KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
April 18, 2025, 2:16 p.m.
Description
A server linked to KeyPlug malware briefly exposed tooling used in active operations. The infrastructure, live for less than a day, revealed Fortinet firewall and VPN exploit scripts, a PHP webshell, and network reconnaissance tools targeting authentication and internal portals of a major Japanese company. The exposed directory provided insight into the attacker's workflow, from infrastructure reconnaissance to post-access session management. Notable files included Fortinet reconnaissance scripts, CDN fingerprinting tools, and encrypted command execution utilities. The server's brief exposure offers a rare glimpse into the operational staging and planning of a likely advanced adversary.
Tags
Date
- Created: April 17, 2025, 9:19 p.m.
- Published: April 17, 2025, 9:19 p.m.
- Modified: April 18, 2025, 2:16 p.m.
Indicators
Additional Information
- Retail
- Japan