216.73.217.64

KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company

· Published 17/04/2025 21:19 · Modified 18/04/2025 14:16

Export JSON

Essential information

Published
17/04/2025 21:19
Modified
18/04/2025 14:16
Tags
2025-04-17 CVE-2024-23108 CVE-2024-23109 fortinet keyplug
Related entities
2 vulnerabilities (cve), 14 observables, 1 intrusion sets (apt), 11 techniques (mitre), 2 malware, 2 others

Description

A server linked to malware briefly exposed tooling used in active operations. The infrastructure, live for less than a day, revealed firewall and VPN exploit scripts, a PHP webshell, and network reconnaissance tools targeting authentication and internal portals of a major Japanese company. The exposed directory provided insight into the attacker's workflow, from infrastructure reconnaissance to post-access session management. Notable files included reconnaissance scripts, CDN fingerprinting tools, and encrypted command execution utilities. The server's brief exposure offers a rare glimpse into the operational staging and planning of a likely advanced adversary.

External references