KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
Essential information
- Published
- 17/04/2025 21:19
- Modified
- 18/04/2025 14:16
- Tags
- 2025-04-17 CVE-2024-23108 CVE-2024-23109 fortinet keyplug
- Related entities
- 2 vulnerabilities (cve), 14 observables, 1 intrusion sets (apt), 11 techniques (mitre), 2 malware, 2 others
Description
A server linked to KeyPlug malware briefly exposed tooling used in active operations. The infrastructure, live for less than a day, revealed Fortinet firewall and VPN exploit scripts, a PHP webshell, and network reconnaissance tools targeting authentication and internal portals of a major Japanese company. The exposed directory provided insight into the attacker's workflow, from infrastructure reconnaissance to post-access session management. Notable files included Fortinet reconnaissance scripts, CDN fingerprinting tools, and encrypted command execution utilities. The server's brief exposure offers a rare glimpse into the operational staging and planning of a likely advanced adversary.