A recent investigation by the Hunt Research Team has uncovered a disturbing trend in cyber operations: open directories on misconfigured servers, inadvertently left accessible to the public, are actively being used by threat actors to store and distribute hacker tools and malicious scripts.
This exposure has facilitated sophisticated attacks against critical organizations, most notably the Taiwanese Freeway Bureau and several government-related entities.
The Hunt team’s discovery originated from a publicly reachable web server in Taiwan (IP: 103.98.73_189:8080), found operating with a Python-based HTTP service.
While its exposure was brief, a forensic sweep utilizing Hunt’s Open Directory Search revealed a trove of offensive cybersecurity tools and scripts.
Among the arsenal were open-source utilities such as Nmap (for port scanning), SQLMap (for automated SQL injection discovery), and the notorious BlueShell backdoor malware, all readily downloadable from the exposed file structure.
Technical Breakdown of Exposed Toolkit
Logs retrieved from the server indicate SQLMap was actively used to probe a legitimate Taiwanese government subdomain for SQL injection vulnerabilities, with operational evidence contained within files like session.sqlite and target.txt.
The command sets and attack vectors were preserved in these files, demonstrating the actor’s methodical approach.
Additionally, Nmap scan outputs showed reconnaissance efforts across a /26 subnet of a regional data center, revealing wide exposure of sensitive network mapping data.
The investigation further exposed a folder dubbed configrc5, filled with bash scripts one notably labeled simply “a” that identified processor models (AMD Zen, Intel) and adjusted performance parameters via MSR (Model-Specific Register) values.
Such precision scripting signals a technically adept adversary likely familiar with the infrastructure of their targets.
Golang binaries (bsServer-0530, bsServerfinal) embedded in the same directory called upon an included server.pem certificate, which analysis matched exactly with BlueShell’s publicly available backdoor.
This direct match links the toolkit in the directory to robust remote access malware capable of persistent control.
Open Directory Analysis Extends Beyond Taiwan
Using Hunt’s platform, a wider sweep detected at least 55 open directories referencing “gov.tw,” highlighting a broad, persistent campaign targeting Taiwanese governmental infrastructure.
One specific server (IP: 156.251.172_194) had also been flagged in an EclecticIQ threat intelligence report for hosting Cobalt Strike payloads aimed at Taiwan’s critical infrastructure.
Parallel investigations found open directories with offensive toolkits targeting not only Taiwan but also governmental sites in Cambodia, Paraguay, and organizational targets such as the Taiwan-Asia Exchange Foundation (TAEF).
In these cases, attackers leveraged scripts for subdomain enumeration and vulnerability scans (e.g., using OneForAll, Afrog), along with exploit frameworks like Brute Ratel C4 and ProxyShell.
Evidence from these misconfigured servers demonstrates the attackers’ systematic collection and staging of reconnaissance and attack tools, often accompanied by commented code in Chinese, suggesting the possible geographic origin or language preference of the operators.
The toolkit diversity and target range indicate a low-cost, high-yield attack profile made possible by technical missteps in server administration.
The findings present a clear call for organizations to rigorously audit their web-facing infrastructure and ensure the closure of open directories, which remain a perennial weak link in contemporary cybersecurity.
The use of automated monitoring tools, such as Hunt’s Open Directory Search, is becoming vital for early detection and mitigation of such exposures, not only to protect sensitive targets but also to prevent the recycling of infrastructure for global cyber offensives.
Indicators of Compromise (IOC)
| IP Address | Notes |
|---|---|
| 103.98.73_189:8080 | Initial open directory (Taiwan Freeway Bureau) |
| 202.182.105_104:80 | Exposed server, scan data on Cambodia, Taiwan, Paraguay |
| 35.229.211_35:8080 | Open directory with Python automation and scan scripts |
| 45.8.146_29:80 | Server with Brute Ratel C4, OneForAll, multiple toolkits |
| 156.251.172_194 | Server linked to Cobalt Strike Cat attacks, EclecticIQ repo |
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
