Security researchers have linked the RedGolf threat group to a cache of Fortinet firewall exploit scripts and custom attack tooling.
The exposure of a misconfigured server tied to the KeyPlug malware, a hallmark of RedGolf operations, has given analysts a rare, unfiltered look at the workflows, tooling and priorities of this threat actor.
The server came to light because it was briefly reachable from the public internet; it was active for less than 24 hours.

Researchers using Hunt.io's AttackCapture™ module indexed and preserved the server's contents before access was locked down.
What they found was an arsenal of attack scripts and operational tools, many of them aimed squarely at Fortinet devices and enterprise network reconnaissance.
Among the retrieved files were Fortinet firewall and SSL VPN exploit scripts, a PHP webshell that runs encrypted payloads, and a set of network scanning and filtering utilities targeting authentication and development portals belonging to a major Japanese corporation, identified as Shiseido.

The tools also covered post-exploitation actions and remote session management, reflecting the end-to-end operational planning typical of state-linked APT groups.
Unpacking the RedGolf Toolset
Analysis of the exposed files reveals a methodical approach:
- Reconnaissance Scripts: Tools such as fscan and script.py were used for large-scale scanning and for filtering out infrastructure that sits behind a content delivery network, leaving a list of high-value targets whose origin servers are directly reachable.
- Fortinet-Specific Exploitation: Custom Python scripts fingerprinted Fortinet SSL VPN portals, deriving version information from hash values embedded in the login interface, so that discovered devices could be matched against known vulnerabilities. The CVEs named alongside the scripts, CVE-2024-23108 and CVE-2024-23109, are published OS command injection flaws in FortiSIEM rather than zero-days, so this step is triage against existing advisories, not novel bug discovery.
- WebSocket CLI Attacks: Additional scripts automated exploitation through Fortinet's WebSocket CLI endpoints, letting the attackers run privileged CLI commands on vulnerable systems without first authenticating.
- Webshell and Reverse Shell Implants: A compact PHP webshell (bx.php) decrypts and executes attacker-supplied payloads in memory, leaving little on disk for forensics and little for signature-based detection to match. A separate PowerShell script established an AES-encrypted reverse shell for persistent remote access.
- Session Control Binaries: A custom ELF binary managed compromised hosts directly, acting as a session controller and command relay.
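The bx.php implant described above combines three things in one small file: a source of attacker input, a decryption routine, and dynamic code execution. That combination is what a hunt for similar implants should key on, rather than any one function name. The following Python triage script is an added example, not code from the Hunt.io write-up or from the RedGolf toolset; the indicator lists, scoring rule and the two constructed PHP samples are assumptions for illustration, and the "webshell-like" sample is a minimal pattern sketch, not bx.php itself.

```python
"""Static triage for PHP files that decrypt and execute a payload in memory.

Added example (not from the Hunt.io report or the RedGolf tooling). Scores PHP
source by how many distinct indicator groups it combines; a single group alone
(e.g. openssl_decrypt in a legitimate app) is common and not flagged.
"""
import re

# Each regex has exactly one capturing group so findall() returns plain names.
INDICATORS = {
    # Decryption / decompression of a blob before use
    "decrypt": re.compile(
        r"\b(openssl_decrypt|mcrypt_decrypt|sodium_crypto_\w+_decrypt"
        r"|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # Dynamic execution of code or OS commands
    "exec": re.compile(
        r"\b(eval|assert|create_function|call_user_func(?:_array)?"
        r"|system|passthru|shell_exec|proc_open|popen)\s*\(", re.I),
    # Attacker-controlled input reaching the script
    "input": re.compile(
        r"(\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\b|php://input|getallheaders)", re.I),
    # Common encoding tricks used to hide the payload or the key
    "obfuscation": re.compile(r"\b(base64_decode|hex2bin|chr|strrev)\s*\(", re.I),
}


def triage(source: str) -> dict:
    """Return {group: [matched names, lowercased]} for groups that hit."""
    hits = {}
    for group, pattern in INDICATORS.items():
        names = sorted({m.lower() for m in pattern.findall(source)})
        if names:
            hits[group] = names
    return hits


def is_suspect(source: str) -> bool:
    """Decrypt-and-execute webshell shape: input + exec + (decrypt or obfuscation)."""
    hits = triage(source)
    return ("exec" in hits and "input" in hits
            and ("decrypt" in hits or "obfuscation" in hits))


# Constructed samples (assumed, for illustration only). WEBSHELL_LIKE is a
# minimal sketch of the pattern the page describes, not the real bx.php.
WEBSHELL_LIKE = r"""<?php
$k = $_SERVER['HTTP_X_KEY'];
$iv = substr(md5($k), 0, 16);
$c = openssl_decrypt(file_get_contents('php://input'), 'aes-256-cbc', $k, 0, $iv);
eval($c);
"""

BENIGN = r"""<?php
// ordinary login handler: reads a form field and verifies a password hash
$user = $_POST['user'] ?? '';
$ok = password_verify($_POST['pass'] ?? '', load_hash($user));
if (!$ok) { http_response_code(401); }
"""

if __name__ == "__main__":
    for label, src in (("webshell-like", WEBSHELL_LIKE), ("benign", BENIGN)):
        print(label, is_suspect(src), triage(src))
```

Regex over source text is deliberately coarse: it will match function names inside comments and strings, and a determined author can split names with string concatenation. Treat a hit as a hunt lead and corroborate it with file ownership and modification time, the web server's access log (POSTs to that path with no referer), and the PHP process's outbound connections.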
The infrastructure hosting these tools, in particular Vultr-hosted IP addresses in Japan and Singapore, has been linked through TLS certificate reuse to RedGolf, a group with significant overlaps with the China-linked APT41.

RedGolf has previously been observed using the KeyPlug malware framework in global cyber campaigns.
The server's mix of reconnaissance output, live target lists and automated exploitation tooling paints a clear picture of coordinated, multi-stage attack planning.
The attackers' ability to stage, launch and then withdraw infrastructure within a day underscores both their operational discipline and the narrow window defenders have to catch it.
This fleeting but illuminating window into RedGolf operations offers vital lessons for enterprise security teams:
- Patch Promptly: Organizations running Fortinet appliances should deploy security updates as soon as they are released and monitor continuously for suspicious access patterns; the toolset above matches device versions against published advisories, so an unpatched appliance is a pre-qualified target.
- Monitor for Automation: Watch for repeated probes of VPN and firewall login endpoints, especially from clients that present a browser user agent but never load the page's assets, and for any request to management or CLI endpoints that are not meant to be reached from the internet.
- Harden Internet-Facing Assets: Limit public exposure of authentication portals and put them behind CDN or WAF protection where possible, since the attackers' own filtering step singled out origins that were directly reachable.
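The monitoring advice above can be turned into a concrete check over ordinary web server access logs. The following Python detector is an added example, not code from the Hunt.io report or from RedGolf tooling. The log lines, thresholds and endpoint lists are constructed for illustration; the path /ws/cli/open is assumed as the appliance's WebSocket CLI endpoint and should be replaced with whatever management paths your own appliance exposes. It flags three behaviours a real browser session rarely produces: a burst of login-page hits from one source, a request to an undocumented endpoint, and a browser-looking user agent that fetches the login page but never its CSS or JavaScript.

```python
"""Flag scripted probing of VPN/firewall login and CLI endpoints in access logs.

Added example for the monitoring advice on this page; not code from the Hunt.io
write-up or from RedGolf tooling. Log lines, thresholds and endpoint lists are
constructed; /ws/cli/open is an assumed WebSocket CLI path.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip - - [ts] "METHOD /path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATHS = {"/remote/login", "/remote/logincheck"}   # SSL VPN portal
UNDOCUMENTED_PATHS = {"/ws/cli/open"}                   # assumed WebSocket CLI
ASSET_PREFIXES = ("/sslvpn/", "/css/", "/js/", "/images/")
BROWSER_UA = re.compile(r"Mozilla/\d")

PROBE_COUNT = 5       # this many login-page hits from one source...
PROBE_WINDOW = 60.0   # ...within this many seconds is a scripted probe


def parse(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    return rec


def _burst(times) -> bool:
    """True if any PROBE_COUNT consecutive timestamps fall within PROBE_WINDOW."""
    for i in range(len(times) - PROBE_COUNT + 1):
        if (times[i + PROBE_COUNT - 1] - times[i]).total_seconds() <= PROBE_WINDOW:
            return True
    return False


def analyse(lines):
    """Return a list of (source_ip, alert_kind, detail) tuples."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        login_ts = [r["ts"] for r in recs if r["path"] in LOGIN_PATHS]
        if _burst(login_ts):
            alerts.append((ip, "vpn_portal_probe",
                           f"{len(login_ts)} login-page hits"))
        undoc = sorted({r["path"] for r in recs} & UNDOCUMENTED_PATHS)
        if undoc:
            alerts.append((ip, "undocumented_endpoint", ",".join(undoc)))
        browser = any(BROWSER_UA.search(r["ua"]) for r in recs)
        assets = any(r["path"].startswith(ASSET_PREFIXES) for r in recs)
        if browser and login_ts and not assets:
            alerts.append((ip, "browser_ua_no_assets",
                           "browser UA but never fetched portal assets"))
    return alerts


# Constructed sample log (assumed, for illustration only).
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")


def _line(ip, ts, method, path, status, ua=CHROME):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = [
    # Scripted source: six login-page hits in six seconds, then the WebSocket CLI
    *[_line("198.51.100.23", f"05/May/2025:10:12:0{i} +0000", "GET",
            "/remote/login?lang=en", 200) for i in range(1, 7)],
    _line("198.51.100.23", "05/May/2025:10:12:08 +0000", "GET", "/ws/cli/open", 101),
    # Real user: login page, its assets, then a credential POST
    _line("203.0.113.7", "05/May/2025:10:15:00 +0000", "GET", "/remote/login?lang=en", 200),
    _line("203.0.113.7", "05/May/2025:10:15:00 +0000", "GET", "/sslvpn/css/login.css", 200),
    _line("203.0.113.7", "05/May/2025:10:15:01 +0000", "GET", "/sslvpn/js/login.js", 200),
    _line("203.0.113.7", "05/May/2025:10:15:20 +0000", "POST", "/remote/logincheck", 200),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

The asset heuristic is the cheapest of the three to evade, so weight the burst and undocumented-endpoint rules higher when scoring; a scanner that fetches the login page once per host and moves on will only trip the burst rule when your logs from many appliances are aggregated by source IP.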
As adversaries continue to exploit freshly disclosed vulnerabilities and refine their toolkits, vigilant monitoring and rapid response remain the most effective way to blunt the impact of their campaigns.
For defenders, such rare glimpses into attacker operations are invaluable, supplying both immediate indicators of compromise and lasting insight into how modern cyber espionage is run.