KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company

April 18, 2025, 2:16 p.m.

Description

A server linked to KeyPlug malware briefly exposed tooling used in active operations. The infrastructure, live for less than a day, revealed Fortinet firewall and VPN exploit scripts, a PHP webshell, and network reconnaissance tools targeting authentication and internal portals of a major Japanese company. The exposed directory provided insight into the attacker's workflow, from infrastructure reconnaissance to post-access session management. Notable files included Fortinet reconnaissance scripts, CDN fingerprinting tools, and encrypted command execution utilities. The server's brief exposure offers a rare glimpse into the operational staging and planning of a likely advanced adversary.

Date

  • Created: April 17, 2025, 9:19 p.m.
  • Published: April 17, 2025, 9:19 p.m.
  • Modified: April 18, 2025, 2:16 p.m.

Indicators

  • f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3
  • c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7
  • c1da6449513844277acc969aae853a502f177e92f98d37544f94a8987e6e2308
  • 98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d
  • 827b5d8ed210a85bf06214e500a955f5ad72bd0afd90127de727eb7d5d70187e
  • 759246465014acaf3e75a575d6fe36720cfdbfe2eeac1893fe6d7a0474815552
  • 7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50
  • 53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45
  • 468b1799fbda3097b345a59bc1fec1cbc2a015efa473b043a69765a987ad54ed
  • 2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6
  • 09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95
  • 4c1baa3abb774b4c649c87417acaa4396eba40e5028b43fade4c685a405cc3bf
  • 154.31.217.200
  • combinechina.com

Attack Patterns

Additional Information

  • Retail
  • Japan

Linked vulnerabilities