RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed

A brief but revealing exposure of attacker infrastructure tied to the KeyPlug malware has given cybersecurity researchers a rare look into the operational playbook of the RedGolf threat group, which is believed to overlap with APT41.

For less than 24 hours, a misconfigured, openly listable directory on a Vultr-hosted server revealed a suite of exploit scripts, reconnaissance tools, and post-exploitation payloads, many of them targeting Fortinet firewalls and VPNs, along with authentication portals linked to a major Japanese company.

Technical Arsenal Exposed

1. Fortinet Exploit and Reconnaissance Scripts

Among the most notable finds was 1.py, a Python script crafted to automate reconnaissance against Fortinet VPN and firewall appliances.

The script requests endpoints such as /remote/login and /login and extracts the version-specific hash that FortiOS appends to the login page's JavaScript reference (login.js). That hash serves as a fingerprint of the installed FortiOS build.

With the build identified, the attacker can select exploits for the vulnerabilities known to affect that version rather than probing blindly.

    # Locate the login page's script tag and pull the version-specific hash from its query string
    script_tag = soup.select_one("script[src^='/sslvpn/js/login.js']")
    Hash = script_tag['src'].split('=')[1]

2. Automated WebSocket Exploitation

The ws_test.py script automates exploitation of Fortinet's WebSocket-based CLI endpoints, borrowing techniques associated with CVE-2024-23108 and CVE-2024-23109, two OS command injection vulnerabilities that Fortinet disclosed in FortiSIEM.

By adding a Forwarded header that claims the request originated from 127.0.0.1, the script satisfies an origin check meant to restrict the endpoint to local callers, bypasses authentication, and then sends privileged commands over the WebSocket:

    # Claim the connection came from the loopback address so the endpoint treats it as local
    headers = {'Forwarded': 'for=127.0.0.1; by=127.0.0.1;', 'User-Agent': 'Node.js'}
    # Commands are sent line by line over the established WebSocket
    ws.send(payload + '\n')
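The bug the header spoof exploits is a server trusting a client-supplied Forwarded header as if it were the connection's real source address. The following is an added example, not code from ws_test.py or from Fortinet, and the `allows_local_only_*` gates are hypothetical stand-ins for whatever origin check the appliance performs. It parses the RFC 7239 `for=` element, shows the vulnerable gate beside a hardened one that consults only the transport-layer peer, and adds the detection a defender would want: a header claiming loopback on a connection that did not come from loopback. The request below is constructed.

```python
"""Forwarded-header trust: vulnerable gate, hardened gate, and a detector.

Added example; not code from the exposed toolkit or from Fortinet. The two
`allows_local_only_*` functions are hypothetical origin checks used only to
contrast the bug with the fix. The sample request is constructed.
"""
import ipaddress
from typing import Dict, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP header names are."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def forwarded_for(header: Optional[str]) -> Optional[str]:
    """Return the first `for=` node of an RFC 7239 Forwarded header, or None.

    Handles bare IPv4 (for=127.0.0.1), IPv4 with port (for=198.51.100.9:8080)
    and quoted bracketed IPv6 with port (for="[::1]:4711").
    """
    if not header:
        return None
    first_hop = header.split(",", 1)[0]          # only the nearest hop is of interest
    for param in first_hop.split(";"):
        name, sep, value = param.strip().partition("=")
        if sep and name.strip().lower() == "for":
            value = value.strip().strip('"')
            if value.startswith("["):            # "[v6]" or "[v6]:port"
                return value[1:value.index("]")]
            return value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    return None


def is_loopback(addr: Optional[str]) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def allows_local_only_vulnerable(peer_ip: str, headers: Dict[str, str]) -> bool:
    """BUGGY gate: believes whatever `for=` claims. Any client can write
    'Forwarded: for=127.0.0.1' itself, so an internet peer passes as local."""
    claimed = forwarded_for(_header(headers, "Forwarded"))
    return is_loopback(claimed if claimed is not None else peer_ip)


def allows_local_only_hardened(peer_ip: str, headers: Dict[str, str]) -> bool:
    """Safe gate: only the transport-layer peer address counts. Forwarded and
    X-Forwarded-For are attacker-controlled unless the peer is a proxy you run."""
    return is_loopback(peer_ip)


def spoofed_local_claim(peer_ip: str, headers: Dict[str, str]) -> bool:
    """Detection: the header claims loopback but the connection came from elsewhere."""
    claimed = forwarded_for(_header(headers, "Forwarded"))
    return claimed is not None and is_loopback(claimed) and not is_loopback(peer_ip)


# Constructed sample: the handshake headers ws_test.py sends, arriving from an
# internet peer (TEST-NET-3 address, not a real host).
SAMPLE_PEER = "203.0.113.7"
SAMPLE_HEADERS = {
    "Forwarded": "for=127.0.0.1; by=127.0.0.1;",
    "User-Agent": "Node.js",
    "Upgrade": "websocket",
}

if __name__ == "__main__":
    print("vulnerable gate admits peer:", allows_local_only_vulnerable(SAMPLE_PEER, SAMPLE_HEADERS))
    print("hardened gate admits peer:  ", allows_local_only_hardened(SAMPLE_PEER, SAMPLE_HEADERS))
    print("spoof detected:             ", spoofed_local_claim(SAMPLE_PEER, SAMPLE_HEADERS))
```

The detector is cheap to run over access or reverse-proxy logs: any request whose Forwarded or X-Forwarded-For value is a loopback or link-local address while the socket peer is external is either a misconfigured proxy or an attempt at exactly this bypass.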

3. PHP Webshell for Stealthy Remote Access

The bx.php webshell accepts AES-128-encrypted payloads via HTTP POST, decrypts them in memory, and executes the resulting commands dynamically. Reading the body from php://input and keeping the decrypted command only in memory minimizes on-disk artifacts, and string obfuscation hides the tell-tale identifiers from signature-based scanners:

    @error_reporting(0);        // silence PHP errors so failed requests leave nothing in the logs
    $p = '|||||||||||'^chr(12); // XOR-obfuscated string; the full expression (truncated here) resolves to 'php://input'

4. PowerShell and Linux Reverse Shells

A custom PowerShell script (client.ps1) establishes a reverse shell over TCP and encrypts all traffic with AES-128 in ECB mode. ECB encrypts each 16-byte block independently, so repeated commands or heartbeats produce repeated ciphertext blocks, a pattern defenders can look for in the implant's own traffic.

The implant supports persistent connections and heartbeat checks to maintain control over compromised hosts.
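The ECB choice is a weakness a defender can exploit. The block below is an added example, not code from client.ps1 or bx.php: it shows why an ECB-encrypted heartbeat loop leaks repeated ciphertext blocks while a chained mode does not, and a detector that scans a captured stream at every block alignment. To run offline without third-party crypto libraries, `toy_block_cipher` is a keyed SHA-256 stand-in for an AES block encryption; it is not a real cipher, and the key and heartbeat payload are constructed.

```python
"""ECB leaks structure: reproducing the leak and detecting it in a capture.

Added example; not code from client.ps1. `toy_block_cipher` stands in for
AES-128 so the contrast runs offline (it is NOT a secure cipher). Key and
heartbeat stream are constructed.
"""
import hashlib
from collections import Counter

BLOCK = 16


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption: same key and block -> same output."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Each block encrypted independently: the property that leaks structure."""
    padded = pkcs7_pad(plaintext)
    return b"".join(toy_block_cipher(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Chained mode for contrast: identical plaintext blocks no longer repeat."""
    padded = pkcs7_pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_cipher(key, _xor(prev, padded[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def duplicate_block_ratio(data: bytes, offset: int = 0) -> float:
    """Fraction of 16-byte chunks (starting at `offset`) that repeat an earlier chunk.
    A trailing partial chunk is ignored."""
    body = data[offset:]
    chunks = [body[i:i + BLOCK] for i in range(0, len(body) - len(body) % BLOCK, BLOCK)]
    if not chunks:
        return 0.0
    repeats = sum(count - 1 for count in Counter(chunks).values())
    return repeats / len(chunks)


def looks_like_ecb(data: bytes, threshold: float = 0.1) -> bool:
    """Try every block alignment, since a captured TCP stream rarely starts on a
    cipher block boundary; flag the channel if any alignment shows repeats."""
    return max(duplicate_block_ratio(data, off) for off in range(BLOCK)) >= threshold


# Constructed sample: eight identical 16-byte heartbeat messages, as a
# keep-alive loop would produce, under a constructed key.
KEY = b"0123456789abcdef"
HEARTBEAT_STREAM = b"HEARTBEAT:OK\x00\x00\x00\x00" * 8
ECB_CAPTURE = ecb_encrypt(KEY, HEARTBEAT_STREAM)
CBC_CAPTURE = cbc_encrypt(KEY, b"\x00" * BLOCK, HEARTBEAT_STREAM)

if __name__ == "__main__":
    print("ECB duplicate ratio:", round(duplicate_block_ratio(ECB_CAPTURE), 3))
    print("CBC duplicate ratio:", round(duplicate_block_ratio(CBC_CAPTURE), 3))
    print("ECB flagged:", looks_like_ecb(ECB_CAPTURE), "| CBC flagged:", looks_like_ecb(CBC_CAPTURE))
```

With real AES the ciphertext values differ but the behaviour is identical: ECB with a repeating plaintext yields a repeating 16-byte pattern, and the ratio test works on the raw bytes without needing the key.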

Targeted Reconnaissance

Files such as alive_urls_20250305_090959.txt and non_cdn_ips_20250305_090959.txt catalogued nearly 100 domains tied to Shiseido, a leading Japanese cosmetics company.

These included Okta and Keycloak authentication portals, staging environments, and internal dashboards, indicating a focus on high-value authentication surfaces.

CDN Fingerprinting Script

The script.py tool checked whether each domain sat behind a Content Delivery Network (CDN) by analyzing HTTP response headers, isolating the assets exposed directly to the internet for targeted exploitation.
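The same header check is useful to a defender as an attack-surface inventory: the hosts it leaves unclassified are the ones reachable without a CDN or WAF in front. The following is an added example, not the recovered script.py. The header names are the well-known response fingerprints added by the listed providers; the hostnames and responses are constructed, and the example generalizes the check to several CDNs rather than one.

```python
"""Sorting hosts into CDN-fronted and directly exposed from HTTP response headers.

Added example; not the recovered script.py. Header names are the public
fingerprints the listed providers add to responses; hosts and responses
below are constructed.
"""
from typing import Dict, List, Optional, Tuple

# (header name, substring required in its value, or None for mere presence, provider)
CDN_SIGNATURES = [
    ("cf-ray", None, "Cloudflare"),
    ("server", "cloudflare", "Cloudflare"),
    ("x-amz-cf-id", None, "Amazon CloudFront"),
    ("via", "cloudfront", "Amazon CloudFront"),
    ("x-akamai-transformed", None, "Akamai"),
    ("server", "akamaighost", "Akamai"),
    ("x-fastly-request-id", None, "Fastly"),
    ("x-served-by", "cache-", "Fastly"),
    ("x-iinfo", None, "Imperva"),
    ("x-azure-ref", None, "Azure Front Door"),
]


def identify_cdn(headers: Dict[str, str]) -> Optional[str]:
    """Return the provider name if a known CDN fingerprint is present, else None."""
    lowered = {name.lower(): value.lower() for name, value in headers.items()}
    for name, needle, provider in CDN_SIGNATURES:
        if name in lowered and (needle is None or needle in lowered[name]):
            return provider
    return None


def partition_by_cdn(responses: Dict[str, Dict[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Split hosts into {host: provider} and the list with no CDN fingerprint.

    The second list is what an attacker's non_cdn-style file holds and what a
    defender should review for assets reachable without CDN/WAF fronting.
    Absence of a fingerprint is not proof of exposure (some deployments strip
    these headers), so confirm by checking the resolved IP against provider ranges.
    """
    fronted: Dict[str, str] = {}
    direct: List[str] = []
    for host, headers in responses.items():
        provider = identify_cdn(headers)
        if provider:
            fronted[host] = provider
        else:
            direct.append(host)
    return fronted, direct


# Constructed responses; none were captured from a real target.
SAMPLE_RESPONSES = {
    "www.example.com": {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6789-NRT"},
    "static.example.com": {"Via": "1.1 d111111abcdef8.cloudfront.net (CloudFront)",
                           "X-Amz-Cf-Id": "constructed-request-id"},
    "login.example.com": {"Server": "nginx", "Content-Type": "text/html"},
    "staging-dashboard.example.com": {"Server": "Apache/2.4.41 (Ubuntu)"},
}

if __name__ == "__main__":
    fronted, direct = partition_by_cdn(SAMPLE_RESPONSES)
    for host, provider in fronted.items():
        print(f"{host:32} fronted by {provider}")
    for host in direct:
        print(f"{host:32} NO CDN FINGERPRINT - review exposure")
```

Feeding it the responses from your own alive-host list reproduces the attacker's non_cdn view of the estate; authentication portals and staging dashboards that land in the direct list deserve the first look.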

Indicators of Compromise (IOCs)

IP Address        | Domain(s)          | Hosting Company     | Location
154.31.217[.]200  | N/A                | Vultr Holdings, LLC | JP
45.77.34[.]88     | N/A                | Vultr Holdings, LLC | JP
45.77.249[.]100   | combinechina[.]com | Vultr Holdings, LLC | JP

Filename   | SHA-256                                                          | Notes
1.py       | 09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95 | Fortinet reconnaissance script
bx.php     | 7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50 | Obfuscated webshell
ws_test.py | 98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d | Fortinet exploit code

This rare glimpse into attacker-side infrastructure highlights the sophistication and agility of contemporary threat actors.

The exposed toolkit demonstrates a methodical approach: reconnaissance, identification of unprotected assets, exploitation of known vulnerabilities, and stealthy post-access operations.

For defenders, the incident underscores the necessity of continuous monitoring, rapid patching of exposed services, and vigilant analysis of authentication and VPN endpoints for anomalous activity.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
