Thursday, May 1, 2025

KeyPlug Malware Server Leak Exposes Fortinet Firewall and VPN Exploitation Tools


Cybersecurity researchers have stumbled upon a treasure trove of operational tools and scripts linked to the KeyPlug malware, associated with the threat group RedGolf, also known as APT41. 

The server, which was inadvertently exposed for less than 24 hours, provided an unprecedented glimpse into the sophisticated tactics, techniques, and procedures (TTPs) employed by this advanced persistent threat actor.

Exposure of Staging Infrastructure

The server’s brief exposure allowed experts to capture a snapshot of what appears to be an active staging ground for cyberattacks. 

- Advertisement - Google News

Among the most critical findings were scripts targeting Fortinet firewall and VPN infrastructures. 

These tools included a Python script named 1.py, designed specifically to perform reconnaissance against Fortinet appliances by probing for version-specific JavaScript hash values. 

This information can be critical in determining which exploit or attack vectors would be most effective against a particular setup.

Figure: files downloaded in AttackCapture™ from the exposed server.

Further examination of the directory revealed script.py, a tool for fingerprinting content delivery networks (CDNs) to identify systems directly internet-facing, potentially for follow-on targeting. 

Another standout was ws_test.py, which automates the exploitation of Fortinet’s WebSocket CLI access vulnerabilities, specifically focusing on unauthenticated endpoints to execute CLI commands surreptitiously. 

According to the report, this script was particularly noted for its ability to bypass access controls by spoofing local IP traffic.

Malicious Payloads and Reverse Shells

The directory also disclosed bx.php, an encrypted PHP webshell designed for remote command execution. 

Figure: bx.php script contents.

Its capabilities include receiving encrypted command payloads, decrypting them on the fly, and executing commands without leaving easily traceable footprints. 

Additionally, client.ps1, a PowerShell reverse shell script, was found, capable of maintaining encrypted communications over TCP to manage post-exploitation activities discreetly.

To manage these operations, an ELF binary named Server was also part of the toolkit, acting as an HTTP listener on port 8080. 

This listener allows operators to interact with established sessions, manage commands, and maintain operational control over compromised systems.

This leak underscores the importance of monitoring even short-lived infrastructure for malicious activities. 

The tools not only showcased the depth of RedGolf/APT41’s capabilities but also highlighted potential weaknesses in commonly used enterprise security solutions such as Fortinet’s products. 

Cybersecurity professionals are urged to ensure their systems are updated with the latest patches, particularly those affecting SSL VPN interfaces, and to monitor for automated access attempts that could signify similar reconnaissance or exploitation efforts.
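As an added illustration of the monitoring the article recommends (this is not code from the article or from the leaked toolkit), the following heuristic flags a single source fetching many distinct JavaScript assets in a short window with no session cookie, the access pattern a version-fingerprinting scanner such as the described 1.py would leave in a web-facing appliance's access log. The log format, field names and sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<iso-timestamp> <src-ip> <path> <status> <session-cookie?>"
SAMPLE_LOG = """\
2025-05-01T10:00:01 198.51.100.7 /js/app.a1b2c3.js 200 no
2025-05-01T10:00:01 198.51.100.7 /js/vendor.d4e5f6.js 200 no
2025-05-01T10:00:02 198.51.100.7 /js/login.778899.js 200 no
2025-05-01T10:00:02 198.51.100.7 /js/sslvpn.aabbcc.js 404 no
2025-05-01T10:00:03 198.51.100.7 /js/theme.ddeeff.js 200 no
2025-05-01T10:00:03 198.51.100.7 /js/common.112233.js 200 no
2025-05-01T10:05:00 203.0.113.9 /js/app.a1b2c3.js 200 yes
2025-05-01T10:05:01 203.0.113.9 /js/vendor.d4e5f6.js 200 yes
2025-05-01T10:09:00 192.0.2.44 /js/app.a1b2c3.js 200 no
2025-05-01T10:20:00 192.0.2.44 /js/vendor.d4e5f6.js 200 no
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, path, status, has_session)."""
    ts, src, path, status, session = line.split()
    return datetime.fromisoformat(ts), src, path, int(status), session == "yes"


def find_fingerprinting(log_text, window_seconds=60, min_assets=5):
    """Return {src_ip: distinct_js_assets} for sources that requested at least
    `min_assets` distinct .js files within `window_seconds` and never presented
    a session cookie, i.e. anonymous bulk asset probing rather than browsing."""
    by_src = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, path, _status, has_session = parse_line(raw)
        if path.endswith(".js"):
            by_src[src].append((ts, path, has_session))
    flagged = {}
    for src, events in by_src.items():
        if any(has_session for _, _, has_session in events):
            continue  # an authenticated session is normal UI traffic, not probing
        events.sort()
        # sliding window over sorted events: count distinct paths inside the window
        for i, (start, _, _) in enumerate(events):
            paths = {p for t, p, _ in events[i:]
                     if (t - start).total_seconds() <= window_seconds}
            if len(paths) >= min_assets:
                flagged[src] = len(paths)
                break
    return flagged


if __name__ == "__main__":
    print(find_fingerprinting(SAMPLE_LOG))  # {'198.51.100.7': 6}
```

Tune the window and threshold to the appliance's real asset count; the slow source 192.0.2.44 is deliberately left unflagged to show that rate, not path alone, drives the verdict.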

The exposure of this server marks a significant event in the ongoing cat-and-mouse game between cybersecurity defenders and sophisticated threat actors, providing both insights into adversary tactics and actionable intelligence to bolster defensive measures.

Indicators of Compromise (IOCs)


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
