Exposed KeyPlug Malware Staging Server Contains Fortinet Firewall and VPN Exploitation Scripts

In a lapse by otherwise sophisticated threat actors, a briefly misconfigured directory on infrastructure associated with the KeyPlug malware provided an unprecedented view into the adversary's toolkit and workflow.

The staging server, active for less than 24 hours, exposed a collection of advanced scripts and utilities targeting Fortinet firewalls and VPN solutions, alongside reconnaissance and post-exploitation payloads.

This infrastructure has been tied to the RedGolf threat group, whose activity overlaps widely with that ascribed to APT41, a known Chinese cyber-espionage cluster.

Infrastructure Discovery and Attribution

The exposed server, pinpointed at IP 154.31.217[.]200:443, was identified and publicized by a threat researcher on X (formerly Twitter), with evidence linking it via TLS certificate reuse to other Vultr-hosted staging systems.

[Figure: files downloaded in AttackCapture™ from the exposed server]

Notably, this infrastructure surfaced several times within one day, reflecting observed behavior in RedGolf-linked operations.

The certificate details and server behaviors highlighted a coordinated campaign making heavy use of temporary, rapidly redeployed hosts.

A major focus of the recovered toolset was reconnaissance and enumeration of enterprise authentication portals.

The staging server housed files such as alive_urls_20250305_090959.txt and script.py, which actively scanned login, development, and identity management surfaces with targets including domains belonging to a major Japanese multinational, Shiseido.

Notably, the actors used CDN fingerprinting to isolate origin-facing assets, potentially exposing systems not protected by edge mitigation services.

Fortinet Exploitation Toolkit

Multiple bespoke scripts for Fortinet technology exploitation were found.

The reconnaissance script (1.py) automated scans for Fortinet SSL VPN portals, extracting version-specific JavaScript hashes to fingerprint appliance versions and flag vulnerable systems.

Further, files such as ws_test.py implemented exploitation of WebSocket-based CLI vulnerabilities (CVE-2024-23108 and CVE-2024-23109), automating privileged command execution on FortiOS devices through crafted unauthenticated requests.

The exposed directory also included several post-access tools, notably a sophisticated PHP-based webshell (bx.php) using AES and XOR encryption to evade detection while enabling remote command execution directly from encrypted POST payloads.

[Figure: bx.php script contents]

For session management and persistence, a PowerShell reverse shell (client.ps1) and an ELF-based HTTP listener (Server) were present, each using encryption for communication and supporting interactive operator control.

According to the Hunt Report, this brief period of exposure yielded a rare, comprehensive picture of attack preparation, including reconnaissance, exploitation, and remote access maintenance stages.

It underscores the operational tempo and segmentation of modern nation-state-aligned adversaries, as well as the ongoing targeting of VPN and firewall appliances.

The highly transient nature of the infrastructure, a tactic to avoid detection, complicates defense, highlighting the necessity for continual monitoring of external service footprints, rapid patching, and log analysis focused on webshell indicators and anomalous authentication attempts.

This exposure offers security teams actionable intelligence for detection and immediate defensive posture adjustments, particularly for organizations leveraging Fortinet security appliances and with a global online presence.

Indicators of Compromise (IOCs)

Filename | SHA-256 Hash | Description
systemed-dev | 53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45 | Malicious ELF backdoor
1.py | 09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95 | Fortinet recon script
bx.php | 7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50 | PHP encrypted webshell
client.ps1 | c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7 | PowerShell reverse shell
script.py | 2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6 | CDN fingerprinting, domain targeting
Server | f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3 | Linux-based HTTP listener/controller
ws_test.py | 98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d | Fortinet WebSocket exploit script
fscan | e82ecbe3823046a27d8c39cc0a4acb498f415549946c9ff0e241838b34ed5a21 | Port scanner utility
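As an added example, not code from the article or from the Hunt report, the following Python scanner walks a filesystem tree and reports files whose SHA-256 matches one of the hashes in the table above (high confidence) or whose name matches one of the more distinctive IOC filenames (low confidence, a triage lead only). The hashes are the ones listed above; the directory layout and file contents built in `demo()` are constructed stand-ins, not the real samples.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# SHA-256 values from the IOC table above, mapped to the table's descriptions.
IOC_HASHES = {
    "53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45": "systemed-dev: malicious ELF backdoor",
    "09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95": "1.py: Fortinet recon script",
    "7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50": "bx.php: PHP encrypted webshell",
    "c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7": "client.ps1: PowerShell reverse shell",
    "2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6": "script.py: CDN fingerprinting, domain targeting",
    "f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3": "Server: Linux-based HTTP listener/controller",
    "98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d": "ws_test.py: Fortinet WebSocket exploit script",
    "e82ecbe3823046a27d8c39cc0a4acb498f415549946c9ff0e241838b34ed5a21": "fscan: port scanner utility",
}

# Filenames distinctive enough to be worth a low-confidence hit on name alone.
# The generic names from the table (Server, script.py, 1.py) are deliberately
# left out: they would match far too many benign files.
IOC_NAMES = {"systemed-dev", "bx.php", "client.ps1", "ws_test.py", "fscan"}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, ioc_hashes=IOC_HASHES, ioc_names=IOC_NAMES):
    """Walk `root` and return (path, confidence, detail) for every IOC match.

    A hash match is reported as "high" confidence; a filename-only match as
    "low", meaning it is a lead for manual review, not a verdict.
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        # Skip directories and symlinks: following links can loop or wander
        # outside the tree under review.
        if path.is_symlink() or not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # unreadable (permissions, vanished mid-scan); keep going
        if digest in ioc_hashes:
            hits.append((str(path), "high", ioc_hashes[digest]))
        elif path.name in ioc_names:
            hits.append((str(path), "low", f"filename {path.name!r} appears in the IOC list"))
    return hits


def demo():
    """Constructed sample tree (no real malware) exercising both kinds of hit."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "var" / "www"
        webroot.mkdir(parents=True)
        sample = webroot / "upload.bin"
        sample.write_bytes(b"constructed sample payload, not the real file\n")
        (webroot / "bx.php").write_text("<?php /* constructed stand-in, not the webshell */ ?>\n")
        (webroot / "index.php").write_text("<?php echo 'benign'; ?>\n")
        # Add the constructed sample's own hash to a copy of the IOC set so the
        # high-confidence path is exercised without shipping a real sample.
        hashes = dict(IOC_HASHES)
        hashes[sha256_file(sample)] = "constructed test hash"
        return [(Path(p).name, conf, detail) for p, conf, detail in scan_tree(tmp, hashes)]


if __name__ == "__main__":
    # Usage: python ioc_scan.py /path/to/webroot   (no argument runs the demo)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, confidence, detail in results:
        print(f"[{confidence}] {path}: {detail}")
```

Run it against a web root or a home directory on a host that is under suspicion; a hash hit on any of the listed values warrants isolating the host and pulling the file for analysis, while a name-only hit on something like bx.php is a prompt to inspect the file's contents and the web server's access log for POST requests to it.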


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
