Threat researchers found a sophisticated attack campaign aimed at FortiWeb firewalls worldwide, using the Sliver C2 framework for ongoing access and hidden proxy setups.
Analyzing exposed Sliver C2 databases and logs during open-directory threat hunting on Censys revealed a coordinated attack exploiting vulnerabilities in outdated FortiWeb devices.

The threat actor gained initial access by exploiting public-facing vulnerabilities on multiple FortiWeb appliances, specifically targeting outdated versions ranging from 5.4.202 to 6.1.62.
Researchers found that the attacker used React2Shell (CVE-2025-55182) and some unknown FortiWeb vulnerabilities to compromise the victim’s infrastructure.
The lack of proof-of-concept code for the FortiWeb exploits suggests the threat actor may have been targeting zero-day vulnerabilities or leveraging weaponized exploits not yet disclosed publicly.
Command-and-Control Infrastructure:
The investigation found two main C2 domains: ns1.ubuntupackages[.]store and ns1.bafairforce[.]army, which both host Sliver instances.
The threat actor showed skill by creating fake websites that mimicked real services, including a false Ubuntu Packages repository and a counterfeit Bangladesh Air Force recruitment page.

The first C2 domain was registered in September 2024, but victim onboarding sped up significantly from December 22-30, 2025, with 30 hosts compromised in eight days.
The adversaries established persistence through systemd services and supervisor configuration modifications, disguising the Sliver binary as a system updater process at /bin/.root/system-updater.
To facilitate command execution and lateral movement, the threat actor deployed Fast Reverse Proxy (FRP) and a disguised microsocks SOCKS proxy renamed as “cups-lpd,” bound to port 515 to masquerade as the legitimate CUPS Line Printer Daemon. This deception tactic demonstrates considerable operational discipline.
Victimology analysis showed targeted attacks in Pakistan and Bangladesh, affecting many victims in the finance and government sectors.
The choice of Bangladesh-themed decoy infrastructure aligns with observed victim locations, suggesting the operation was more targeted than opportunistic.
Analysis of the binary shows that it exposes the SOCKS service on port 515, which is notable because that is the port the legitimate Linux CUPS Line Printer Daemon is expected to listen on.
However, the broader threat lies in a fundamental security blindspot: FortiWeb appliances and similar edge devices typically lack built-in endpoint detection and response (EDR) capabilities, and organizations rarely deploy aftermarket security tools.
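A host-level hunt for the tradecraft described above (a tcp/515 listener that is not the real cups-lpd, and services launched from the hidden /bin/.root directory), written as an added example and not code from the researchers; the ss output, unit files and pid-to-binary map are constructed, and the expected cups-lpd path is an assumption.

```python
import re
from typing import Dict, List

# Indicators lifted from the campaign write-up; everything else is an assumption.
HIDDEN_STAGING = "/bin/.root/"                        # persistence directory from the write-up
EXPECTED_CUPS_LPD = "/usr/lib/cups/daemon/cups-lpd"   # assumption: Debian/Ubuntu path of the real binary

# Matches one LISTEN row of `ss -tlnp`: local addr:port and the first owning process.
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def hidden_component(path: str) -> bool:
    """True when any directory in the path is dot-hidden (e.g. /bin/.root)."""
    return any(part.startswith(".") for part in path.split("/")[1:-1])

def find_suspicious_listeners(ss_lines: List[str], exe_of: Dict[int, str]) -> List[str]:
    """Flag a port-515 listener whose backing binary is not the real cups-lpd, and any
    listener served from a hidden directory. exe_of maps pid -> resolved /proc/<pid>/exe."""
    findings = []
    for line in ss_lines:
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        port, name, pid = int(m.group(2)), m.group(3), int(m.group(4))
        exe = exe_of.get(pid, "")
        if port == 515 and exe != EXPECTED_CUPS_LPD:
            findings.append(f"pid {pid} '{name}' holds tcp/515 but runs {exe or 'unknown'}")
        elif hidden_component(exe) or exe.startswith(HIDDEN_STAGING):
            findings.append(f"pid {pid} '{name}' runs from hidden path {exe}")
    return findings

def find_suspicious_units(units: Dict[str, str]) -> List[str]:
    """Flag systemd units / supervisor programs whose command points into a hidden dir."""
    key = re.compile(r'^\s*(ExecStart|command)\s*=\s*(\S+)', re.M)
    return [f"{name}: {m.group(1)} -> {m.group(2)}"
            for name, text in units.items()
            for m in key.finditer(text)
            if hidden_component(m.group(2))]

# Constructed sample data standing in for live `ss -tlnp`, /proc/<pid>/exe and config files.
SAMPLE_SS = [
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))',
    'LISTEN 0 128 0.0.0.0:515 0.0.0.0:* users:(("cups-lpd",pid=2231,fd=4))',
    'LISTEN 0 128 127.0.0.1:7000 0.0.0.0:* users:(("system-updater",pid=2240,fd=5))',
]
SAMPLE_EXE = {812: "/usr/sbin/sshd", 2231: "/bin/.root/cups-lpd", 2240: "/bin/.root/system-updater"}
SAMPLE_UNITS = {
    "updater.service": "[Service]\nExecStart=/bin/.root/system-updater\nRestart=always\n",
    "ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "supervisord.conf": "[program:updater]\ncommand=/bin/.root/system-updater\n",
}
```

On a live appliance shell the same functions take the real `ss -tlnp` output, the `/proc/<pid>/exe` links and the contents of `/etc/systemd/system` and the supervisor config; the legitimate cups-lpd is normally socket-activated rather than a long-running listener, so a persistent "cups-lpd" on port 515 is itself worth a look.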

Victim:
In the recovered C2 databases, excluding false-positive (FP) or sandbox hostnames, there were 30 unique IP addresses actively beaconing. Victims were noted in Pakistan and Bangladesh, particularly in the financial and government sectors.
Source: gbhackers.com, ctrlaltintel.com
