc1fec1cbc2a015efa473b043a69765a987ad54ed\r\nLinux version\r\nof open-source\r\nproject,\r\nruntime\r\nlog 759246465014acaf3e75a575d6fe36720cfdbfe2eeac1893fe6d7a0474815552\r\nLinux logging\r\nprogram\r\npwsh 827b5d8ed210a85bf06214e500a955f5ad72bd0afd90127de727eb7d5d70187e\r\nPowerShell\r\nterminal\r\nscript.py 2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6\r\nCDN\r\nfingerprinting\r\nscript\r\nServer f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3\r\nHTTP-based\r\nserver\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 14 of 15\n\nFilename SHA-256 Hash Notes\r\nws_test.py 98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d\r\nFortinet\r\nexploit code\r\nfscan e82ecbe3823046a27d8c39cc0a4acb498f415549946c9ff0e241838b34ed5a21\r\nOpen-source\r\nport scanner\r\nSource: https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nhttps://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells\r\nPage 15 of 15", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells" ], "report_names": [ "keyplug-server-exposes-fortinet-exploits-webshells" ], "threat_actors": [ { "id": "7936e2f8-5179-414a-8b57-530c28062f26", "created_at": "2023-04-27T02:04:45.231554Z", "updated_at": "2026-04-10T02:00:04.87247Z", "deleted_at": null, "main_name": "RedGolf", "aliases": [], "source_name": "ETDA:RedGolf", "tools": [ "Agent.dhwf", "Agentemis", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "ELFSHELF", "KEYPLUG", "Kaba", "Korplug", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f799b96d-bc59-4b35-ae5c-dfe87e5b735b", "created_at": "2023-04-26T02:02:01.286476Z", "updated_at": "2026-04-10T02:00:03.363506Z", "deleted_at": null, "main_name": "RedGolf", "aliases": [], "source_name": "MISPGALAXY:RedGolf", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434873, "ts_updated_at": 1775791941, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/23750ed0b9492ef2c5fa5cb71259345e71bbf2e0.pdf", "text": "https://archive.orkl.eu/23750ed0b9492ef2c5fa5cb71259345e71bbf2e0.txt", "img": "https://archive.orkl.eu/23750ed0b9492ef2c5fa5cb71259345e71bbf2e0.jpg" } }