{
  "name": "KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company",
  "slug": "keyplug-linked-server-exposes-fortinet-exploits-webshell-activity-targeting-a-major-japanese-company",
  "description": "A server linked to KeyPlug malware briefly exposed tooling used in active operations. The infrastructure, live for less than a day, revealed Fortinet firewall and VPN exploit scripts, a PHP webshell, and network reconnaissance tools targeting authentication and internal portals of a major Japanese company. The exposed directory provided insight into the attacker's workflow, from infrastructure reconnaissance to post-access session management. Notable files included Fortinet reconnaissance scripts, CDN fingerprinting tools, and encrypted command execution utilities. The server's brief exposure offers a rare glimpse into the operational staging and planning of a likely advanced adversary.",
  "published": "2025-04-17T19:19:58+00:00",
  "created_at": "2025-04-17T19:19:58+00:00",
  "modified_at": "2025-04-18T12:16:03+00:00",
  "created_at_opencti": "2025-04-17T19:19:58+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-17",
    "CVE-2024-23108",
    "CVE-2024-23109",
    "fortinet",
    "keyplug"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "154.31.217.200"
      },
      {
        "id": "",
        "name": "combinechina.com"
      },
      {
        "id": "",
        "name": "f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3"
      },
      {
        "id": "",
        "name": "c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7"
      },
      {
        "id": "",
        "name": "c1da6449513844277acc969aae853a502f177e92f98d37544f94a8987e6e2308"
      },
      {
        "id": "",
        "name": "98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d"
      },
      {
        "id": "",
        "name": "827b5d8ed210a85bf06214e500a955f5ad72bd0afd90127de727eb7d5d70187e"
      },
      {
        "id": "",
        "name": "759246465014acaf3e75a575d6fe36720cfdbfe2eeac1893fe6d7a0474815552"
      },
      {
        "id": "",
        "name": "7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50"
      },
      {
        "id": "",
        "name": "53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45"
      },
      {
        "id": "",
        "name": "468b1799fbda3097b345a59bc1fec1cbc2a015efa473b043a69765a987ad54ed"
      },
      {
        "id": "",
        "name": "2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6"
      },
      {
        "id": "",
        "name": "09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95"
      },
      {
        "id": "",
        "name": "4c1baa3abb774b4c649c87417acaa4396eba40e5028b43fade4c685a405cc3bf"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:eaed3e88e086729f",
        "name": "KEYPLUG.LINUX",
        "slug": "keypluglinux"
      },
      {
        "id": "fa7dc1f4-95b5-41e9-ae3b-3a6940acb5b8",
        "name": "KEYPLUG - S1051",
        "slug": "keyplug-s1051"
      }
    ],
    "intrusion_sets": [
      {
        "id": "1b10474e-c16d-4e14-9424-1771483ae094",
        "name": "RedGolf",
        "slug": "redgolf"
      }
    ],
    "attack_patterns": [
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "e73b317e-ea92-49b4-a45d-051f7279aced",
        "name": "T1213"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2024-23109"
      },
      {
        "id": "",
        "name": "CVE-2024-23108"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Japan"
      },
      {
        "id": "",
        "name": "Retail"
      }
    ]
  },
  "external_refs": [
    "https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells",
    "https://otx.alienvault.com/pulse/6801707ed48a87a19adaf031"
  ]
}