Attackers Leverage FortiWeb Vulnerabilities to Deploy Sliver C2 for Long-Term Access

Threat researchers have uncovered a sophisticated attack campaign targeting FortiWeb web application firewalls across multiple continents, in which adversaries deployed the Sliver command-and-control framework to establish persistent access and build covert proxy infrastructure.

The discovery came from analyzing exposed Sliver C2 databases and logs found during routine open-directory threat hunting on Censys, revealing a well-orchestrated operation that exploited public-facing vulnerabilities in outdated FortiWeb devices.

The threat actor gained initial access by exploiting public-facing vulnerabilities on multiple FortiWeb appliances, specifically targeting outdated versions ranging from 5.4.202 to 6.1.62.

Researchers recovered evidence that the attacker leveraged React2Shell (CVE-2025-55182) alongside unknown FortiWeb vulnerabilities to compromise victim infrastructure.

The lack of proof-of-concept code for the FortiWeb exploits suggests the threat actor may have been targeting zero-day vulnerabilities or leveraging weaponized exploits not yet disclosed publicly.

Command-and-Control Infrastructure

The investigation identified two primary C2 domains: ns1.ubunutpackages[.]store and ns1.bafairforce[.]army, both hosting Sliver instances.

The threat actor demonstrated sophistication by creating decoy websites impersonating legitimate services: a fake Ubuntu Packages repository and a spoofed Bangladesh Air Force recruitment page.

Analysis of C2 creation timestamps reveals that the first domain was registered in September 2024, but victim onboarding accelerated dramatically between December 22-30, 2025, with 30 unique hosts compromised in just eight days.

The adversaries established persistence through systemd services and supervisor configuration modifications, disguising the Sliver binary as a system updater process at /bin/.root/system-updater.

To facilitate command execution and lateral movement, the threat actor deployed Fast Reverse Proxy (FRP) and a disguised microsocks SOCKS proxy renamed as “cups-lpd,” bound to port 515 to masquerade as the legitimate CUPS Line Printer Daemon. This deception tactic demonstrates considerable operational discipline.
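The persistence and masquerading pattern described above (an implant launched from /bin/.root/ via systemd or supervisor, and a SOCKS proxy posing as cups-lpd on port 515) lends itself to a simple host-side hunt. The Python script below is an added example written for this article, not tooling from the researchers or from the campaign. It scans systemd unit and supervisor configuration text for programs started from hidden directories, and checks `ss -lntpH` output for a port 515 listener whose executable is not the distribution's cups-lpd or its socket activator. The sample unit, supervisor snippet, `ss` lines and pid-to-executable map are constructed here (the path /bin/.root/cups-lpd is an illustrative guess; the article does not say where the proxy binary lived), and the set of expected cups-lpd and inetd paths is an assumption to tune per distribution.

```python
# Added example for this article; not the researchers' tooling. All sample
# inputs below are constructed to mirror the tradecraft the article describes.
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (where it was seen, rule name, detail)

# A path component that starts with a dot, such as the "/bin/.root/" directory
# used to hide the implant. "." and ".." components are deliberately excluded.
HIDDEN_COMPONENT = re.compile(r"(?:^|/)\.[^./][^/]*(?:/|$)")

# Port 515 is the LPD port. On most distributions cups-lpd is spawned per
# connection by inetd/xinetd or a systemd socket unit, so the legitimate
# listener is one of these binaries. ASSUMPTION: tune this set per distro.
EXPECTED_LPD_EXES = {
    "/usr/lib/cups/daemon/cups-lpd",
    "/usr/lib64/cups/daemon/cups-lpd",
    "/usr/sbin/inetd",
    "/usr/sbin/xinetd",
    "/lib/systemd/systemd",
    "/usr/lib/systemd/systemd",
}
LPD_PORT = 515


def command_path(line: str) -> Optional[str]:
    """Extract the program path from a systemd ExecStart*= or supervisor command= line."""
    m = re.match(r"\s*(?:ExecStart(?:Pre|Post)?|command)\s*=\s*[-@+!:]*(\S+)", line)
    return m.group(1) if m else None


def scan_service_config(name: str, text: str) -> List[Finding]:
    """Flag services whose program lives in a hidden directory or a world-writable tmp path."""
    findings: List[Finding] = []
    for line in text.splitlines():
        path = command_path(line)
        if path is None:
            continue
        if HIDDEN_COMPONENT.search(path):
            findings.append((name, "hidden-dir-exec", path))
        if path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
            findings.append((name, "tmp-exec", path))
    return findings


def parse_ss_listeners(ss_output: str) -> List[Tuple[int, str, int]]:
    """Turn `ss -lntpH` lines into (port, process name, pid) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        port = int(parts[3].rsplit(":", 1)[1])  # works for 0.0.0.0:515 and [::]:515
        m = re.search(r'users:\(\("([^"]+)",pid=(\d+)', line)
        if m:
            listeners.append((port, m.group(1), int(m.group(2))))
    return listeners


def scan_listeners(ss_output: str, exe_by_pid: Dict[int, str]) -> List[Finding]:
    """Flag a port 515 listener that is not the real LPD service, plus any listener
    whose executable sits in a hidden directory. exe_by_pid maps pid to the target
    of /proc/<pid>/exe; on a live host build it with os.readlink."""
    findings: List[Finding] = []
    for port, comm, pid in parse_ss_listeners(ss_output):
        exe = exe_by_pid.get(pid, "<unknown>")
        if port == LPD_PORT and exe not in EXPECTED_LPD_EXES:
            findings.append((f"pid {pid}", "lpd-port-impostor", f"{comm} -> {exe}"))
        if HIDDEN_COMPONENT.search(exe):
            findings.append((f"pid {pid}", "hidden-dir-exec", f"{comm} -> {exe}"))
    return findings


# --- constructed samples (not real artefacts from the campaign) ---------------
SAMPLE_UNIT = """[Unit]
Description=System Updater

[Service]
ExecStart=/bin/.root/system-updater
Restart=always

[Install]
WantedBy=multi-user.target
"""

SAMPLE_SUPERVISOR = """[program:system-updater]
command=/bin/.root/system-updater
autostart=true
autorestart=true
"""

SAMPLE_SS = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 128 0.0.0.0:515 0.0.0.0:* users:(("cups-lpd",pid=4242,fd=3))
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=902,fd=7))
"""

# The proxy's on-disk location is not given in the article; /bin/.root/cups-lpd is a guess.
SAMPLE_EXE_BY_PID = {811: "/usr/sbin/sshd", 4242: "/bin/.root/cups-lpd", 902: "/usr/sbin/cupsd"}


def hunt() -> List[Finding]:
    """Run every check over the constructed samples."""
    return (
        scan_service_config("system-updater.service", SAMPLE_UNIT)
        + scan_service_config("supervisord.conf", SAMPLE_SUPERVISOR)
        + scan_listeners(SAMPLE_SS, SAMPLE_EXE_BY_PID)
    )


if __name__ == "__main__":
    for where, rule, detail in hunt():
        print(f"{rule:18} {where:24} {detail}")
```

On a live host, feed it the unit files under /etc/systemd/system and /run/systemd/system, the supervisor configuration under /etc/supervisor, and the output of `ss -lntpH`, building the pid map from os.readlink on /proc/<pid>/exe. Because the real cups-lpd is normally spawned per connection rather than running as a long-lived daemon, any persistent process named cups-lpd holding port 515 deserves a look even before its path is checked.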

Figure: IP addresses within Sliver databases with the FRP server.

Victimology analysis revealed concentrated targeting in Pakistan and Bangladesh, with multiple victims from the financial and government sectors.

The choice of Bangladesh-themed decoy infrastructure aligns with observed victim locations, suggesting the operation was more targeted than opportunistic.

Analysing the binary, we can see this will expose the SOCKS service on port 515, which is notable as this is the expected port that the legitimate Linux CUPS Line Printer Daemon will listen on.

Beyond this campaign, the broader threat lies in a fundamental security blind spot: FortiWeb appliances and similar edge devices typically lack built-in endpoint detection and response (EDR) capabilities, and organizations rarely deploy aftermarket security tools on them.

Critical Detection Gap

The research underscores a significant detection challenge. Most organizations rely on centralized EDR solutions that monitor traditional endpoints, leaving appliance-level compromises largely invisible.

The researchers noted that evidence of this campaign emerged only because the threat actor accidentally exposed operational logs and databases, a stark reminder of how many similar attacks may persist undetected on hardened network perimeter devices.

This campaign highlights the necessity for organizations to implement compensating controls on edge appliances, including security monitoring, vulnerability management programs that prioritize legacy device updates, and network segmentation that limits lateral movement from compromised perimeters.

The sophisticated use of renamed utilities and legitimate-looking services demonstrates that threat actors are adapting their tradecraft to evade detection in environments where traditional security tools provide limited visibility.
